How To Configure Zimbra SPF for Outgoing Emails?

SPF or Sender Policy Framework is an email authentication method that identifies which mail servers are allowed to send emails on behalf of your domain. I can forge an email header to pretend it has been sent from an address on your domain which is called a spoofing attack. SPF record contains information of only mail servers that are allowed to send emails on behalf of your domain and prevents spammers like me from spoofing your domain. It can be done by comparing the SPF record with the mail server information of the sender. If they don’t match, the email will be identified as unauthorized and will send it to spam or reject completely.

How to Configure SPF for Outgoing Emails

Configuring SPF for outgoing emails will increase the email reputation of your emails since the receiving server would be able to verify your email SPF record.

To set up SPF for outgoing emails you need first to create the SPF rule then add it to your DNS.

1. Create your SPF rule

  • Start with the SPF version, for example, v=spf1 for version 1.
  • Add all IP addresses that are authorized to send emails on your behalf, for example, v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
  • Include tag for every third-party organization that is used to send emails on your behalf, like include:thirdpartydomain.com, alternatively, ignore the include tag if there is no third-party organization.
  • End your rule with an ~all, -all, or +all tag. The -all tag means fail (servers that aren’t listed in the SPF record are not authorized to send emails). The ~all means softfail (If the email is received from a server that isn’t listed, the email be accepted but marked), the +all allows any server to send email from your domain (which should never be used).
    • For example, if you want only your cloud server (incoming mail exchange (MX)) and no other mail servers to be authorized your rule would be v=spf1 mx -all, if you want your cloud server and Microsoft Exchange Online mail server but no other mail servers to be authorized your rule would be v=spf1 include:spf.protection.outlook.com -all. If you are using external services like Mailchimp, Salesforce, Google Apps, etc. add them in the include part, for example, include:servers.mcsv.net for Mailchimp, include:_spf.salesforce.com for Salesforce include:_spf.google.com for Google Apps.

2. Add your SPF rule to the DNS

  • Access your DNS provider, for example, GoDaddy, Network Solutions, etc.
  • Access your DNS Management or something like name server management.
  • Add a new TXT entry.
  • Set the Record Type to TXT.
  • Insert @ in the Hostname field to map the record directly to your domain name.
  • Insert the created SPF rule in the TXT Value field.
  • Assign the Time to Live (TTL), for example, let’s use 3600s.
  • Save the entry.

How to Verify Your SPF

The next step would be testing your SPF to see if it works. To do so, please see How to Verify Your SPF Record.

Product marketing and technical writer at Zextras, an open-source and technology enthusiast who creates instructional and technical articles about Zextras and Zimbra.

Post your comment