Setting an SPF/DKIM record with CloudFlare


If you haven’t already found www.open-spf.org, it’s a great resource. Pay attention to the SPF vs. Sender ID topic. Check out http://www.open-spf.org/SPF_Record_Syntax for the down and dirty.

If you’re hosting your own mail server and your MX records constitute the only sending servers, you can get away with just the ‘mx’ mechanism.

If you’re using a hosted service for your email (Google Apps for example), or even forwarding outgoing mail from your internal SMTP server to a service like SendGrid, check with those services for specific SPF configuration instructions.

Edited to add better descriptions of SPF, mechanisms, and qualifiers

When a mail exchange that supports the use of SPF receives an email, it looks at the purported domain of the sender ([email protected]) and the IP address of the server that sent the message. The question is, does that IP address have permission to send email on behalf of the sender's domain (sendingdomain.tld)?

To answer this question, the server retrieves the SPF record (stored as a DNS TXT record) from the purported domain (sendingdomain.tld) and checks the sending server's IP address against that SPF record.

SPF uses mechanisms to create lists of valid sending servers for email. Each mechanism can be qualified with a +, -, ~, or ? prefix (this information was taken from open-spf.org):

  • '+' means pass (or valid) - Note: This is the default action
  • '-' means fail (or invalid)
  • '~' means soft fail (treated by many servers as neutral)
  • '?' means neutral (validity is neither confirmed nor denied)

When a record is being evaluated, it matches the first mechanism from left to right. If no mechanism matches, the default result is neutral.

In general, the 'All' mechanism matches everything, so...

The '+All' mechanism means, all servers are valid senders for this domain (don't use this option).

The ‘-All’ mechanism fails all sending servers. Use this at the end of an SPF record to override the neutral default result with a fail result. Some services (like Google) warn against this, but I have yet to run into any problems with it.

The ‘~All’ and '?All' mechanisms are the equivalent of saying, “if the sending server doesn't match any of the valid servers listed, don’t worry about it.” Use these for testing SPF records only.

For a full list of mechanisms, refer to open-spf.org's Record Syntax page.

The one other mechanism I'd like to discuss here is ‘include:<domain>’. This mechanism directs a server parsing an SPF record to include additional mechanisms specified in another SPF record hosted by <domain>.

Examples:

If your domain uses the same servers (as in same IP address) for sending and receiving:

  • v=spf1 mx -all
  • The above is equivalent to, v=spf1 +mx -all

If you use Google Apps to host mail, but sometimes use an internal SMTP server for automated messages:

  • v=spf1 ip4:<ip address of internal server> include:_spf.google.com -all

DKIM is a different beast altogether. If you’re using a hosted email service, check with that service for instructions. If you're hosting your own mail exchange, check the documentation for your server software to figure out how to implement it. It’s a bit beyond the scope of this question.
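To make the left-to-right, first-match evaluation described in this answer concrete, here is an added example (not part of the original answer) of a minimal SPF evaluator in Python. It handles the mechanisms discussed above (ip4, a, mx, include, all) and the four qualifiers, and uses a constructed in-memory DNS table in place of real lookups; all domains and addresses in it are made up.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: not real records, no network lookups).
DNS = {
    "example.tld": {"TXT": "v=spf1 ip4:198.51.100.7 include:_spf.mailhost.example -all",
                    "A": ["198.51.100.7"], "MX": ["mail.example.tld"]},
    "mail.example.tld": {"A": ["198.51.100.7"]},
    "mxonly.tld": {"TXT": "v=spf1 mx -all", "MX": ["mail.example.tld"]},
    "_spf.mailhost.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _rr(domain, rrtype):
    """Return the list of records of `rrtype` for `domain` from the table."""
    return DNS.get(domain, {}).get(rrtype, [])

def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for sender IP `ip`; first match wins."""
    if depth > 10:
        return "permerror"          # include loop / too many lookups
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"               # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                  # '+' (pass) is the default qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":         # bare address or CIDR block
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":           # A record of the domain (or of arg)
            matched = str(addr) in _rr(arg or domain, "A")
        elif name == "mx":          # A records of each MX host
            matched = any(str(addr) in _rr(mx, "A") for mx in _rr(arg or domain, "MX"))
        elif name == "include":     # only a "pass" from the included record matches
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"      # unknown mechanism (ip6, exists, ptr, ... not shown)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                # nothing matched and no trailing "all"
```

Note how the ~all inside the included record never leaks out: an include only contributes a "pass", which is why the outer -all still decides the result for unlisted senders.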


Author: Tiffany Walker

Updated on September 18, 2022

Comments

  • Tiffany Walker
    Tiffany Walker almost 2 years

    What is the correct way to setup an SPF record?

    Use TXT and add the following?

    v=spf1 a mx include:mydomain.tld ~all
    

    UPDATED:

    After using the following:

    v=spf1 a mx ~all
    

    I get this:

    Received-SPF: temperror (google.com: error in processing during lookup of [email protected]: DNS timeout) client-ip=x.x.218.7;
    Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of [email protected]: DNS timeout) [email protected]
    Received: from PHPUSERNAME by SERVER.MYDOMAIN.TLD with local (Exim 4.77)
    (envelope-from <[email protected]>)
    id xxxxxxxxxxxxxxxx
    for [email protected];
    
    • ceejayoz
      ceejayoz over 11 years
      That depends on how you're sending out e-mails. This has little to do with CloudFlare, and DKIM is an entirely separate setup.
    • Tiffany Walker
      Tiffany Walker over 11 years
      What do you mean by how you are sending out e-mails? This is a new field for me.
    • Michael Hampton
      Michael Hampton over 11 years
      And remember that ~all basically makes your rule pointless. Use -all once you're sure the rule is working properly and identifies every possible valid sender.
    • Tiffany Walker
      Tiffany Walker over 11 years
      What is the difference between ~all, -all and +all?
  • Tiffany Walker
    Tiffany Walker over 11 years
    I set as the following: v=spf1 ip4:x.x.218.7 +a +mx +ip4:x.x.218.7 -all -- all my mail comes and goes from this one server. Is this right? Also, under the "name" I place the domain, right?
  • Matthew Johnson
    Matthew Johnson over 11 years
    That would work, but it looks like you have more than you need. v=spf1 ip4:x.x.218.7 -all should be sufficient. Or even, v=spf1 mx -all would be sufficient since your one and only MX record should point to your one and only server at x.x.218.7.
  • Matthew Johnson
    Matthew Johnson over 11 years
    Check out kitterman.com/spf/validate.html to validate your SPF record. I also like to use mxtoolbox.com/spf.aspx.
  • Matthew Johnson
    Matthew Johnson over 11 years
    @TiffanyWalker - Sorry, I can't comment under your updated post (not enough points yet). I'll update my post above to answer your question about +All/-All/~All. Question about your setup: does the domain of the email address you're testing with match the domain hosting the SPF text record exactly?
  • Marcello Romani
    Marcello Romani over 3 years
    Minor typo: the website is open-spf.org