SPF, part 2: how to configure SPF for a domain

(This is part 2 of a series. You should read part 1 first, and after this post you should read part 3.)

Suppose you have a domain and send email from it (in fact, even if you don’t, this is still a good idea; more about that later). How do you configure SPF for it?

Easy: you simply add a specially formatted TXT record to the domain. (Where? If you have your own public DNS servers, you’ll have to edit the zone file [1]; otherwise, if your domain (note: the domain, not the web server) is maintained by a registrar or ISP, it should provide an administration interface where you can add and edit records.)

OpenSPF.org provides a “wizard” to build an SPF TXT record for your domain, and I suggest you try it out. However, I think I can give you an example that is mostly self-explanatory, which is the SPF TXT record for my own dehumanizer.com domain:

v=spf1 a a:mail.dehumanizer.com a:sh.dehumanizer.com a:sh2.dehumanizer.com mx include:netcabo.pt -all

(In fact, that record is kind of overkill; I could remove about half of it and everything would still work. But it’s useful as an example.)

v=spf1 means it’s an SPF record.

a means that “dehumanizer.com” (the host that that name resolves to) is authorized for that domain. I could remove that one, as the following one takes care of it (it’s the same host).

a:mail.dehumanizer.com means that mail.dehumanizer.com is authorized. The same for the following two (sh.dehumanizer.com and sh2.dehumanizer.com; the latter doesn’t exist anymore, so I could remove it.)

mx means that the MX records for the domain are also authorized. They’re currently mail.dehumanizer.com and sh.dehumanizer.com, which were previously taken care of, so I could remove this one as well.

include:netcabo.pt means that whatever is authorized for the netcabo.pt domain is also authorized here. This is from when I used my ISP as a smart host, some time ago; as I no longer do that, I could remove this one too.

Finally, -all means, in effect, that, yes, I’m serious about this, all of the authorized servers for this domain are listed, which means that any other hosts are unauthorized, and emails coming from them with a “From:” of this domain should be refused. You should configure this part only after successfully testing your configuration. Until then, there’s a “soft fail” option, ~all, which means the same, but adds “but don’t take it seriously.”

If you’ve been paying attention, you’ve probably already noticed that I could replace that record with the much simpler:

v=spf1 a:mail.dehumanizer.com a:sh.dehumanizer.com -all

for the exact same results (and I’ll probably do that a bit later today.)
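The comparison between the two records can be checked mechanically. The following is an added example, not code from the original post: a small evaluator for the mechanisms used above (a, mx, include, all) run against a constructed DNS table. The IP addresses, the smtp.netcabo.pt host and the netcabo.pt SPF record are assumptions made up for illustration. It shows that both records give the same verdict for the domain's own servers and for unknown hosts, and that the only difference is the hosts authorized through the leftover include.

```python
import ipaddress

# Constructed stand-in for DNS (documentation addresses, not the real zones).
A = {"dehumanizer.com": ["192.0.2.10"],
     "mail.dehumanizer.com": ["192.0.2.10"],  # same host as the bare domain
     "sh.dehumanizer.com": ["192.0.2.20"],    # sh2 no longer exists: no entry
     "smtp.netcabo.pt": ["198.51.100.5"]}     # hypothetical ISP smart host
MX = {"dehumanizer.com": ["mail.dehumanizer.com", "sh.dehumanizer.com"]}
TXT = {"netcabo.pt": "v=spf1 a:smtp.netcabo.pt -all"}  # hypothetical record

LONG = ("v=spf1 a a:mail.dehumanizer.com a:sh.dehumanizer.com "
        "a:sh2.dehumanizer.com mx include:netcabo.pt -all")
SHORT = "v=spf1 a:mail.dehumanizer.com a:sh.dehumanizer.com -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def hosts_match(hosts, addr):
    return any(ipaddress.ip_address(a) == addr
               for h in hosts for a in A.get(h, []))

def check_spf(record, domain, ip, depth=0):
    """Evaluate a, mx, include and all, left to right; first match wins."""
    terms = record.split()
    if depth > 10 or not terms or terms[0].lower() != "v=spf1":
        return "permerror"  # include loop, or not an SPF record
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain  # "a" and "mx" default to the domain itself
        if name == "all":
            matched = True
        elif name == "a":
            matched = hosts_match([target], addr)
        elif name == "mx":
            matched = hosts_match(MX.get(target, []), addr)
        elif name == "include" and target in TXT:
            # include matches only when the other domain's record says "pass"
            matched = check_spf(TXT[target], target, ip, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism or missing include
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term

def compare(ip):
    return check_spf(LONG, "dehumanizer.com", ip), check_spf(SHORT, "dehumanizer.com", ip)
```

Swapping -all for ~all in either record changes the verdict for unlisted hosts from fail to softfail, which is the testing mode described above.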

What’s the benefit of this? Well, as you are telling the world “mails from my domain come only from my servers”, the rest of the world will more easily be able to kill mails pretending to be from your domain… while also “respecting” legit mail more. In effect, you tell other servers “here’s how you can tell which mails from my domain are genuine”. Many ISPs and filtering systems (such as SpamAssassin) take advantage of a properly configured SPF record to raise the “trustworthiness” of emails coming from the correct servers (while lowering it, or even simply refusing to accept the mail, for messages coming from a server not listed in the SPF record.)

There’s also another (lesser-known) advantage of using SPF for your domain, when you also receive email to it. But that’s for part 3, where I’ll explain how to configure Postfix to look at SPF records when receiving mail…

  1. Note: put the entire record contents between quotes; e.g. for Bind, use dehumanizer.com. IN TXT "v=spf1 a a:mail.dehumanizer.com a:sh.dehumanizer.com a:sh2.dehumanizer.com mx include:netcabo.pt -all" (that’s a single line)


