Can someone please explain SPF records in layman's terms?

fuzzybabybunny

Moderator, Digital & Video Cameras
Jan 2, 2006
10,455
35
91
I am beyond confused on how to properly apply SPF records.

My domain name is bought through GoDaddy.
My website hosting is through MadGenius.
My email is all done through GoogleApps.

I send 99% of my emails under my domain name through GoogleApps.

Sometimes I have php/html forms that reside on my MadGenius server send emails under my domain.

I use the PHP "mail" function to send out emails.

http://php.net/manual/en/function.mail.php

What kinds of SPF records do I need to get, from who, and where do I put them?

When I sent an email to myself via the PHP script, in gmail in the From field I see "fuzzybabybunny via madhost419.madgenius.com".

Gmail's FAQ on this stuff:

https://support.google.com/mail/answer/1311182?hl=en&ctx=mail

Per Google,

"I'm a sender and I don't want my recipients to see the "via" link. What can I do?

Gmail checks whether emails are correctly authenticated. If your messages are sent by a bulk mailing vendor or by third-party affiliates, please publish an SPF record that includes the IPs of the vendor or affiliates which send your messages and sign your messages with a DKIM signature that is associated with your domain."


So it appears that MadGenius is considered a third-party mailing vendor and I still need to publish your SPF records and IPs and get DKIM set up? Despite my website being hosted with them?
 

Red Squirrel

No Lifer
May 24, 2003
70,755
13,862
126
www.anyf.ca
I set this up a while back for myself, but TBH I don't know if it's even working because I'm constantly being flagged for spam by various systems such as the barracuda at work, and Microsoft keeps blacklisting my IP. I can never send to anyone who has a hotmail address.

Basically the SPF record is saying that a specific list of IPs is allowed to send mail for your domain. So if someone spoofs your email, their IP won't be in that list, so the spam filter can just stop it right away.

So ex: say your email server is 123.123.123.123, you would edit the SPF record for your domain to say that mail from 123.123.123.123 is legit but everything else is not. So some spammer spoofs your email, but that mail will be coming from 69.69.69.69 which is their server. That saves the spam filter from having to even look at the email content, it will just block it on this basis alone.

I hope this makes sense, and I hope I'm actually right... but pretty sure that's how it works. Most of the stuff I've read on it is really misleading and hard to understand, and even figuring out the right syntax to use is a pain.
 

fuzzybabybunny

Thanks. So let me try and get this right:

1. My domain name is XYZ.com. Hosted on MadGenius, but all emails are sent through Gmail via GoogleApps.

2. GoogleApps is my primarily used mail server, NOT MadGenius, since most of my emails originate from GoogleApps.

3. HOWEVER, SPF records are hosted and made available on the server that hosts my xyz.com domain. A recipient email server gets an email from Google's servers but labeled as xyz.com domain, so it sends a command to MadGenius, which hosts xyz.com domain and has the SPF records, to see if Google's servers are authorized to be sending email on behalf of my xyz.com domain. Once it checks MadGenius's SPF records for my xyz.com domain, and sees that Google is authorized, it won't mark it as spam.

4. Now, when I send a test email to myself via MadGenius, in Gmail in the "From" field I see "fuzzybabybunny via madhost419.madgenius.com". But this is fine since MadGenius hosts my domain and should automatically be authorized as a legit source of my email. So nothing needs to be done. I don't need to get MadGenius' SPF records, right?

5. I also have other things sending email on my domain's behalf, like my invoicing system, Freshbooks. I need to add the SPF record for Freshbooks to my MadGenius account as well.

Does this sound right?

The takeaway is that it doesn't matter which email server you use for outgoing emails - you have to register those email server SPF records with the website host which hosts your domain name. You can use 20 different email servers sending out emails on your domain's behalf. You have to register all 20 of their SPF records with your primary website host, since the primary website host is the one that will get pinged by recipient email servers to determine the legitimacy of those emails sent on your behalf, right?
 

Red Squirrel

Yep, I'm fairly certain that's how it works. So the recipient, by doing that check, knows the mail is legit, and should not block it. Otherwise without the SPF record it will think that someone might be using google apps to spoof your email. I don't think too many servers will actually do this check and block it outright, but I imagine at one point SPF will be a requirement and more servers will honor it.

You can also do an "all" spf record. Sorta defeats the purpose I guess, but it's a quick way to get stuff to work if you send mail from many servers (Ex: an email cluster where it goes to a random server). Though, I think it looks at the MX, so if you only have one email server chances are the MX is already set to google apps anyway, but does not hurt to have the SPF record anyway.

Hopefully someone else chimes in to confirm what I'm saying though, since I might be mistaken, but pretty sure it's how they work.
 

fuzzybabybunny

I have cpanel and it does not allow me to edit the text directly. In fact, I can't add the -ALL to the end of things. But I guess that's what the "All Entry (ALL)" checkbox is for (below).

This is what it looks like:

http://paragon.media.storage.s3.amazonaws.com/SPF Records.JPG

Does it look right?

Also, do I need that underscore before "spf"? _spf.google.com
 

Red Squirrel

Honestly I'm not too sure about the specifics of how to do it, I did it a while back and have not had to touch it since. In fact I just checked and looks like I commented it out so maybe I had done it wrong. :biggrin: I have to revisit that at some point.

But looking at that control panel I think it looks ok. Not too sure about the underscore though. Were there already entries like that? I would just enter them to match whatever was there. There are sites where you can test your SPF records as well and it will tell you if they are ok or not.
 

DaveSimmons

Elite Member
Aug 12, 2001
40,730
670
126
> 3. HOWEVER, SPF records are hosted and made available on the server that hosts my xyz.com domain.

Minor detail but it gets the record from the name server / DNS server for the domain, which might be separated from the WWW server if you're using a DNS service like Amazon Route 53 or some dynamic DNS service.