Sender Policy Framework
Sender Policy Framework/ SPF is an Email validation system, to find out spoofed/ forged emails using a specific SPF record published for the domain with the details of hosts, that are permitted by the domain's administrators.
Note
The Sender Policy Framework (SPF) configuration settings in the NICeMail Admin Console will be accessible only to users with the Administrator role.
About SPF Records
Sender Policy Framework/ SPF Records is a type of DNS record published in the domain's DNS that identifies the email servers that are permitted to send emails using the particular domain name. The main purpose of SPF records is to help the recipient email server identify the spam emails, sent using your domain name by spoofing/ forging the From email addresses.
The purpose of an SPF record is to detect Email Backscatter thereby preventing spammers from sending messages with forged From addresses on your domain. The SPF protocol is one of the standard validations to fight against spam and also enable secure email communication. Additionally, it is also a part of DMARC specification.
Configure SPF Records for NICeMail
When you send an email using you@yourdomain.com from NICeMail, the recipient servers refer the SPF records to check if the email sent from NICeMail is genuine. Some email servers reject the emails if there is a mismatch or if there are no valid SPF records for your domain. Generally, you can publish the SPF records as TXT records in the DNS Providers (Domain Registrars/ DNS Managers).
The Valid SPF records that need to be published are provided below:
v=spf1 include:mgovcloud.in -all
The usage of -all indicates that no other email server other than mgovcloud.in will be used to send emails using the specified domain. You can also publish the SPF record that uses ~all instead of -all. This represents soft-fail in case the domain uses other email servers to send emails using the same domain name.
There should be only a single SPF record for the domain. In this spf record, the mgovcloud.in is a hostname, which includes a huge set of IP Addresses that our service uses to send emails. In case you use any other third party service or internal email servers to send emails, refer here.
Steps to add SPF TXT record in domain managers:
- Login to your DNS Manager where your domain's name server is pointed.
- Select the My Account menu and choose Domains.
- Expand Domains and click the Manage DNS button for the domain you want to verify.
- The DNS Manager page will open with information about existing DNS records.
- Scroll down to the Records section and click the Add button to add a DNS record
- Select TXT from the Type drop-down menu.
- In the Host field, specify @.
- In the TXT Value field, enter v=spf1 include:mgovcloud.in ~all
- Click Save.
In case you are using only NICeMail to send emails, remove all the other SPF record types from the DNS. Click 'Save Changes' again to save all the changes. Having multiple SPF records will interrupt the SPF check and hence the SPF validation may fail and the emails will end up as Spam in the recipient servers.
SPF Verification
You can check the SPF records for all the domains you have in the Organization from the Domains section under Email Configuration menu for the respective domain.
Steps to verify SPF Status for Domains:
- Login to https://mailadmin.mgovcloud.in.
- Select the Domains section from the left pane.
- All the domains in the organization will be listed.
- Select the domain for which you'd like to verify the SPF record.
- Go to Email Configuration, select SPF from the dropdown, and click Verify SPF Record.
- Click Verify across each domain to validate the SPF records for the domain.
Using additional entries instead of multiple SPF Records
Multiple SPF records are invalid according to the Sender Policy Framework. Every domain should have a single SPF record, including all the servers that the domain uses to send emails.
When you add multiple TXT records of type SPF, it causes an interruption in the email delivery and your emails may end up being classified as Spam. As per the RFC Specifications for SPF records, a domain should not have multiple SPF records and this will cause the validation to select more than one record.
In case you need to use multiple email servers for your domain, you can update the details in the same SPF record instead of multiple entries.
Other IP Address and NICeMail
If you send emails from your multiple services with IP4 address, IP6 Address and a host name the Syntax of SPF record is as explained below.
Example: If you send emails from your webhost, whose IP4 address is 192.168.20.25, from another automated server with IP6 range ip6:1080::8:800:68.0.3.1/96 and NICeMail, the SPF record should be added like below:
v=spf1 ip4:192.168.20.25 ip6:1080::8:800:68.0.3.1/96 include:mgovcloud.in ~all
Incorrect Records | Correct Records |
---|---|
v=spf1 ip4:192.168.20.25 ~all v=spf1 ip6:1080::8:800:68.0.3.1/96 ~all v=spf1 include:mgovcloud.in ~all | v=spf1 ip4:192.168.20.25 ip6:1080::8:800:68.0.3.1/96 include:mgovcloud.in ~all |
Other Host Names and NICeMail
Having multiple records with multiple records v=spf1 include:abc.com v=spf1 include:def.com is invalid as per the RFC specifications. In that case you need to add the SPF record in the format below:
v=spf1 include:abc.com include:def.com include:mgovcloud.in ~all.
Incorrect Records | Correct Records |
---|---|
v=spf1 include:abc.com ~all v=spf1 include:def.com ~all v=spf1 include:mgovcloud.in ~all | v=spf1 include:abc.com include:def.com include:mgovcloud.in ~all |
Troubleshooting SPF Record Addition
DNS Provider - Registrar conflict
When you register the domain with one provider, but point the Nameservers to another provider, then the TXT Record added in your Domain Registrar to configure SPF is not considered valid. You might have changed the DNS Provider for hosting your website or for your previous email provider configuration or based on your choice.
The TXT Records added in the provider where the Nameservers are pointed will only be effective and valid. Hence, do a NameServer Lookup for your domain, to check where your domain is hosted. You may also check with your Domain Registrar or the technical contact for your domain on where the name servers are pointed to, if you are not sure.
Longer TTL
TTL (Time To Live) is the time specified in your DNS for each change in your DNS to be effective. If you have a huge TTL value (24 hrs/ 48 hrs), then the TXT Record might not be provided during the verification process. It might take up to 12 - 24 hours for DNS changes to take effect, based on the TTL set. Please check the TTL value using the DNS checker tool and try verifying after a while.
Typos/ Spelling Mistakes
Ensure that the TXT Record value that you enter while configuring SPF is in accordance with the value specified in this help page.