SPF Record

Back up to the Email Category
From AAISP Support Site
Revision as of 21:21, 13 November 2019 by AA-Andrew (talk | contribs)


SPF = Sender Policy Framework

From Wikipedia:

SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

Many of the large email providers (Gmail, Yahoo, Office 365) are getting picky about accepting email that has no 'validation' mechanisms. Even if your email is not spam or junk they may treat it as so and either reject the message or put it in the recipients junk folder.

Whilst we don't provide DMARK or DKIM features on our email service customers are are welcome to use their own email servers and configure them as they wish.

However, customers may be able to add a SPF record to their domain to help get their messages through. In short, an SPF record says which email servers are allowed to send messages from you.

Typically, our customers would use smtp.aa.net.uk to send email - however thought must be given to other servers that may also send email from your domain - eg you may have a 3rd party web server or some other service that sends email on our behalf - these would want to be included too.

Error creating thumbnail: File missing

To cover the IP addresses of the A&A email servers, you can include _spf_include.aa.net.uk, eg:

v=spf1 mx include:_spf_include.aa.net.uk ~all


This says to accept email from the mx records (mx) and A&A's published list of IP addresses (include:_spf_include.aa.net.uk) , everything else should be marked as possible junk (~all). This should be added as a domain level TXT record (Typically "@" through a control panel).

This is just a brief example of SPF, the record above will be useful to customers who only send email via smtp.aa.net.uk. There are lots of information and SPF 'generators' on the internet. The main thing to do is to test what you have added by looking at the headers of email that has been received by Gmail/O365 etc)

Example, Looking at Gmail headers

You can send an email to a gmail address, and then look at the received headers to see what Gmail think about the SPF records. (In gmail, open the email, click the 3 dots and select show original)

No spf:

ARC-Authentication-Results: i=1; mx.google.com;
      spf=neutral (google.com: 81.187.30.51 is neither permitted nor denied by best guess record for domain of xx@xx.org.uk) smtp.mailfrom=xx@xx.org.uk

With spf

ARC-Authentication-Results: i=1; mx.google.com;
      spf=pass (google.com: domain of xx@xx.com designates 81.187.30.52 as permitted sender) smtp.mailfrom=xx@xx.com