
SPF Records

What is an SPF record?

An SPF (Sender Policy Framework) record specifies which hosts or IP addresses are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain.

In your DNS management interface, create a new TXT record like the one below.

TXT @ v=spf1 mx ~all

Explanation:

  • TXT indicates this is a TXT record.
  • Enter @ in the name field.
  • v=spf1 indicates this is an SPF record and the SPF record version is SPF1.
  • mx means all hosts listed in your domain's MX records are allowed to send emails for your domain; combined with the all term at the end of the record, all other hosts are disallowed.
  • ~all (a soft fail) indicates that emails from your domain should only come from hosts specified in the SPF record. Emails from other hosts will be flagged as forged. Possible alternatives are +all, -all, ?all, but they are rarely used.

Note that some DNS managers require you to wrap the SPF record with quotes.
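
As an added example that is not part of the original page, the following Python code parses the record above and returns the SPF result a receiver would assign to a sending IP. It handles only the mx, ip4, ip6 and all mechanisms, and the mx_ips list is an assumption standing in for the DNS lookup of the domain's MX hosts; all addresses are constructed sample values.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, argument) tuples."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF1 record")
    parsed = []
    for term in terms[1:]:
        has_qualifier = term[0] in QUALIFIERS
        qualifier = term[0] if has_qualifier else "+"
        body = term[1:] if has_qualifier else term
        name, _, arg = body.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def check_sender(record, sender_ip, mx_ips):
    """Return the SPF result for sender_ip; the first matching mechanism wins.

    mx_ips is an assumption: it replaces the DNS lookup of the MX hosts.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            matched = True
        elif name == "mx" and not arg:
            matched = ip in {ipaddress.ip_address(a) for a in mx_ips}
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise NotImplementedError(f"term {name!r} is not handled here")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

# Constructed sample data (documentation address ranges, not real hosts).
MX_IPS = ["192.0.2.10"]
RECORD = '"v=spf1 mx ~all"'  # the page's record, quoted as some DNS managers require

if __name__ == "__main__":
    for sender in ("192.0.2.10", "203.0.113.7"):
        print(sender, check_sender(RECORD, sender, MX_IPS))
    print("203.0.113.7 with -all:",
          check_sender("v=spf1 mx -all", "203.0.113.7", MX_IPS))
```
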

Configuring SPF Policy Agent

We also need to tell our Postfix SMTP server to check the SPF record of incoming emails. This doesn’t help ensure outgoing email delivery, but it helps detect forged incoming emails.

First, ensure that you're in a sudo shell and install the required package:

apt install postfix-policyd-spf-python

Then edit the Postfix master process configuration file:

nano /etc/postfix/master.cf

Add the following lines at the end of the file:

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Save and close the file. Next, edit the Postfix main configuration file:

nano /etc/postfix/main.cf

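Append the following lines at the end of the file. The first line specifies the Postfix policy agent timeout setting. The following lines impose restrictions on incoming emails by rejecting unauthorized email and checking the SPF record. Keep check_policy_service after reject_unauth_destination, so that a response from the policy service cannot permit relaying.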

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf

Save and close the file, then restart Postfix:

service postfix restart

Further Reading: https://support.dnsimple.com/articles/spf-record/