To prevent fraudulent senders/phishing abuse, you can create what are known as SPF records (sender policy framework) for a domain.
The SPF record of a domain defines which mail servers/IP addresses are allowed to send E-Mails from the particular sender domain. Hostpoint checks the incoming mail servers to see whether or not the criteria of this rule have been met.
How should I use SPF records?
Let’s take the example of the domain name your-own-domain.ch.
The DNS has the following SPF record for this domain:
"v=spf1 mx ip4:217.26.52.22/23 -all"
This record can have the type TXT or SPF.
This authorizes the domain's MX hosts (the «mx» entry) and the mail servers in the subnet 217.26.52.22/23 to send E-Mails with your sender domain @your-own-domain.ch.
This authorization is not checked when the E-Mail is sent but when it is received by the recipient's E-Mail server, for example Hostpoint's incoming mail server.
The receiving server checks whether the mail server that delivered the E-Mail is actually authorized to do so. In other words, the IP address of the delivering mail server is compared with the IP addresses in the SPF record for the domain @your-own-domain.ch.
If there is a mismatch, this means that the mail server with this IP address that just attempted to deliver the E-Mail is not authorized to do so. The E-Mail is therefore rejected by Hostpoint because the actual SPF record clearly specifies that no others are permitted to send E-Mails («-all»).
A frequent problem with GMX
A well-known example of this happens with gmx.ch or gmx.net:
"v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ip4:212.227.15.0/25 ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 -all"
GMX wants its customers to use its own outgoing mail server to send E-Mails. If the customer uses an outgoing mail server other than that of GMX, the SPF check fails at the recipient’s end.
Here, too, the «-all» parameter unambiguously issues the instruction that no other mail servers are permitted to send E-Mails.
Hostpoint rejects the E-Mail in this case. For this reason, please use the outgoing mail server belonging to GMX to send E-Mails from your @gmx.ch or @gmx.net E-Mail accounts.
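The comparison a receiving server makes can be reproduced offline. The following is an added example, not Hostpoint's code: it evaluates the two records quoted above against a connecting IP address. The client addresses are constructed sample values, and the `mx_ips` parameter is an assumption that stands in for the DNS lookup behind the «mx» entry.

```python
import ipaddress

# Records quoted on this page.
OWN = "v=spf1 mx ip4:217.26.52.22/23 -all"
GMX = ("v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ip4:212.227.15.0/25 "
       "ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 -all")

# Qualifier prefix -> SPF result (RFC 7208); a missing prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip, mx_ips=()):
    """Evaluate the ip4/ip6, mx and all terms of one SPF record, left to right.

    mx_ips stands in for the DNS lookup behind the mx mechanism (assumption:
    the caller already resolved the domain's MX hosts), so this runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False: 217.26.52.22/23 has host bits set; the network is .52.0/23
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips)
        elif name == "all":
            matched = True
        else:
            continue  # include, a, exists, redirect: not handled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

if __name__ == "__main__":
    # Client addresses below are constructed sample values.
    print(check_spf(OWN, "217.26.53.10"))                     # inside the /23
    print(check_spf(GMX, "212.227.15.10"))                    # a listed GMX range
    print(check_spf(GMX, "198.51.100.7"))                     # unlisted server
    print(check_spf(GMX.replace("-all", "~all"), "198.51.100.7"))  # relaxed record
```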
How can I ensure that the SPF check returns a positive result?
To ensure that your E-Mails are received by as many hosting providers as possible, we recommend using the outgoing mail server specified by your hosting provider.
Hostpoint customers should use these mail servers.
This will reduce the risk of the E-Mails being blocked by the recipient of your E-Mails due to a failed SPF check.
How can I view an SPF record?
There are various ways to view an SPF record, such as on this website: https://www.kitterman.com/spf/validate.html
or by entering the «dig» command:
dig spf your-own-domain.ch
dig txt your-own-domain.ch
How to read SPF records can be found here.
Problems with forwarders
Forwarders make the path that an E-Mail takes longer. In other words, the message takes a detour through the server set up for the forwarder.
For you, this means that a new mail server (i.e. the mail server set up as the forwarder) delivers the E-Mail instead of the sender’s outgoing mail server.
The problem with this scenario is that the check fails because the IP address of the forwarding server is not listed in the SPF record for the sender domain.
A concrete example:
Sender: an @gmx.ch address
Recipient: an address handled by the mail server myhost.ch, where the forwarder is set up
Forwarding to: an address hosted at Hostpoint
When the E-Mail arrives at Hostpoint, the sender is still an @gmx.ch address, but the mail server that wants to deliver the E-Mail is myhost.ch and does not comply with GMX's SPF record restrictions. In this case, the E-Mail is rejected by us.
What can I or my hosting provider do to resolve the forwarder problem?
We basically offer the following solution approaches:
- The SPF record is «relaxed», for example by replacing the qualifier «-all» with a different qualifier such as «~all», or additional mail servers are added to the record.
Problem: How do we know which recipients are using forwarders? It is virtually impossible to include all of these, and the effort involved with constant updating would be enormous.
- The SPF record is disabled.
Problem: While this would certainly solve the problem, the record was originally set up to prevent phishing/abuse. Disabling the record would also eliminate this desired effect.
- The forwarding mail server should modify the E-Mail by using SRS (Sender Rewriting Scheme).
This way, the check will be passed the next time an E-Mail is received.
As a hosting provider, Hostpoint uses the SRS solution.
You therefore do not have to deal with modifying your address yourself when we forward E-Mails for you. It is done automatically. However, this is only the case if the forwarder is set up with Hostpoint.
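What the forwarder's rewrite looks like, as an added example that is not Hostpoint's implementation: the envelope sender is moved into the forwarder's own domain in the common SRS0 address form, so the next server checks the SPF record of myhost.ch instead of gmx.ch, and a bounce can still be mapped back to the original sender. The address alice@gmx.ch, the key, and the tag length and encoding are assumptions of this example.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-secret"  # placeholder; a forwarder keeps its own key private
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(now):
    # Day counter modulo 1024, written as two base32 characters.
    day = int(now // 86400) % 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(stamp, domain, local):
    # Short keyed hash binding timestamp, original domain and original local part.
    data = f"{stamp}{domain}{local}".lower().encode()
    mac = hmac.new(SECRET, data, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_forward(sender, forwarder_domain, now=None):
    """Rewrite the envelope sender so that it belongs to the forwarder's domain."""
    local, _, domain = sender.rpartition("@")
    stamp = _stamp(time.time() if now is None else now)
    tag = _tag(stamp, domain, local)
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"

def srs_reverse(address):
    """Recover the original sender for a bounce.

    Raises ValueError for addresses this forwarder did not issue, so the
    rewrite cannot be abused as an open relay for forged bounce targets.
    """
    local_part, _, _ = address.rpartition("@")
    # maxsplit=4 keeps any "=" inside the original local part intact.
    prefix, tag, stamp, domain, local = local_part.split("=", 4)
    expected = _tag(stamp, domain, local)
    if prefix.upper() != "SRS0" or not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("not a valid SRS0 address for this forwarder")
    return f"{local}@{domain}"

if __name__ == "__main__":
    rewritten = srs_forward("alice@gmx.ch", "myhost.ch")  # constructed sender
    print(rewritten)
    print(srs_reverse(rewritten))
```

The timestamp is carried in the address but its age is not enforced here; a production forwarder would also reject addresses older than its validity window.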
Are you a Hostpoint customer and would like to set up an SPF record for your domain?
Follow the instructions to add an SPF Record for your domain.