§2024-10-01

To set up SPF (Sender Policy Framework) for a mail server, follow these steps:

v=spf1 include:_spf.google.com mx a:yushei.net a:mail.yushei.net ip4:59.126.118.189 ip4:59.126.118.193 ip4:59.126.118.194 ip4:192.168.0.0/16 ~all

  1. Understand SPF:

SPF is an email validation protocol that helps prevent email spoofing. It allows the domain owner to specify which mail servers are permitted to send emails on behalf of the domain.

  2. Create or Modify a DNS TXT Record:

You'll need to add an SPF record to your domain's DNS settings. This is done by adding a TXT record in your DNS zone file.

  3. Structure of SPF Record:

The SPF record is a simple text string that tells which servers can send mail on behalf of your domain. The format looks like this:

  4. Example SPF Record for a Mail Server:

If your mail server's IP address is 203.0.113.10 and you're sending mail through a third-party service like Gmail, your SPF record might look like this:

v=spf1 ip4:203.0.113.10 include:_spf.google.com -all

  5. Add the SPF Record to Your DNS:
  6. Test Your SPF Record:

Once the DNS changes propagate (which may take up to 24-48 hours), you can use tools to verify that the SPF record is set up correctly:

  - DNS Checker SPF
  - MXToolbox SPF Lookup: https://mxtoolbox.com/spf.aspx
  - Kitterman SPF Validator: http://www.kitterman.com/spf/validate.html

  7. Why include:_spf.google.com in your record:

The inclusion of include:_spf.google.com in an SPF record is necessary if you are using Google services (such as Gmail or Google Workspace) to send emails on behalf of your domain.

Here's why it’s included:

7.1. Google as an Email Sender:

When your domain sends email through Google's mail servers (such as Gmail or Google Workspace), you need to authorize Google's servers to send emails on your behalf. If you don’t include Google's SPF, recipient mail servers may reject or mark the emails as spam because they cannot verify that Google's servers are authorized to send emails for your domain.

7.2. What include:_spf.google.com Does:

The include:_spf.google.com part tells receiving mail servers to check Google's SPF record (located at _spf.google.com) to see which Google servers are allowed to send emails. Essentially, you're saying: "In addition to my own mail server, the servers listed by Google are also authorized to send emails on behalf of my domain."

Google's SPF record (_spf.google.com) currently authorizes multiple IP addresses and ranges used by Google for email delivery. By including it, you delegate part of the SPF checking process to Google's own SPF policies.

7.3. How It Works:

When an email is sent from your domain, the recipient's mail server checks your domain's SPF record. If it sees include:_spf.google.com, it fetches and evaluates Google's SPF record, allowing the email if it comes from an IP authorized by Google.
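The evaluation just described, as an added example that is not part of the original note: a minimal SPF checker that walks the record's mechanisms left to right (ip4/ip6, a, mx, include, all), follows an include the way 7.3 describes, and stops with permerror once the 10-lookup limit is exceeded. It runs against a constructed in-memory DNS table; the contents of _spf.google.com, example.com, loop.example and the yushei.net A/MX data are placeholders, and a real checker would query DNS instead.

```python
import ipaddress
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed in-memory DNS table so the example runs offline. The record shown
# under _spf.google.com is an illustrative placeholder, NOT Google's real record.
DNS = {
    "example.com":     {"TXT": "v=spf1 ip4:203.0.113.10 include:_spf.google.com -all"},
    "_spf.google.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"},
    "yushei.net":      {"TXT": "v=spf1 mx a:mail.yushei.net ip4:59.126.118.189 ~all",
                        "MX": ["mail.yushei.net"]},
    "mail.yushei.net": {"A": ["59.126.118.193"]},
    "loop.example":    {"TXT": "v=spf1 include:loop.example -all"},  # self-referencing
}
def _in(ip, spec):  # spec is a bare address or a CIDR block
    return ip in ipaddress.ip_network(spec, strict=False)
def check_spf(ip, domain, budget=None):
    """Evaluate domain's SPF policy for sender ip: pass, fail, softfail, neutral, none or permerror."""
    ip = ipaddress.ip_address(ip)
    budget = [10] if budget is None else budget      # shared DNS-lookup counter
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:                  # mechanisms, left to right
        qual, hit = "+", False                       # default qualifier is "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech in ("a", "mx", "include"):           # these cost a DNS lookup
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                   # over the 10-lookup limit
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = _in(ip, arg)
        elif mech == "a":
            hit = any(_in(ip, h) for h in DNS.get(target, {}).get("A", []))
        elif mech == "mx":
            hosts = DNS.get(target, {}).get("MX", [])
            hit = any(_in(ip, h) for mx in hosts for h in DNS.get(mx, {}).get("A", []))
        elif mech == "include":                      # delegate to another policy
            inner = check_spf(ip, target, budget)
            if inner == "permerror":
                return "permerror"
            hit = inner == "pass"                    # only an inner pass matches
        if hit:
            return QUALIFIER[qual]                   # first match decides
    return "neutral"                                 # no mechanism matched
```

Note that an include whose inner result is softfail or fail does not match; evaluation simply continues to the next mechanism, so the outer record's -all still decides the final result.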

7.4. Why It’s Important:

If you're using Gmail or Google Workspace without this include, recipients may block your emails because their mail servers won’t recognize Google as an authorized sender.

When to Include: You should include this only if you are sending email from Google services (Google Workspace, Gmail, etc.). If not, then there's no need to include it.

Common Use Case: Domain Sending Email via Google Workspace: If your business or organization uses Google Workspace (formerly G Suite) for email, including include:_spf.google.com ensures that any email sent via Google's infrastructure on your domain's behalf is properly authenticated and delivered. If you aren't using Google for email but a different service (e.g., Microsoft 365, SendGrid, etc.), you'd include their SPF records instead.