With a SPF (Sender Policy Framework) record you can indicate which IP addresses are allowed to send email for a domain. An SPF record is just a TXT record with a specific structure.
For a domain hosted by Savvii the SPF record could look like:
v=spf1 include:sites.savviihq.com mx ~all
Above text means the following in practice:
- v=spf1 is an indicator for the SPF version being used, for the time being this is always spf1
- mx means that if the domain has got MX records and one of these records points to the sending host. Then the message should be allowed through.
- include:sites.savviihq.com is an instruction to include the contents of the SPF TXT record sites.savviihq.com, meaning it follows the rules in that record as well
- ~all indicates a soft-fail if all of the other rules fail. Most mail servers will still allow the message to pass but they may be marked as spam.
include, mx and all are so-called 'mechanisms', here is a list of relevant mechanisms for your domain:
|ALL||ALL matches everything. Usually it's used at the end of a record as a catch-all for all of the rules that have failed.|
|A||A matches the IP address of the sender with the A and AAAA records for the domain.|
|IP4||ip4:192.0.2.234 matches if the sender has that given IP address. This can also be configured as a range by using CIDR notation (ex. ip4:192.0.2.0/24)|
|IP6||ip6:2001:db8::1 matches if the sender has that given IP address. This can also be configured as a range by using CIDR notation (ex. ip6:2001:db8::/32)|
|MX||MX matches the IP address of the sender with the MX records for the domain|
|INCLUDE||include:sites.savviihq.com references another SPF record and includes all of the rules contained within. However, if the included SPF rules fail processing of the rules in the main SPF record continues and those rules take precedence.|
Every mechanism can be combined with a qualifier. The qualifier indicates what a mail server should do if a rule matches
|+||If a matching mechanism has a + the messages gets a PASS result. By default any mechanism you add to your record implicitly has a +. For example 'a' and '+a' mean the same thing.|
|?||If a matching mechanism has a ? the message gets a NEUTRAL result, this is only for debugging because it doesn't determine whether the message should be failed or passed.|
|~||If a matching mechanism has a ~ the message gets a SOFTFAIL result. Most mail servers will allow the message but flag it as potential spam.|
|-||If a matching mechanism has a - the message gets a FAIL. According to specifications the mail server should bounce the message. This is usually used as a final rule in combination with the ALL mechanism as '-all' which means that if none of the rules PASS the message, block it.|
If you're hosting with Savvii, unless you've set your own mail services, your mail gets routed through Mailchannels. You could save 1 DNS lookup by including the mailchannels SPF record directly and bypassing ours completely:
v=spf1 include:relay.mailchannels.net ~all
If you do decide to use this optimization you will have to update your record again if we ever switch outgoing mail filters. Of course we will make sure to send out an update when this happens. With our include:sites.savvihq.com this won't be a problem but it does cause 1 extra lookup where the current SPF guidelines gives you a maximum of 10 lookups in total.