SPF is a system which authenticates IP adresses and reverse lookup domain names of SMTP clients which are allowed to send email for a given domain. So you have to make sure your SPF record contains all IP addresses or ranges that might be used to send mail on your behalf. For example your home IP address, your webserver IP address if you are sending mails from it and probably the IP addresses of the relayhosts of your ISP.

You can use the SPF wizard at [openspf.org...] to generate your own SPF record.

But what if my ISP uses dynamic IP which changes everyday?

You say I can set a range so could I set something like 86-88.nnn.nnn.nnn?

BTW, is there a noddy guide to SPF? I read the guide and tried to use the wizard on the openspf.org site but it's a bit too techie to understand.

[edited by: Frank_Rizzo at 9:33 am (utc) on Sep. 27, 2006]

I think you are misunderstanding how SPF is used. It has nothing to do with email addresses. A server using SPF to validate your mail doesn't care if it comes from "admin" or "info".

What it does care about is the IP address of the server where the mail originated. Note I say the SERVER where the mail originated. It doesn't care about the IP address of your workstation or of your webserver. (Caveat on the latter - unless your SMTP server is running on the same IP address.)

When you send mail from your PC, you are NOT sending it directly to the destination. You are sending it to an SMTP server typically located at your ISP. The SMTP server then delivers it on your behalf. THIS is the address that you need to list in your SPF record.

(Note that many email clients CAN bypass SMTP and deliver directly to the destination. However, this is NOT a common default set-up, and in most cases will NOT WORK because many ISPs block port 25 going anywhere but their relay server, and because broadband and dialup IP addresses are on spam blacklists.)

You'll also need to determine the IP address (or name) of the SMTP server used to send mail from your website.

You list these two addresses in your SPF record. This says these are the two legitimate places where your mail could originate. Mail from anywhere else will be discarded.

Some ISPs will discard ANY mail if there is no SPF record - which is a good reason to set-up an SPF record!

Ok, let's deal with this one at a time :-)

Email Client
------------
I use thunderbird to send mail for info@widgets.co.uk this mail is sent via my ISP myisp.co.uk

I have it setup that myisp allows me to send mail from widgets.co.uk (a year ago had to request this facility from myisp).

I send a test message to one of my test / free_acme accounts. Here's the header received.

--------------------------------------

Return-Path: <info@widgets.co.uk>
Received: from mwinf1111.me.free_acme.com (mwinf1111.me.free_acme.com)
by mwinb3002 (SMTP Server) with LMTP; Wed, 27 Sep 2006 20:51:57 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: test@mytest.free_acme.co.uk
Received: from me-free_acme.net (localhost [127.0.0.1])
by mwinf111.me.free_acme.com (SMTP Server) with ESMTP id 456631C00BED
for <test@mytest.free_acme.co.uk>; Wed, 27 Sep 2006 20:51:57 +0200 (CEST)
Received: from abc123.myisp.com (abc123.myisp.com [194.nnn.nnn.nnn])
by mwinf111.me.free_acme.com (SMTP Server) with ESMTP id 2E53E1C00BE7
for <test@mytest.free_acme.co.uk>; Wed, 27 Sep 2006 20:51:57 +0200 (CEST)
X-ME-UUID: 20060927185157189.2E53E1C00BE7@mwinf111.me.free_acme.com
Received: from [86.nnn.nnn.nnn] (host86-nnn-nnn-nnn.range86-142.myisp.com [86.nnn.nnn.nn])
by abc123.myisp.com (MOS 3.7.4b-GA)
with ESMTP id BCX97395;
Wed, 27 Sep 2006 19:46:29 +0100 (BST)
Message-ID: <451AC855.8030702@widgers.co.uk>
Date: Wed, 27 Sep 2006 19:52:05 +0100
From: Flatstats <info@widgets.co.uk>
Reply-To: info@widgets.co.uk
Organization: widgets.co.uk
User-Agent: Thunderbird 1.5.0.4 (Windows/20060506)
MIME-Version: 1.0
To: test@mytest.free_acme.co.uk
Subject: test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-me-spamlevel: not-spam
X-me-spamrating: 0.497187
X-Antivirus: AVG for E-mail 7.1.407 [268.12.9/457]

--------------------------------

client email (website): info@widgets.co.uk
client PC ISP: myisp
receiving ISP: free_acme

So I guess I need to add the IP of myisp to the spf record. I presume this is: abc123.myisp.com [194.nnn.nnn.nnn]. But does this IP change?

[edited by: Frank_Rizzo at 7:06 pm (utc) on Sep. 27, 2006]

Here's the test sent from the server:

-------------------------

Return-Path: <info@widgets.co.uk>
Received: from mwinf1111.me.free_acme.com (mwinf1111.me.free_acme.com)
by mwinb3002 (SMTP Server) with LMTP; Wed, 27 Sep 2006 20:53:25 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: test2@mytest.free_acme.co.uk
Received: from me-free_acme.net (localhost [127.0.0.1])
by mwinf1111.me.free_acme.com (SMTP Server) with ESMTP id B9B031C00C1D
for <test2@mytest.free_acme.co.uk>; Wed, 27 Sep 2006 20:53:25 +0200 (CEST)
Received: from widgets.co.uk (unknown [85.nnn.nnn.nnn])
by mwinf1111.me.free_acme.com (SMTP Server) with ESMTP id AC13F1C00C10
for <test2@mytest.free_acme.co.uk>; Wed, 27 Sep 2006 20:53:25 +0200 (CEST)
X-ME-UUID: 20060927185325705.AC13F1C00C10@mwinf1111.me.free_acme.com
Received: by widgets.co.uk (Postfix, from userid 500)
id 11FCFA50132; Wed, 27 Sep 2006 19:53:24 +0100 (BST)
To: test2@mytest.free_acme.co.uk
Subject: test
Message-Id: <20060927185325.11FCFA50132@widgets.co.uk>
Date: Wed, 27 Sep 2006 19:53:24 +0100 (BST)
From: info@widgets.co.uk (widgets)
X-me-spamlevel: not-spam
X-me-spamrating: 53.570959
X-Antivirus: AVG for E-mail 7.1.407 [268.12.9/457]

-----------------------

This time I just add the IP of the server which the mail is running on: 85.nnn.nnn.nnn

BTW, why does it say unknown? Should that be corrected?

Received: from widgets.co.uk (unknown [85.nnn.nnn.nnn])

abc123.myisp.com and widgets.co.uk are the server addresses that need to be put in your SPF record. There's no reason for these IP addresses to change, but that's irrelevant - you will be listing their domain names, not their IP addresses.

I ran the wizard on the spf site. This was generated:

"v=spf1 a mx include:myisp.com ~all"

---------------

Should widgets.co.uk be in there somewhere?

On the wizard it says:

Could mail from widgets.co.uk originate through servers belonging to some other domain? If you send mail through your ISP's servers, and the ISP has published an SPF record, name the ISP here.

For this I entered myisp.com and not abc123myisp.com.

I also ran the Microsoft SPF wizard and it generated this:

v=spf1 a mx mx:mail.widgets.co.uk +all

[edited by: Frank_Rizzo at 11:21 am (utc) on Sep. 28, 2006]

You should wind-up with something like this:

"v=spf1 a:widgets.co.uk include:myisp.com ~all"

This says:

- You may send mail through myisp.com. The "include" directive tells SPF to look at myisp.com's SPF record for details.

- You may send mail from the server at widgets.co.uk

- You don't send mail from any other server (~all)

That looks more like it. I'll give that a try.

Many thanks for your assistance.

dupl.

[edited by: Frank_Rizzo at 5:31 pm (utc) on Oct. 1, 2006]

How long does the DNS system take to update? I added the TXT string to my DNS control panel (third party service) which was accepted. But running an spf test says no spf record for site.

The DNS control panel looks like this:

NAME, TYPE, CONTENT
-------------------
@ A nnn.nnn.nnn.nnn
ftp CNAME widgets.co.uk
mail A nnn.nnn.nnn.nnn
spf TXT v=spf1 a:widgets.co.uk include:myisp.com ~all
www A nnn.nnn.nnn.nnn

I try a couple of spf queery tests and get back:

"No TXT records found for your domain."

I mailed the support for the DNS site but no reply after two days.

For the record I had a mistake with the

spf TXT ... line.

Googling found a list of DNS providers which allow spf TXT features. There was a specific anomaly with my DNS provider which mean that what I needed to do was add:

@ TXT v=spf1 a:widgets.co.uk include:myisp.com -all

-------

There is still a problem with the include:myisp.com. An spf queery returns:

evaluating...
Results - PermError SPF Permanent Error: No valid SPF record for included domain: myisp.com: include:myisp.com

[edited by: Frank_Rizzo at 8:19 pm (utc) on Oct. 1, 2006]

I was wondering about that "@" syntax...

Try with quotes:

@ TXT "v=spf1 a:widgets.co.uk include:myisp.com -all"

or alternately:

@ TXT "v=spf1 a mx include:myisp.com -all"

Jim

No valid SPF record for included domain: myisp.com: include:myisp.com

Sounds like your ISP doesn't have an SPF record. You should get on them about it, but in the mean time, you'll have to just add their SMTP server(s) explicitly, rather than relying on an include of their SPF record.

How long does the DNS system take to update?

On average, TTL/2. Maximum, TTL. TTL ("time to live") is a value that YOU set. (Unless you just let it default.) You are in complete control of "how long the DNS system takes to update".

It can be useful to make TTL smaller in advance of a known DNS change, then increase it once the change is live.