

SPF email authentication




SPF (Sender Policy Framework) is a validation system designed to detect email spoofing: it lets receiving mail exchangers check that incoming mail from a domain was sent from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in that domain's DNS in the form of a specially formatted TXT record. Spam and phishing emails often use forged sender addresses and, because mail servers are designed to flag suspicious incoming mail, SPF is a good mechanism to validate that incoming mail has indeed been sent from the genuine domain.

If you manage your domain's DNS on a nameserver that is configured on your server, you can add an SPF record for your domain in a few ways.

In cPanel you can go to "Mail" > "Email Authentication" and, under the "SPF" section, click the "Enable" button if it's disabled. Once it's enabled, a TXT record containing a basic SPF record is created in the domain's DNS zone. On the "Email Authentication" page you can further change the content of the SPF record by following the instructions in each section; each change updates the TXT record exactly as if you had edited the DNS record directly. In fact, if you left the SPF section on this page disabled and created the SPF record in the DNS zone editor instead, the status would also change to enabled once that record had been created.

As mentioned, you can also create the SPF TXT record by going in cPanel to "Domains" > "Advanced DNS Zone Editor", and you can also create it in WHM > "DNS Functions" > "Edit DNS Zone". If you manage your domain's DNS on an external nameserver, you can of course add the SPF record there.

Wherever you add it, here are a few examples that explain the basics of what the TXT record may contain:

v=spf1 a mx ip4:11.22.33.44 ~all

The above example reflects the basic SPF record that cPanel may create with slight variations when you enable the SPF option in "Email Authentication".

The v=spf1 part is the standard opening that indicates the TXT record is for an SPF record.

"a" allows the IPs that the "A" records in the DNS zone point to, to send mail on behalf of this domain.

"mx" allows the IPs that the "MX" records in the DNS zone point to, to send mail on behalf of this domain.

ip4:11.22.33.44 is an example that allows a specific IP to send mail on behalf of this domain. If the IP were IPv6, it would read, for example, ip6:3483:aa2::ee05:87:9259. A block of IPs can also be given in CIDR notation, like this: ip4:11.22.33.0/24 (an IPv4 prefix length must be between 0 and 32). cPanel usually adds the server's main IP (or the domain IP, depending on server configuration).

Because all the above examples are allowed, they can be preceded by "+" (meaning "pass"). cPanel usually attaches the "+" like this: v=spf1 +a +mx +ip4:11.22.33.44 ~all, but since the default qualifier is "+" it doesn't really matter if you add it or not to indicate pass.

The "~all" means soft fail all others (there's also the option to say "-all", which is the regular fail). In both cases it tells receivers that no host other than the listed ones is allowed to send mail on behalf of the domain.

You don't always have to use the cPanel default record outlined above. The MX record IP and the A record IP of your domain are often the same, and you may just want to use:

v=spf1 ip4:11.22.33.44 ip4:55.66.77.88 ~all

to indicate that you allow the main server IP and the domain IP.

As mentioned in our article about Google Apps, you may also want to allow mail to be sent on behalf of your domain from, for example, all Google mail servers, so you might say:

v=spf1 include:_spf.google.com ip4:11.22.33.44 ip4:55.66.77.88 ~all

This will include all the IPs allowed by the current Google SPF record.

Again, the above are only examples. You may add any host that you want to allow to send mail on behalf of your domain.
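
To see how a receiving server reads such a record, here is a small evaluator for the mechanisms covered above (a, mx, ip4, ip6, include, all). It is an added example, not code from cPanel or from this article. The domain names, the provider name `_spf.mailhost.example` and the `ZONE` table standing in for DNS are constructed assumptions.

```python
import ipaddress

# Constructed zone data standing in for real DNS lookups (all values are examples).
ZONE = {
    ("example.com", "A"): ["11.22.33.44"],
    ("example.com", "MX"): ["55.66.77.88"],  # MX hosts already resolved to IPs
    ("example.com", "TXT"): "v=spf1 a mx include:_spf.mailhost.example ~all",
    ("_spf.mailhost.example", "TXT"): "v=spf1 ip4:192.0.2.0/24 -all",
    ("broken.example", "TXT"): "v=spf1 ip4:11.22.33.44/55 ~all",  # invalid prefix
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip under domain's published record."""
    terms = ZONE.get((domain, "TXT"), "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                      # no SPF record published
    if depth > 10:                         # crude guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:                 # first matching mechanism decides
        qualifier = term[0] if term[0] in RESULTS else "+"  # default is "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(name[2]):
                    return "permerror"     # e.g. an IPv6 address under ip4:
                matched = ip in net
            elif name in ("a", "mx"):
                matched = str(ip) in ZONE.get((arg or domain, name.upper()), [])
            elif name == "include":
                inner = check_spf(arg, sender_ip, depth + 1)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"  # only a pass inside the include matches
            else:
                raise NotImplementedError(term)  # ptr, exists, redirect= not covered
        except ValueError:                 # e.g. an IPv4 prefix longer than /32
            return "permerror"
        if matched:
            return RESULTS[qualifier]
    return "neutral"                       # nothing matched and no "all" term
```

Note that the "-all" inside the included record does not fail the outer check: an include only matches on a pass, so an unlisted sender falls through to the outer "~all" and gets softfail.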
