Pick a default.
SPF domains have to publish at least two directives: a version identifier and a default mechanism.
mydomain.com. TXT "v=spf1 -all"
This is the simplest possible SPF record: it means your domain mydomain.com never sends mail.
It makes sense to do this when a domain is only used for web services and doesn’t do email.
But most domains will want to designate permitted hosts using one or more mechanisms.
If your MX servers send mail, designate them.
mydomain.com. TXT "v=spf1 mx -all"
Let’s pretend mydomain.com has two MX servers, mx01 and mx02. They would both be allowed to send mail from mydomain.com.
If other machines in the domain also send mail, designate them.
mydomain.com. TXT "v=spf1 mx ptr -all"
This designates all the hosts whose PTR hostname match mydomain.com.
If any other machines not in the domain also send mail from that domain, designate them.
mydomain.com. TXT "v=spf1 a:mydomain.com mx ptr -all"
mydomain.com’s IP addresses don’t show up in its list of MX servers. So we add an “a” mechanism to the directive set to match them.
mydomain.com. TXT "v=spf1 a mx ptr -all"
This is shorthand for the same thing.
Each of your mail servers should have an SPF record also.
When your mail servers create a bounce message, they will send it using a blank envelope sender:
<>. When an SPF MTA sees a blank envelope sender, it will perform the lookup using the HELO domain name instead. These records take care of that scenario.
mx.mailix.net. TXT "v=spf1 a -all"
Consider creating an SPF record for every other machine in your domain.
Spammers can forge hostnames as well as domain names: to SMTP there is no difference between the two. If they start forging the hostnames of web servers, unix servers, even workstations, you’ll want to create SPF records for those machines also.
If you send mail through another organization’s servers, you should use an Include directive to point to their servers. If they do not have SPF records, maybe they don’t know about SPF. Tell them about it!
(optional) use Include records to share these hosts
If other domains use exactly the same set of hosts, you can set up redirects for them. “Redirect” aliases point to other domains which themselves publish SPF records. This aliasing mechanism makes it possible to easily consolidate multiple domains that share the same set of designated hosts.
That’s it. You’re done.
How to configure Sender of Policy Framework records in the Windows Server 2003 Domain Name System
To configure SPF records in the Windows Server 2003 DNS, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
- In the left pane, expand the DNS server object, and then expand Forward Lookup Zones.
- Right-click the domain folder to which you want to add the SPF record, and then click Other New Records.
- In the Select a resource record type list, click Text (TXT), and then click Create Record.
- If you add a record for the parent domain, leave the Record name box blank. If you do not add a record for the parent domain, type the single part name of the domain in the Record name box.
- In the Text box, type v=spf1 mx -all.
- Click OK, and then click Done.
Note This procedure is for DNS servers that host public DNS records for the domain. If the DNS records are being hosted by an Internet service provider (ISP), contact the ISP to request SPF records for the domain.
For more information about the Sender ID Framework, visit the following Microsoft Web site:
For more information about the practice that is known as phishing, visit the following Microsoft Web site: