Mail Assure Help

Set up SPF

SPF (Sender Policy Framework) is used to restrict which mail servers are allowed to send email for your domain name. This framework is designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records in the form of an SPF record which is a specially formatted TEXT record.

An example of an SPF would be : example.com. TXT "v=spf1 -all"

Forwarding emails can sometimes break the SPF. If this is the case we recommend using SRS (Sender Rewriting Scheme - http://www.openspf.org/SRS).

To Set up SPF for a Domain

Existing SPF record

If you have an existing SPF record, you should add "include:spf.mtaroutes.com".

Create new SPF record

  1. If you do not have an existing SPF record, you need to create one using the following:
    1. "v=spf1 include:spf.mtaroutes.com -all"

      ... where:

      • v=spf1 is the version of spf
      • include:spf.mtaroutes.com uses the SPF record on mtaroutes.com (the Mail Assure server)
      • -all means EXCLUDE everything else

    another example you can use is:

      "v=spf1 ip4:1.2.3.4 include:spf.mtaroutes.com include:yourdomain.com -all"

      ... where you need to replace the ip4 entry with your mail server address.

  2. If you have multiple sending addresses, the following external links can be used for additional formatting and guidance:
  3. Open SPF - http://www.openspf.org/

    SPF wizard - https://www.spfwizard.net/

  4. Next you need to publish the TXT record to the authoritative DNS server for your domain. This step will differ from each domain provider. If assistance is required contact your provider.
  5. Depending on your domain's current Time to Live (TTL), this may take up to 24 hours to propagate.

If SPF checking is turned on in a domain's Filtering Settings, this causes a hard fail of SPF records that don't match - and the message is quarantined. You can control whether SPF/DKIM/DMARC are enabled in the Filtering Settings for a domain. You can also manage a list of domains and IP addresses with disabled SPF, DKIM and DMARC (see Manage Domains and IPs with Disabled SPF, DKIM and DMARC Checks).
SPF checking will prevent any targeted spoofs. If required, you will need to add any intentional spoofing to your SPF records or whitelist the sender (whitelisting the sender is a last resort as this can also be spoofed).
 
If you are using other sources for outbound filtering, you need to make sure you modify the SPF record appropriately. The above is only suitable if all outbound filtering is handled by Mail Assure.