Properly Setting Email SPF Records for WPENGINE, Google Apps, Etc.

An SPF record (Sender Policy Framework) is a DNS record that declares which servers are allowed to send mail that appears to come from your domain. Having a properly set SPF record means someone spoofing email from your domain is much less likely to have any success.

These records are only for servers that SEND mail on behalf of your domain.

Caveat: SPF (and the related technologies) cannot prevent 100% of email being sent as though it came from your domain, since it is up to the receiving mail system to check the record and accept or reject the message. We’ll be covering DKIM and DMARC in a future tutorial, but they are related and worthwhile technologies to pursue in your spam-fighting quest.

You may need SPF records for services like:

SPF Record Formulation

A record begins with v=spf1 and always ends with some form of all.

SPF Qualifiers

The qualifier in front of “all” determines what a receiving server should do with any email that doesn’t match your specified allowed sources:

"+" Pass (a mechanism with no qualifier in front of it, e.g. just include:sendgrid.net, is the same as “+”)
"-" Fail
"~" SoftFail
"?" Neutral

If we have a solid handle on all the services a client’s domain is using to send mail we’ll use “-all”. This hard-fails all mail that doesn’t match.
If we have some degree of uncertainty we’ll use a SoftFail, “~all”.

We will likely use a SoftFail if we aren’t intimately involved in most aspects of a client’s web presence or if we haven’t built it from the ground up. There could be an unknown tool some part of the company is using to send mail that a hard Fail would break.

SPF Mechanisms

What you put in between v=spf1 and all determines what is allowed. These terms are called mechanisms.

We typically only use three mechanisms:

ip4:<ip4-address>
ip6:<ip6-address>
include:<domain>

The ip4 and ip6 mechanisms say “allow mail from these IP addresses or IP ranges.”
The “include” mechanism says “look up the SPF record published by the named domain and add its allowed sources here.” Each include costs a DNS lookup, which matters for the lookup limit discussed below.

Common SPF Records

WPENGINE SPF

include:relay.mailchannels.net

The following is kept for posterity and is no longer used by WPENGINE:
include:sendgrid.net (this was for emails sent from the WPENGINE User Portal, e.g. backup and restore email notifications)
include:mailgun.org (this was for actual emails sent by the WordPress install)

Google Apps for Work SPF
include:_spf.google.com

FreshBooks SPF
include:_spf.freshbooks.com

Salesforce SPF
include:_spf.salesforce.com

MailChimp SPF
include:servers.mcsv.net

Mandrill
include:spf.mandrillapp.com

ConstantContact SPF 
include:spf.constantcontact.com

MailGun
include:mailgun.org

Combine these within a single record, separated by spaces, in priority order from the highest-volume senders to the lowest.

v=spf1 include:_spf.google.com include:sendgrid.net -all

Keep the number of includes to a minimum: the record, including everything the includes pull in, must generate fewer than 10 DNS lookups.
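As an added example (not part of the original post), here is a small Python checker that parses a record, reports the policy its all qualifier applies, and counts the DNS-querying terms, following include: chains recursively. The DNS answers come from a constructed in-memory table, not live lookups, so it runs offline.

```python
import re

# Constructed stand-in for DNS TXT answers (not real data): maps a domain
# to the SPF record we pretend it publishes.
MOCK_TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "corp.example": "v=spf1 mx a:mail.corp.example ip4:192.0.2.1 -all",
}

# Terms that cost a DNS query; RFC 7208 section 4.6.4 makes more than
# 10 of them a permanent error. ip4/ip6/all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def parse_spf(record):
    """Split a record into (qualifier, name, value) terms; reject malformed ones."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must begin with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](\S+))?", term, re.I)
        if not m:
            raise ValueError(f"malformed term: {term}")
        qual, name, value = m.groups()
        parsed.append((qual or "+", name.lower(), value))  # no qualifier means "+"
    return parsed

def all_policy(record):
    """Return the policy applied to non-matching senders, e.g. 'Fail' for -all."""
    terms = parse_spf(record)
    if terms[-1][1] != "all":
        raise ValueError("record must end with an all mechanism")
    return QUALIFIERS[terms[-1][0]]

def count_lookups(domain, resolver=MOCK_TXT, depth=0):
    """Count DNS-querying terms for domain, descending into include: targets."""
    if depth > LOOKUP_LIMIT:  # guard against include loops
        raise ValueError("include chain too deep")
    total = 0
    for _, name, value in parse_spf(resolver[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include" and value in resolver:
            total += count_lookups(value, resolver, depth + 1)
    return total

def within_limit(domain, resolver=MOCK_TXT):
    return count_lookups(domain, resolver) <= LOOKUP_LIMIT
```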

Adding an SPF Record to the DNS

Even though a dedicated “SPF” DNS record type exists, the record should be added as a TXT record for the domain (@). (See RFC 7208.)

Here is what it looks like in CloudFlare…

As a final step you should validate the record and make sure it is correct. We like to use MXToolbox’s SPF Lookup and Validation tool.

Further Reading
