E-mail (and internet) was invented long time ago with the assumption only very few people will do evil, but it’s not the case nowadays. It is possible to send e-mail to anyone posing as anyone else (ie: if you own the domain apple.com, you can send email as banana.com).
SPF stands for Sender Policy Framework. Long story short, it is set on the DNS zone record to configure What host is allowed to send email as your domain
Testing If Your Domain Is Setup Properly
The openspf website has list of tools you can use to check if your domain already has SPF setup properly. For example:
- Go to http://www.openspf.org/Why
- Enter the email address you’re sending as on MAIL FROM field and your smtp server under Sender's IP address (eg: smtp.apple.com)
- The tool was originally designed to debug rejection.. so although it passes it will say “your mail server rejected a message because”. If you read further, if your SPF record was correct it should say The domain mycompany.com has authorized to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected., whereas if it’s incorrect it will say The domain mycompany.com has not published an SPF policy. It is possible that the receiving mail server refuses all mail from domains that do not have an SPF policy.
Configuring SPF Record on Your DNS Zone
This can be done on your domain hosting. Add following DNS record to you domain name (eg: mycompany.com)
v=spf1 a mx ?all
This syntax basically says:
- Authorize the IP specified by A record as outbound mailer
- Authorize the IP specified by MX record as outbound mailer
- Mark everything else as Neutral
More Examples
- Authorise any IP whose reverse lookup (via PTR record) resolves to smtp.gmail.com, mark everything else as neutral.
v=spf1 ptr:smtp.gmail.com ?all
Further Reading
- SPF Syntax:
- Excellent article by Jeff Attwood on his Coding Horror blog about sending email through code: http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html
- http://aplawrence.com/Blog/B961.html