Sender Policy Framework (SPF) and Sender Rewrite Schema (SRS)

To prevent fraudulent senders/phishing abuse, you can create what are known as sender policy framework (SPF) records for a domain. The SPF record of a domain defines which mail servers/IP addresses are allowed to send e-mails from the particular sender domain. Hostpoint's incoming mail servers check whether or not the criteria of this rule have been met.

How should I use SPF records?

Let’s take the example of the domain name your-domain.ch.

The DNS has the following SPF record for this domain: 

 "v=spf1 mx ip4:217.26.52.22/23 -all"

This record can have the type TXT or SPF.

This authorizes the mail server above in the subnet 217.26.52.22/23 to send e-mails with your sender domain @your-domain.ch.

This authorization is not checked when the e-mail is sent but when it is received by the recipient's e-mail server, for example Hostpoint's incoming mail server.

The receiving server checks whether the mail server that delivered the e-mail is actually authorized to do so. In other words, the IP address of the delivering mail server is compared with the IP addresses in the SPF record for the domain @your-domain.ch.

If there is a mismatch, this means that the mail server with this IP address that just attempted to deliver the e-mail is not authorized to do so. The e-mail is therefore rejected by Hostpoint because the actual SPF record clearly specifies that no others are permitted to send e-mails (‘-all’). 

A frequent problem with GMX

A well-known example of this happens with gmx.ch or gmx.net: 

"v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26  ip4:212.227.15.0/25
ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 -all"

GMX wants its customers to use its own outgoing mail server to send e-mails. If the customer uses an outgoing mail server other than that of GMX, the SPF check fails at the recipient’s end.

Here, too, the ‘-all’ parameter unambiguously issues the instruction that no other mail servers are permitted to send e-mails.

Hostpoint rejects the e-mail in this case. For this reason, please use the outgoing mail server belonging to GMX to send e-mails from your @gmx.ch or @gmx.net e-mail accounts. 

How can I ensure that the SPF check returns a positive result?

To ensure that your e-mails are received by as many hosting providers as possible, we recommend using the outgoing mail server specified by your hosting provider.

Hostpoint customers should use these mail servers.

This will reduce the risk of the e-mails being blocked by the recipient of your e-mails due to a failed SPF check. 

How can I view an SPF record?

There are various ways to view an SPF record, such as on this website:

or by entering the ‘dig’ command: 

dig spf your-own-domain.ch
dig txt your-own-domain.ch

You can find out how to read SPF records here.

Problems with forwarders

Forwarders make the path that an e-mail takes longer. In other words, the message takes a detour through the server set up for the forwarder. For you, this means that a new mail server (i.e. the mail server set up as the forwarder) delivers the e-mail instead of the sender’s outgoing mail server. The problem with this scenario is that the check fails because the IP address of the forwarding server is not listed in the SPF record for the sender domain.

A concrete example: 

Sender: your.name@gmx.ch
Recipient: your.name@myhost.ch
Forwarded to: your.name@my-hostpoint-domain.ch

When the e-mail arrives at Hostpoint, the sender is still a @gmx.ch address, but the mail server that wants to deliver the e-mail is myhost.ch, which does not comply with the restrictions of GMX's SPF record. In this case, the e-mail is rejected by us.

What can I or my hosting provider do to resolve the forwarder problem?

We basically offer the following solution approaches:

  • The SPF record is “relaxed”, for example by replacing the qualifier ‘-ALL’ with a different qualifier ‘~ALL’, or by adding additional mail servers to the record.
    Problem: How do we know which recipients are using forwarders? It is virtually impossible to include all of these, and the effort involved with constant updating would be enormous.
  • The SPF record is disabled.
    Problem: While this would certainly solve the problem, the record was originally set up to prevent phishing/abuse. Disabling the record would also eliminate this desired effect.
  • The forwarding mail server modifies the e-mail by using the sender rewrite schema (SRS). This way, the check will be passed the next time the e-mail is received.

As a hosting provider, Hostpoint uses the SRS solution. You therefore do not have to deal with modifying your address yourself when we forward e-mails for you. It is done automatically. However, this is only the case if the forwarder is set up with Hostpoint. 
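
What the rewrite does to the sender address in the forwarding example above, as an added Python sketch (not Hostpoint's implementation). It follows the common SRS0 address layout, in which the forwarder rewrites the envelope sender into its own domain; the secret, the day number, and the hash length and encoding are assumptions of this example.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"        # constructed; a forwarder keeps its key private
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DAY = 16868                                # constructed day number (days since 1970-01-01)


def _stamp(day: int) -> str:
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _tag(stamp: str, domain: str, local: str) -> str:
    """Short keyed hash binding timestamp and original address together."""
    msg = f"{stamp}{domain}{local}".lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(sender: str, forwarder_domain: str, day: int) -> str:
    """Rewrite the envelope sender into the forwarder's own domain."""
    local, _, domain = sender.rpartition("@")
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(address: str, day: int, max_age: int = 21) -> str:
    """Recover the original sender for a bounce, rejecting forged or old tags."""
    parts = address.rpartition("@")[0].split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, tag, stamp, domain, local = parts
    if not hmac.compare_digest(tag, _tag(stamp, domain, local)):
        raise ValueError("hash mismatch")
    issued = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    if (day - issued) % 1024 > max_age:
        raise ValueError("timestamp expired")
    return f"{local}@{domain}"


def spf_domain(envelope_sender: str) -> str:
    """Domain whose SPF record the next receiving server looks up."""
    return envelope_sender.rpartition("@")[2]


if __name__ == "__main__":
    rewritten = srs_forward("your.name@gmx.ch", "myhost.ch", DAY)
    print(rewritten, "-> SPF checked against", spf_domain(rewritten))
    print("bounce goes back to", srs_reverse(rewritten, DAY))
```

After the rewrite the next receiving server checks the forwarder's own SPF record (myhost.ch in the example) instead of GMX's, and the keyed hash stops third parties from using the forwarder to relay bounces to arbitrary addresses.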

I would like to create an SPF record for my own domain

Are you a Hostpoint customer and would like to set up an SPF record for your domain? We will be glad to help you with this.

Here is our SPF record: 

your-own-domain.ch. 300 IN TXT "v=spf1 redirect=spf.mail.hostpoint.ch"

Our support team will be happy to help you complete the procedure.

For questions regarding SPF and SRS, please contact our support team by e-mailing support@hostpoint.ch or calling 0844 04 04 04. 

Last modified
02:04, 8 Mar 2016
