Overview
You may be receiving spam in which the sender is shown as an address in your own domain. In this case, the recommended solution is to add an SPF record for your email domain. Sender Policy Framework (SPF) is an open standard that works like Caller ID for email.
This will ensure that spammers won't spoof your email domain when sending email to your Kerio Connect. It will also prevent spoofing of your domain for messages sent to other email servers that perform lookups against the SPF record.
This article explains how the SPF records should be created and other relevant considerations for this scenario.
Diagnosis
Consider an example using the domain example.com. The outgoing Kerio Connect server for this domain is mail.example.com, which resolves to 1.1.1.1 (a dummy IP used for illustration purposes). We want any email containing example.com in the From header and the SMTP envelope to be refused unless it was sent from 1.1.1.1.
This will require a special DNS configuration called a TXT record. Note that many DNS hosting providers may not support the configuration of such records. If you do not host your DNS, you will need to contact your DNS hosting provider (usually the domain registrar) to find out if they will support the configuration of TXT type DNS records.
Solution
Given an outgoing IP of 1.1.1.1, the SPF record would be created exactly this way:
SPF:
v=spf1 mx ip4:1.1.1.1 -all
If your server supports IPv6, the record can be modified to check the IPv6 address:
v=spf1 mx ip4:1.1.1.1 ip6:2a03:b0c0:2:d0::607:4001 -all
Note: for your email domain, replace the IP address with the outgoing IP address of your Kerio Connect.
SPF:
ip4:1.1.1.1 ip4:2.2.2.2
Important Considerations
If you have created your own SPF record using the SPFWizard, you will probably have ~all at the end of the line. You will need to change this to -all to force a hard failure, as Kerio Connect may not always block a soft fail (depending on your version). For more information, please refer to Changes In How Kerio Connect Handles SPF - SoftFail.
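The following added example (not Kerio Connect's code and not part of the original article) shows how a receiver evaluates the record from the Solution section, and why ~all and -all give different results for an unauthorized sender. The function name evaluate_spf and the mx_ips parameter are assumptions: mx_ips stands in for the DNS lookup of the domain's MX hosts so the code runs offline, and only the ip4, ip6, mx and all mechanisms are handled.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a bare mechanism means "+".
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# HARD is the article's record; SOFT is the same record with the ~all
# ending the article warns about (constructed for comparison).
HARD = "v=spf1 mx ip4:1.1.1.1 -all"
SOFT = "v=spf1 mx ip4:1.1.1.1 ~all"


def evaluate_spf(record, sender_ip, mx_ips=()):
    """Evaluate a simplified SPF record against the connecting IP.

    mx_ips (hypothetical parameter) lists the addresses the domain's MX
    hosts resolve to, replacing the live DNS lookup a real checker does.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a) for a in mx_ips)
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            # First matching mechanism decides the result.
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # 203.0.113.50 is a constructed, unauthorized sender address.
    for rec in (HARD, SOFT):
        for ip in ("1.1.1.1", "203.0.113.50"):
            print(f"{rec!r:32} {ip:14} -> {evaluate_spf(rec, ip, ['1.1.1.1'])}")
```

With -all the unauthorized address yields fail, which a receiver can reject outright; with ~all it yields softfail, which the receiver may still accept.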
Users outside of your network won't be able to relay email through the outgoing SMTP server of their ISP if they are sending emails from the email domain configured with an SPF record. External users should always use the Kerio Connect hosting their email domain for sending outgoing email. Some service providers may block the SMTP protocol (TCP port 25). In this case, you may specify an additional port for the SMTP service.
Testing
You may verify your records using the following command:
dig txt example.com +short
Note: please replace the domain with your own Kerio Connect domain.
Alternatively, you can use the SPF checker from Scott Kitterman or Open-SPF email testers.