How to Configure SPF Record on the ArvanCloud User Panel
Sender Policy Framework (SPF) is a standard security mechanism that protects a domain against email spoofing attacks and helps ensure that legitimate emails reach users instead of being classified as spam. In an email spoofing attack, the attacker sends fake emails to victims using someone else's domain as the sender.
What Is an SPF Record?
The SPF record is a TXT record that lists the hosts (IP addresses) allowed to send email on behalf of a specific domain. It matters because if you do not define this record in the DNS management settings, email providers such as Yahoo and Gmail treat mail from the sender domain as spam by default.
Steps Before Defining the SPF Record
- Identify the email servers that you use to send emails to your audience. For example, this may be one of the following:
- Web server,
- Email service providers such as G Suite, Zoho, Mailgun, and so on.
- Make a list of the domains from which you send emails. If you are an organization with a large number of domains, you probably use only some of them (the active domains) to send emails. The essential point is that you should define an SPF record for every domain under your control, including those from which you never send emails. Note that the domains you do not use to send emails are the first target of attackers, because attackers assume that SPF has not been applied to secure them.
How to Configure the SPF Record
The SPF record is defined in a single text string format similar to the following:
This record always begins with "v", which stands for Version and indicates the SPF version in use; SPFv1 (written v=spf1) is the only version defined so far. The rest of the line lists the mechanisms to match against. Each mechanism may be prefixed with one of the following qualifier characters; without a prefix, a mechanism is checked and treated as accepted.
- +: Indicates that the mechanism is accepted: a host (address) matching it is allowed to send emails. This is the default qualifier when none is written.
- -: Indicates that the mechanism is denied: a host matching it is not allowed to send emails.
- ~: Indicates a soft fail: the email is accepted, but a host matching it is tagged as non-compliant mail.
- ?: Indicates neutral: the mechanism is neither accepted nor denied; a host matching it may still be accepted.
The mechanisms that you can use in defining the SPF record are as follows:
- ip4: This mechanism lists the IPv4 addresses allowed to send emails. For IPv6 addresses, use ip6 instead of ip4.
- include: Use this mechanism to reference email servers that you do not control but that send email on your behalf (third-party email services), for example include:_spf.google.com.
- all: This mechanism matches every host and IP. It is normally placed last, and it determines how to treat IP addresses that match none of the other mechanisms in the line.
- +all: Every server may use your domain to send emails.
- -all: When placed at the end of a line containing other mechanisms, it means that no IP or host other than those listed in the line is allowed to send emails. If it is the only term in the SPF record, it means that no server at all is allowed to send emails from the domain.
- ~all: Emails from servers not matched by the other mechanisms are accepted, but they are tagged as non-compliant mail.
- a: This mechanism matches the addresses in the domain's A record.
- mx: This mechanism matches the A records of the hosts listed in the domain's MX record.
- ptr: This mechanism matches hosts whose PTR (reverse DNS) record points back to the domain. It is discouraged in current SPF practice (RFC 7208) because it is slow and unreliable; prefer ip4, ip6, a or mx.
- exists: Use this mechanism to set one or several domains as exceptions.
The SPF Modifiers
Modifiers are name=value pairs, with the name and value separated by an = symbol. They usually appear at the end of the SPF record line, and each modifier may be used at most once per record:
- redirect: The redirect modifier points to another domain's SPF record, so you can apply the same SPF record to several domains. Use redirect only if you also manage the domain you redirect to; otherwise, use the include mechanism. The following line is an example of how to apply this modifier:
- exp: Use this modifier to provide an explanation of why an SPF check failed. The text can be seen in the SPF log. The following line is an example of how to apply this modifier:
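To make the qualifiers, mechanisms and modifiers above concrete, here is an added example (not ArvanCloud's code, and not a production SPF library) of a simplified check_host() evaluator in the spirit of RFC 7208. It resolves names against a constructed in-memory FAKE_DNS table so it runs offline; every domain in that table is made up, and the 192.168.243.1 address is taken from the practical example later on this page. Macros, CIDR suffixes on a/mx, and the ptr and exists mechanisms are deliberately left out.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS so the example runs offline.
# Every domain and address below is an example value, not a real deployment.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.168.243.1 include:_spf.mailer.example "
                "-all exp=explain.example.com"],
        "A": ["192.168.243.1"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.168.243.2"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "shop.example.com": {"TXT": ["v=spf1 a mx ?all"],
                         "A": ["198.51.100.7"], "MX": ["mail.example.com"]},
    "alias.example.com": {"TXT": ["v=spf1 redirect=example.com"]},
    "dup.example.com": {"TXT": ["v=spf1 redirect=example.com redirect=example.com"]},
    "explain.example.com": {"TXT": ["example.com only sends mail from its listed servers"]},
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def get_spf(domain):
    """Return the domain's SPF record (the TXT record starting 'v=spf1'), if any."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate ip against domain's SPF record and return (result, reason).

    Simplified RFC 7208 check_host: no macros, no CIDR suffix on a/mx,
    and no ptr/exists mechanisms.
    """
    if depth > 10:
        return "permerror", "include/redirect nested too deeply"
    record = get_spf(domain)
    if record is None:
        return "none", f"{domain} publishes no SPF record"
    addr = ipaddress.ip_address(ip)
    terms = record.split()[1:]                      # skip the "v=spf1" version tag

    # Pass 1: collect name=value modifiers; each may appear only once.
    modifiers = {}
    for term in (t for t in terms if "=" in t):
        name, value = term.split("=", 1)
        if name in modifiers:
            return "permerror", f"modifier {name} appears more than once"
        modifiers[name] = value

    # Pass 2: evaluate mechanisms left to right; the first match decides.
    for term in (t for t in terms if "=" not in t):
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            sub, _ = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror", f"include:{arg} has no usable SPF record"
            matched = sub == "pass"                 # only "pass" counts as a match
        else:
            return "permerror", f"unsupported mechanism {mech}"
        if matched:
            result = QUALIFIERS[qualifier]
            reason = f"matched {qualifier}{term}"
            if result == "fail" and "exp" in modifiers:
                # exp= names a domain whose TXT record carries the explanation text
                reason = (lookup(modifiers["exp"], "TXT") or [reason])[0]
            return result, reason

    if "redirect" in modifiers:                     # nothing matched: follow the redirect
        return check_host(ip, modifiers["redirect"], depth + 1)
    return "neutral", "no mechanism matched and no redirect given"


if __name__ == "__main__":
    for ip, dom in [("192.168.243.1", "example.com"), ("203.0.113.5", "example.com"),
                    ("198.51.100.9", "example.com"), ("192.168.243.2", "shop.example.com"),
                    ("192.168.243.1", "alias.example.com")]:
        print(ip, dom, "->", check_host(ip, dom))
```

Running it shows the rules from the lists above in action: the listed ip4 address passes, a host covered by the included record passes, an unknown host hits -all and receives the exp text, the mx host of shop.example.com passes, and the redirect on alias.example.com is evaluated as example.com's record. Swap lookup() for real DNS queries and the same logic applies to a live domain.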
How to Configure SPF Record on the ArvanCloud User Panel
To set the SPF record for your domain, follow these steps:
- Go to the ArvanCloud user panel,
- Open the Cloud DNS section,
- Select Record Management,
- On the DNS Settings section, select TXT for the Record Type field and @ (this symbol refers to your domain) for the Title field,
- Click on the Value option,
- On the open window, type the definition line of the SPF record,
- Click on the Save button,
- Finally, define the record Time to Live value and click on the Add button to create your new record.
Some Practical Examples
Sending Email from Allowed IP Addresses
If you want the web server on which you have activated the email service to be the only server allowed to send emails (for example, suppose that the IP address allowed to send emails is 192.168.243.1), enter the @ character in the Title field and insert the following line in the Value field:
You can also append the +a and +mx options to the end of the line.
Sending Email from Mailgun.org
As soon as you register the domain with the Mailgun email service, the service provides you with the SPF record value.
Then open the DNS Settings section and insert this value into the Value field. For more information, read the A Guide to Mailgun article.
Sending Email from G Suite
According to the Google guide, you must set the TXT record value as in the following example:
However, if you are using several other domains in addition to Google, use one of the following ways to define the value:
For more information, read the A Guide to G Suite article.