How to properly set up DNS SPF records?
There are no valid TXT
records for your domain (notice that the test doesn't return any, see below for a working example), which is caused by missing quotes around those TXT
records you defined, as explained e.g. in Record Types Supported:
Unlike with most other record types, for TXT records the Data field is essentially free-form and may even include spaces. Please note: When entering a string that includes spaces, such as SPF records, you must enclose the string in double quotes; otherwise, individual words will be separately quoted and break up the record into multiple parts.
Here are the TXT
records we currently use successfully for Amazon SES as per Authenticating Your Email Address and (it's indeed unfortunate that their documentation doesn't address the quoting needs):
"v=spf1 include:amazonses.com ~all"
"spf2.0/pra include:amazonses.com ~all"
Accordingly, here is our domain's abbreviated result for the test you have been running:
SPF record lookup and validation for: [...]
SPF records are primarily published in DNS as TXT records.
The TXT records found for your domain are:
spf2.0/pra include:amazonses.com ~all
v=spf1 include:amazonses.com ~all
[...]
Checking to see if there is a valid SPF record.
Found v=spf1 record for services.marescom.net:
v=spf1 include:amazonses.com ~all
ylluminate
Updated on July 09, 2022Comments
-
ylluminate almost 2 years
I'm sending weekly emails to subscribers and it turns out that messages are frequently going to the spam folder for users.
I'm utilizing Amazon SES to send these messages and have added an SPF record according to their instructions: http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPFSenderIDDKIM.html?r=3917
In querying the SPF records for my domain I get the following back from http://www.kitterman.com/spf/validate.html:
SPF record lookup and validation for: mydomain.tld SPF records are primarily published in DNS as TXT records. The TXT records found for your domain are: SPF records should also be published in DNS as type SPF records. Type SPF records found for the domain are: Checking to see if there is a valid SPF record. Found v=spf1 record for mydomain.tld: v=spf1 include:amazonses.com ?all evaluating... Results - record processed without error. The result of the test (this should be the default result of your record) was, none . The explanation returned was,
For my CloudFlare DNS records I have:
SPF mydomain.tld v=spf1 include:amazonses.com ?all with automatic TTL TXT mydomain.tld spf2.0/pra include:amazonses.com ?all with automatic TTL
The emails are being sent from "[email protected]" and "[email protected]".
Some users have reported seeing the following message: "Messages that falsely appear to be a "bounced message" response (a system-generated email that you might automatically get after sending a message that can't be delivered such as a message sent to an invalid email address)"
With my current sending solution I can't add a DKIM to the emails.
How can this be resolved so as to ameliorate any kind of receipt issues for our users?
-
ylluminate over 12 yearsAre there TWO txt records for your domain, ie: 1) yourdomain.tld: "v=spf1 include:amazonses.com ~all" and then 2) yourdomain.tld:"spf2.0/pra include:amazonses.com ~all"?
-
Steffen Opel over 12 years@ylluminate: Indeed, though they might not need to be (the test you are running only seems to care about the one you have, see my update) - I never analyzed SPF requirements in detail, rather just applied the existing examples until 2-3 of these SPF tests returned 'all green' ;) The other one stems from Authenticating Email with Sender ID - I've fixed the misleading link now (which went to Authenticating Email with SPF rather than their parent).
-
Steffen Opel over 12 years@ylluminate: Just to clarify (and for later reference) - reading the linked SES documentation and the related RFCs again confirms, that SES currently supports three complimentary authentication mechanisms [...]: SPF, Sender ID, and DKIM. The record you are using already is SPF (obviously), while the 2nd one we are using is Sender ID. Accordingly, you don't require Sender ID, but For the best delivery rates, and to help prevent spoofing and phishing, [AWS recommends] that all Amazon SES users maintain both SPF records (v=spf1) and Sender ID records (spf2.0/pra) in their DNS servers.
-
ylluminate over 12 yearsI was indeed attempting to add SPF and Sender ID. On CloudFlare (my DNS management platform) I have used their SPF record for the SPF and a TXT record for Sender ID. I believe perhaps I could have used their SPF field for both, but I just used these two for the time being. The records seem to be returning properly now thanks to your clarification. You note "all green" in your message above; do you use a testing panel that gives a simple test to verify ns validity for email records such as SPF? Would be interested in what it is if so.
-
Rossitten over 8 yearswill it also take some time to propagate DNS after the mentioned TXT records are added?