Emails - SPF record

This article describes in detail how to set up email authentication using the SPF record. For more information on DNS email authentication, see Email - SPF, DKIM, and DMARC.


SPF record

An SPF record is a special DNS record that protects your domain name from being abused by senders of spam.

A sender of junk mail can set the sender's address almost arbitrarily. However, domains with SPF records define exactly which servers are allowed to send mail with their address. Emails from other servers are then evaluated as spam by the recipient's system.

Many email service providers automatically classify messages from domains without an SPF record as spam or reject them altogether.


Basic SPF record settings

The basic SPF record only works for emails sent from our system. If you have set up domain protection with WEDOS Protection, or if you are using another protection and email service provider, follow the chapter Detailed SPF record settings.

An SPF record is a DNS record of type TXT. If your domain uses WEDOS DNS servers, set it up according to the DNS Domain Records guide. Note that changes to DNS will take effect within 1 hour.

The basic form of the SPF record for WEDOS mailservers is:

Name     TTL  Type  Data
(empty)  300  TXT   v=spf1 mx a include:_spf.we.wedos.net -all
Detail of the basic SPF record settings

This record works under the following conditions:

  • You send emails from the web (for example via a form) only through our mail services.
  • You send emails from the mail client only through our mail services, or you may have set up mailbox redirection (for more information see the article Emails - Mailbox redirection).
  • The domain does not use AAAA records.
  • You are not using WEDOS Global Protection or any other proxy web protection provider.

If any of these conditions does not apply to you, continue with the instructions in the Detailed SPF record settings chapter.


Detailed SPF record settings

If you need to specify multiple servers and/or rules, combine their SPF records into one. To do this, just list the individual rules between the initial text v=spf1 and the final -all. Separate the rules with spaces.

There can be at most one valid TXT record for SPF in DNS. If you have more than one, none will work.

Rules for individual IP addresses

If you need to include a specific IP address in the entry, prefix it with ip4: or ip6:. Do not insert a space between the prefix and the address itself.

If you have a web server behind a WEDOS Protection proxy, add the Webhost's IPv4 and (if any) IPv6 addresses to the base record. You can find them in the Service Addresses table in its details (for detailed instructions, see DNS - A and AAAA records).

v=spf1 mx a ip4:(replace the brackets with the IPv4 address of the webhost) include:_spf.we.wedos.net -all

If you have an AAAA record set up for your domain, but otherwise only use Webhosting and WEDOS emails, add an IPv6 address to the base record.

v=spf1 mx a ip6:(replace the brackets with the IPv6 address of the webhost) include:_spf.we.wedos.net -all

Rules for other providers

If you are sending emails through a provider other than WEDOS, check the form of its SPF record in the documentation or other sources of that provider.
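The merging procedure from this chapter as an added example (not WEDOS code): it combines several providers' records into a single TXT value and checks the result for the mistakes named above, plus the RFC 7208 limit of 10 DNS-querying terms. The second provider's include:_spf.mailer.example and the address 192.0.2.10 are constructed, and keeping the strictest "all" when providers disagree is a choice made here.

```python
import ipaddress
STRICTNESS = {"-all": 3, "~all": 2, "?all": 1, "+all": 0, "all": 0}
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
NET = {"ip4": ipaddress.IPv4Network, "ip6": ipaddress.IPv6Network}

def merge_spf(records):
    """Combine several SPF strings into one record; the strictest 'all' wins."""
    terms, final = [], None
    for rec in records:
        parts = rec.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in parts[1:]:
            if term.lower() in STRICTNESS:
                if final is None or STRICTNESS[term.lower()] > STRICTNESS[final]:
                    final = term.lower()
            elif term not in terms:          # drop duplicates such as a second "mx"
                terms.append(term)
    return " ".join(["v=spf1", *terms, final or "-all"])

def lint_spf(record):
    """Return the problems found in one SPF record string (empty list = clean)."""
    terms = record.split()
    problems = [] if terms[:1] == ["v=spf1"] else ["record must start with v=spf1"]
    lookups = 0
    for pos, term in enumerate(terms[1:], start=1):
        mech = term.lstrip("+-~?").lower()
        name = mech.split(":")[0].split("/")[0].split("=")[0]
        if mech in ("ip4:", "ip6:"):
            problems.append(f"space after the {mech} prefix")
        elif name in NET:
            try:                             # also rejects an IPv6 address after ip4:
                NET[name](mech.split(":", 1)[1], strict=False)
            except (ValueError, IndexError):
                problems.append(f"{term}: not a valid {name} address")
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
        else:
            problems.append(f"{term}: unknown term")
    if lookups > 10:                         # RFC 7208 limit on DNS-querying terms
        problems.append(f"{lookups} DNS-querying terms, the limit is 10")
    return problems

# Constructed sample: the page's basic record plus a hypothetical second provider.
MERGED = merge_spf(["v=spf1 mx a include:_spf.we.wedos.net -all",
                    "v=spf1 include:_spf.mailer.example ip4:192.0.2.10 ~all"])
```

Publish the value of MERGED as the only SPF TXT record for the domain, and remove the separate records it replaces.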


Common problems

Common problems with the SPF record include:

Broken SPF records from multiple providers

Problem: I have entered the SPF records of all my email providers and they are not working.

Cause: you must have only one SPF record for a given (sub)domain.

Solution: If you have more than one SPF record for a (sub)domain, merge them into one by following the instructions in the Detailed SPF Record Settings chapter.

Broken SPF record for domain on WEDOS Protection

Problem: After adding the domain to WEDOS Protection, the SPF record stopped working.

Cause: the IP address of the sending server differs from the IP address listed in the domain's A/AAAA records.

Solution: Add the IP address of the Webhost to the record according to the instructions in the Detailed SPF Record Settings chapter. You can find it in the Service Addresses table in the Web Hosting detail.

Returned emails from WEDOS due to SPF

Problem: Mail sent to a mailbox at WEDOS is returned with the error message Recipient address rejected: Please see http://www.openspf.net/Why?s=helo;id=sender-domain.tld;ip=XX.XX.XX.XX;r=wes1-mx.

Cause: there is a problem with the SPF on the sender's side: either it is set incorrectly or not at all.

Solution: Until the domain administrator (DNS) fixes the SPF problem, the WEDOS mailservers will reject messages from it.


Frequently Asked Questions

Where do I set the SPF?

It is a DNS record, so set the SPF in the DNS records administration of the DNS provider for your domain.

Why don't you set the SPF record automatically?

Although a basic SPF record is usually sufficient, we don't have enough information about your mail services to set it up correctly in all circumstances. Because an incorrectly set SPF record can block mail altogether, we leave the setup to you: only you have complete information about the email traffic on your domain.

How do I know if a missing SPF record is the cause of mail not being delivered?

Your emails end up in the recipient's spam folder, or you get an undeliverable email message mentioning a rejection based on an incorrect or missing SPF record. If you are sending emails from the web via the mail() function, the undeliverability may be due to either an SPF record or a missing or incorrect return path parameter.

If I send emails from a subdomain, is it enough to have an SPF record on the main domain?

No, create an SPF record for each subdomain you want to send emails from.

What does the -all part of the record mean?

-all means that all mails that do not comply with the rules should be discarded by the server. This is the strictest version of authentication.

Google documentation states ~all, you have -all. Does it matter?

The stricter the authentication option (and -all is stricter than ~all), the less likely it is that someone else will successfully impersonate you. The downside is that with the - variant, if you do send an email from an unverified source for some reason, the recipient will discard it without further questions. With the ~ variant, there is still a chance the message will get through.
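The difference between -all and ~all, and the WEDOS Protection problem from the Common problems chapter, shown with a simplified SPF evaluator. This is an added example, not WEDOS code: the zone data, the names example.test and _spf.mail.example and all IP addresses are constructed, and only the ip4, ip6, a, mx, include and all mechanisms are handled.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data (documentation address ranges) standing in for live DNS.
ZONE = {
    "spf": {"example.test": "v=spf1 mx a include:_spf.mail.example -all",
            "_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 -all"},
    "a":   {"example.test": ["203.0.113.80"]},    # proxy in front of the website
    "mx":  {"example.test": ["198.51.100.25"]},   # MX hosts already resolved to IPs
}
WEBHOST_IP = "192.0.2.44"   # real web server behind the proxy; sends the form mail

def check_spf(ip, domain, zone=ZONE, record=None):
    """Evaluate a sending IP against the domain's SPF record (or a given record)."""
    record = record or zone["spf"].get(domain)
    if not record:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"   # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            hit = True
        elif name in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            hosts = zone[name].get(arg or domain, [])
            hit = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            hit = check_spf(ip, arg, zone) == "pass"   # include matches only on pass
        else:
            continue                                   # mechanism not modelled here
        if hit:
            return RESULT[qual]                        # first matching term decides
    return "neutral"

# The same record ending in ~all, and the record with the webhost address added.
SOFT = "v=spf1 mx a include:_spf.mail.example ~all"
FIXED = "v=spf1 mx a ip4:192.0.2.44 include:_spf.mail.example -all"
```

With the base record, mail from WEBHOST_IP evaluates to fail because the a mechanism now resolves to the proxy address; SOFT turns the same result into softfail, and FIXED makes it pass.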
