The SPF (Sender Policy Framework) Record allows the domain owner to designate the servers (IP addresses) that are allowed to send email from that domain.
SPF restricts the envelope sender, not the domain in the header of the letter.
To limit forgery of the header, DMARC policy must be activated.
When SPF is activated in Zone, a TXT record is added to the DNS records which allows email to be sent from all Zone servers: Outgoing email (SMTP), webmail, mailing lists and web servers.
Additionally, sending email from our servers with correct A or MX records is allowed by default. Sending email from other servers (e.g. MailChimp, Smaily) is not allowed.
You can manually add the required TXT records for other mail service providers via self-service by using their given instructions.
SPF can be activated by navigating to server management: “E-mail” -> “DKIM / SPF / DMARC”.
By default the added SPF Record is:
domeen.ee. 3600 IN TXT "v=spf1 a mx include:_spf.zone.eu -all"
include:_spf.zone.eu means that sending is allowed from all Zone IPv4 and IPv6 addresses. This ensures that when sending out emails from Zone servers, the SPF Record is always correct.
An SPF entry can have four different qualifications. This determines how strict the SPF Record is. These are:
+ or PASS (allowed). This is not important, for example +MX is the same as regular MX.
? or NEUTRAL. This is essentially the same as none (deactivated).
~ (tilde) or SOFTFAIL. This means that emails do not need to be rejected, but should be marked as spam.
– (minus) or FAIL. With minus rules, mail servers should not accept mail. However, since some servers misdirect emails, which can break the SPF record and emails may not reach the intended recipient, most servers will still accept emails even with the -all policy. Such mail will be marked or moved to the spam folder. This is the default setting for Zone.
If you want to make the SPF more lenient, you need to change the -all at the end of the record to ~all.
| Zone | include:_spf.zone.eu |
| Google GSuite | include:_spf.google.com |
| Microsoft Outlook.com | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| Mandrill | include:spf.mandrillapp.com |
| Sendgrid | include:sendgrid.net |
| Smaily | include:_spf.smaily.com |
| Amazon SES | include:amazonses.com |
| Zendesk | include:mail.zendesk.com |
| Mailgun | include:mailgun.org |
| Mailjet | include:spf.mailjet.com |
| SMTP2go | include:spf.smtp2go.com |
| Directo ERP | a:directo.gate.ee |
| Excellent Standard Book | a:smtp2.excellent.ee |
| Telia MLX | _spf.mlxplus.com |
| mail.neti.ee | include:_netblocks.neti.ee |
| veebimajutus.ee / Elkdata | include:mail.spf.elkdata.ee |
| Radicenter | include:_spf.radicenter.eu |
For example, if you use Zone for your email, MailChimp for your newsletters and Directo for your accounting software, you should create the following SPF Record:
v=spf1 a mx include:_spf.zone.eu include:servers.mcsv.net a:directo.gate.ee -all
The SPF Record can also be manually managed from server management, “DNS server” -> “TXT”. If only have a domain with us then the SPF Record can be configured via domain management by selecting “DNS Records”.
You can check the functionality of an SPF record by using the MXToolbox tool. Type in the desired domain name in the “Domain Name” field and click “SPF Record lookup”.