Configuring SPF for

As of last week, the domain is now configured with a Sender Policy Framework (SPF) DNS record. This is a special type of DNS record which identifies which mail servers are allowed to send mail on behalf of users.

The aim of SPF is to prevent the unauthorised impersonation of users, a tactic frequently used by spammers. In practice it is not reliable because it can cause problems for a number of legitimate use cases related to mail forwarding, including mailing lists. In fact, Google explicitly recommends configuring an SPF record for “soft” failure rather than hard failure because of these issues.

The record was easy to setup once I realised which servers I needed to include. I send mail from directly via, which is a CNAME to another system, and occasionally from Gmail’s web interface. Google have clear instructions on how to permission the latter but use of CNAMEs in SPF is discouraged to prevent receiving servers needing to perform an excessive number of DNS lookups so it is necessary to hardcode the name of the target of the CNAME. There is a risk the two can become out of sync but hopefully this is mitigated by the proximity of the two records in the BIND file. You can query the current record using your favourite DNS client but for the record the initial setup is:

; SPF record  IN TXT "v=spf1 mx ~all"

The result is that Gmail can now successfully authenticate me as a sender and for many users no longer shows a red question mark next to my name. Some experimentation has shown that the red question mark can still be present where I have emailed and he or she forwards to a Gmail account because is not authorised to send mail on behalf of This is actually the no worse than those users experienced prior to the configuration of the SPF record and some quick research turned up some forum posts that indicate there are potentially steps email forwarding services can do to mitigate this, although it was not clear whether the mitigation was feasible and/or effective.

Leave a Reply