Monday, March 16, 2009

spam mail - What Everybody Ought to Know About SPF Records

spam mail - What Everybody Ought to Know About SPF Records
Nick Wilsdon · June 17th, 2008
Hopefully you’ve already heard of SPF records, one of the new ways to fight spam across the internet. When a mail server receives an email it can check the DNS zone of the sending domain for a SPF record. That will tell them if the email did indeed come from that domain name, using an authorised SPF address. This stops spammers forging mail headers, i.e. pretending that their email came from your domain when it didn’t. You can read more here.

Why do I need to know this?

SPF records are increasingly being used as a filter for email. That means that failing to put one on your domains (or that of your clients) can result in email being sent directly to the spam bin, bounced back or even deleted.

How does this connect to online marketing?

Well the obvious connection is email marketing. If our client mailouts never make it past the spam bin we have already impacted our conversion rate but this has wider implications. Not using a SPF record can hamper any email communication including support/sales follow-ups and forum/blog thread updates or other user notifications. This is a technical issue for server or domain administrators but many are yet to implement this standard. As the marketer you can suggest and push this good practice.

SPF records and Google/Gmail

Gmail is quickly emerging as one of the main email providers, especially as they push us all towards the utopia of “cloud computing”. They are definitely taking note of SPF as a method to fight spam and have already implimented an SPF test for all incoming email. If you open any email there and click “Show original” from the right hand menu, you will probably see something like this among the blurb:

Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;
Authentication-Results:; spf=neutral ( is neither permitted nor denied by best guess record for domain of

That means Google can’t get any positive authentication for this email, i.e. no SPF record exists. The best it can do is be neutral about the test, “neither permitted nor denied”. Now if we have an SPF record set up we get something a lot more positive:

Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender)

Much better, we’ve passed the SPF test at Gmail and our emails have improved chances of avoiding the spam folder.

How do I add SPF records?

Very easily as long as you have access to the DNS settings for the domain. SPF records can also be entered as text (TXT) records which are standard entries for DNS providers. Here is a handy wizard which will generate the SPF record for you. This will probably look something like this:

v=spf1 a mx ~all

So the record you would end up in with in your DNS zone will be similar to: IN TXT "v=spf1 a mx ~all"

If you are using scripts to send out emails automatically (i.e. forum or blog) you may need to add settings for your server IP and the account it sends from. Again check the headers on these emails to see the sender details you need to authenticate (“Show original”).

To check if a domain currently has a record use this SPF validation tool. If you want to test a positive result, use this domain ( Any questions, feel free to ask below.

Danny's DNS TXT Record Setting

v=spf1 ip4: a mx ~all

PHP code:


$adminmail = '';

$usermail = '';

$subject = 'test';
$message = 'gan';

mail($usermail, $subject, $message, "From: $adminmail\nX-Mailer: PHP/", "-odb -f $adminmail");

echo 'Done';

No comments: