Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to properly set up DNS SPF records?

I'm sending weekly emails to subscribers and it turns out that messages are frequently going to the spam folder for users.

I'm utilizing Amazon SES to send these messages and have added an SPF record according to their instructions: http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPFSenderIDDKIM.html?r=3917

In querying the SPF records for my domain I get the following back from http://www.kitterman.com/spf/validate.html:

SPF record lookup and validation for: mydomain.tld  SPF records are primarily published in DNS as TXT records.  The TXT records found for your domain are:   SPF records should also be published in DNS as type SPF records. Type SPF records found for the domain are:   Checking to see if there is a valid SPF record.   Found v=spf1 record for mydomain.tld:  v=spf1 include:amazonses.com ?all   evaluating... Results - record processed without error.  The result of the test (this should be the default result of your record) was, none . The explanation returned was, 

For my CloudFlare DNS records I have:

SPF  mydomain.tld   v=spf1 include:amazonses.com ?all   with automatic TTL TXT  mydomain.tld   spf2.0/pra include:amazonses.com ?all   with automatic TTL 

The emails are being sent from "[email protected]" and "[email protected]".

Some users have reported seeing the following message: "Messages that falsely appear to be a "bounced message" response (a system-generated email that you might automatically get after sending a message that can't be delivered such as a message sent to an invalid email address)"

With my current sending solution I can't add a DKIM to the emails.

How can this be resolved so as to ameliorate any kind of receipt issues for our users?

like image 477
ylluminate Avatar asked Mar 20 '12 09:03

ylluminate


People also ask

What should I put in my SPF record?

If you're not sure what these services are, review Identify all email senders for your organization, in Before you set up SPF. Your SPF record should include a reference to Google Workspace, and to the domains and IP addresses of all servers or services that send mail for your domain.

How many SPF records can be placed in a DNS?

For SPF authentication to pass, all these conditions must be met: you have exactly 1 SPF record on your domain; the record's syntax is correct; the total number of DNS lookups can't exceed 10.


1 Answers

There are no valid TXT records for your domain (notice that the test doesn't return any, see below for a working example), which is caused by missing quotes around those TXT records you defined, as explained e.g. in Record Types Supported:

Unlike with most other record types, for TXT records the Data field is essentially free-form and may even include spaces. Please note: When entering a string that includes spaces, such as SPF records, you must enclose the string in double quotes; otherwise, individual words will be separately quoted and break up the record into multiple parts.

Here are the TXT records we currently use successfully for Amazon SES as per Authenticating Your Email Address and (it's indeed unfortunate that their documentation doesn't address the quoting needs):

"v=spf1 include:amazonses.com ~all" "spf2.0/pra include:amazonses.com ~all" 

Accordingly, here is our domain's abbreviated result for the test you have been running:

SPF record lookup and validation for: [...]  SPF records are primarily published in DNS as TXT records.  The TXT records found for your domain are: spf2.0/pra include:amazonses.com ~all  v=spf1 include:amazonses.com ~all   [...]  Checking to see if there is a valid SPF record.   Found v=spf1 record for services.marescom.net:  v=spf1 include:amazonses.com ~all  
like image 177
Steffen Opel Avatar answered Oct 09 '22 00:10

Steffen Opel