Consolidating several SPF records into one

The SPF (Sender Policy Framework) specification allows only one SPF TXT record per domain name. If you already have a TXT record with SPF information set up for your domain name, you will need to customize it following specific syntax rules. Here are some basic mechanisms that may come in handy.


1. Allow any other domains/subdomains to send mail on behalf of your domain.

In order to add other domain names or hostnames that may send or relay mail for your domain, use the mechanism ‘a:’ and separate the list with spaces, for example:

"v=spf1 a:example.com a:sub.example.net -all"



In other words, if the example.com domain resolves to 1.2.3.4 and the subdomain sub.example.net resolves to 5.6.7.8, these IP addresses are allowed to send mail for your domain name.


2. Allow specific IP addresses to send mail on behalf of your domain.

If you need to authorize a list of IP addresses that can send mail for your domain name, use the mechanisms ‘ip4’ and ‘ip6’ for IPv4 and IPv6 addresses respectively and separate them with spaces, for example:

"v=spf1 ip4:64.233.167.99 ip6:1080::8:800:200C:417A -all"




A range of IP addresses may be published in CIDR notation with a slash, e.g., 192.168.1.14/32, like "v=spf1 ip4:192.168.1.0/28 ip6:1080::8:800:200C:417A/96 -all". The prefix length after the slash cannot exceed 32 for ip4 or 128 for ip6.





3. Allow a third-party service to handle mail for your domain.

If you send mail through a different domain name, e.g., your mail service company, you may pull in its SPF record using the mechanism ‘include’, for example:

"v=spf1 include:spf.mandrillapp.com include:spf.google.com -all"



4. Consolidating the Private Email SPF record with different services

If your domain name is configured with the Namecheap Private Email service and you would also like to use another service that comes with its own SPF record, you need to consolidate both SPF records into one.

NOTE: If the domain name is set up with BasicDNS, FreeDNS, or PremiumDNS and has "Private Email" selected from the Mail settings on the Advanced DNS tab, the SPF record is configured automatically. Thus, it won't be visible in the list of DNS records on the Advanced DNS page.
In this scenario, to add a consolidated SPF record you should create a new entry with the consolidated value.

The Private Email SPF record has the following value: "v=spf1 include:spf.privateemail.com ~all". As an example, we'll take our WordPress Hosting service, which has the following SPF record: "v=spf1 include:spf.easywp.com ~all".

If the domain name is already configured with the Private Email service, you need to add the value of the Managed WordPress SPF record to the existing SPF record. Here is how the value should look: "v=spf1 include:spf.privateemail.com include:spf.easywp.com ~all"



Now, for example, we will take our Private Email service and a third-party Mimecast service that provides email management features where the SPF record has a strict “all” mechanism: v=spf1 include:_netblocks.mimecast.com -all

Should we use the “~all” or “-all” mechanism?
When an SPF record includes ~all (soft fail qualifier), receiving servers typically accept messages from senders that aren't in your SPF record, but mark them as suspicious. When an SPF record includes -all (fail qualifier), receiving servers may reject messages from senders that aren't in your SPF record.

The combined SPF record will be: v=spf1 include:spf.privateemail.com include:_netblocks.mimecast.com -all
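
The consolidation described above can also be done programmatically. The following Python function is an added example, not Namecheap's own tooling: it merges several SPF values into one, removes duplicate terms, rejects impossible ip4/ip6 prefixes and an "all" glued to the previous term, and counts the DNS-querying terms against the limit of 10 set by RFC 7208. The name `merge_spf` and the default of keeping the strictest "all" qualifier are assumptions of this example.

```python
import ipaddress
import re

# Terms that cost one DNS query each; RFC 7208 caps the total at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# "all" qualifiers from most permissive to strictest.
ALL_ORDER = ["+all", "?all", "~all", "-all"]


def merge_spf(records, final_all=None):
    """Merge SPF TXT values into one record; returns (record, lookup_count)."""
    terms, alls = [], []
    for rec in records:
        parts = rec.strip().strip('"“”').split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in parts[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"
            bare = term.lstrip("+-~?").lower()
            if bare == "all":
                alls.append(qual + "all")
                continue
            if bare.endswith(("-all", "~all", "?all", "+all")):
                raise ValueError(f"missing space before 'all' in {term!r}")
            if bare.startswith(("ip4:", "ip6:")):
                # ip_network() rejects impossible prefixes such as an IPv4 /33.
                net = ipaddress.ip_network(bare[4:], strict=False)
                if net.version != int(bare[2]):
                    raise ValueError(f"address family mismatch in {term!r}")
            if term not in terms:  # drop duplicates, keep first-seen order
                terms.append(term)
    if final_all is None:
        # Assumption of this example: keep the strictest qualifier seen.
        final_all = max(alls or ["~all"], key=ALL_ORDER.index)
    # Counts only this record's own terms; lookups nested inside each
    # include target also count toward the receiver's limit.
    lookups = sum(
        re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] in LOOKUP_TERMS
        for t in terms
    )
    if lookups > 10:
        raise ValueError(f"{lookups} DNS-querying terms exceed the limit of 10")
    return " ".join(["v=spf1", *terms, final_all]), lookups


if __name__ == "__main__":
    # Constructed inputs using the two records quoted in the article.
    print(merge_spf(["v=spf1 include:spf.privateemail.com ~all",
                     "v=spf1 include:_netblocks.mimecast.com -all"]))
```

Pass `final_all="~all"` to keep a soft fail while a new sending service is still being tested.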




That's it!

If you have any questions, feel free to contact our Support Team.
