Setting Up SPF and Sender ID in Google Apps

I use Google Apps for Your Domain (GAFYD) for my email, both my personal email and as email for the websites I run. I decided it was finally time to set up Sender Policy Framework (SPF) records and Sender ID. For differences between SPF and Sender ID you can read this. While they aren’t the same, the syntax is similar enough that the steps for setting up each are identical for our purposes.

What is SPF? From the OpenSPF website:

Even more precisely, SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record in the domain’s DNS zone, and when someone else’s mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain’s stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake.

What is Sender ID? From Microsoft’s Sender ID page:

The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail messages are sent.

It’s important to note that while I have my own domains, none of my servers send email; everything I send is from an email client. I don’t need to configure any other servers, just Google’s. So I can use Google’s instructions as the starting point for setting up the records. The important piece is: v=spf1 include:aspmx.googlemail.com ~all.

Google recommends using ~all, which indicates a “soft fail” if the sender doesn’t match the record. This means the receiving service should apply extra scrutiny but not reject the email immediately. It’s up to the receiving service what the extra scrutiny is, and some of my reading indicated some services (like Hotmail) are prone to reject soft fails. The most logical reason I read was that if someone isn’t confident enough in their settings to use a hard fail, then the receiving service isn’t likely to trust anything other than a pass result. So I’ll be configuring a hard fail, which is -all. (Hard fail is a dash, soft fail is a tilde.) I did use the soft fail during testing and you may want to do the same.

The Sender ID record is the same except for the policy statement at the beginning.

[Update July 14, 2012: As Terry pointed out in a comment, Google’s SPF record has changed to “v=spf1 include:_spf.google.com -all”.]

My SPF record will be:

v=spf1 include:aspmx.googlemail.com -all

While my Sender ID record will be:

spf2.0/pra include:aspmx.googlemail.com -all

[Update July 14, 2012: It seems Sender ID is rarely used, mainly by Microsoft. The record listed here will be redirected but will work, despite being technically wrong. See this.]

All that’s left is to add the records for the domain. The method varies by registrar. The SPF and Sender ID records get added as TXT records. Most of the domains I have in GAFYD use Slicehost DNS and they already have a good write-up on how to set up SPF records at Slicehost. I’ve added the procedures for some other registrars that I have access to.

After the SPF and Sender ID records have been added and allowed time to propagate you can use one of the testing tools to validate the records. I used the tester supplied by Port25 and sent an email to check-auth [at] verifier.port25.com. A response is returned with the results of the tests.

These procedures assume GAFYD is already configured to send and deliver mail for you. Google provides good documentation on how to do this and I wrote up how I set up Google App for My Domain back in August of 2007.

Adding SPF and Sender ID at GoDaddy

  1. Fire up Domain Manager and go to “Total DNS Control” for your domain.
  2. Click the “Add New SPF Record” button under the TXT section.
  3. Select “an ISP or other mail provider” and click OK
  4. Click the Outsourced tab
  5. Type aspmx.googlemail.com into the text box for domains. Click the “Exclude all hosts not specified here” for a hard fail (-all). Click OK
  6. You’ll be asked to confirm the record that was generated. It should look like the SPF record I have above. Click OK to save the record.
  7. Now click the “Add New TXT Record” button to begin adding the Sender ID record.
  8. Type “@” (no quotes) into the “TXT Name” field.
  9. Type (or paste) the Sender ID record into the “TXT Value” field.
  10. Change the TTL from the default 1hr if you want; keep the value low for testing. Click “OK” to save the record.
  11. Wait for the change to propagate. In my case I could test after a few minutes, but in some cases it can take a while.

Adding SPF and Sender ID at Bluehost

Bluehost automatically adds SPF records that point to their servers but use the ?all mechanism. From Bluehost help:

We do allow customers to request custom TXT entries in order to help fight against spam.

So it appears you’ll have to open a support ticket and have them add the records. (I did not do this so I can’t confirm they’ll do it or if it works properly.)

Adding SPF and Sender ID at NameCheap and NameCheap FreeDNS

I believe these procedures should work but don’t have an email account that I can test with. FreeDNS is a service provided by NameCheap that allows you to manage DNS for domains registered elsewhere.

  1. Go to “Manage Domains” and select either “Your Domains” or “FreeDNS –> Hosted Domains” depending on which service you use. Then click on the Domain Name in the list. If the Domain is registered at NameCheap you’ll need to select “All Host Records” from the left menu bar. For FreeDNS you already see the All Host Records screen. From this point on the process is the same.
  2. Enter the information as shown below. The record is partially obscured due to its length, but it’s the same SPF and Sender ID records we’ve been using.

[Screenshot: NameCheapSPF]

Once you save the settings you’re done.

Adding SPF and Sender ID at Enom

I believe these procedures should work but don’t have an email account that I can test with.

Enom provides an “Add SRV or SPF Record” button, but I found that using this only allows the addition of one TXT record for the @ host. I found that both records could be added by simply typing them on the main screen. Use “@” as the host name (no quotes).

[Screenshot: EnomSPF]

You’re done once you click Save.

SPF and Sender ID at 1 & 1

It doesn’t appear SPF or Sender ID can be used for domains registered at 1 & 1. The DNS configuration is very limited and I found the following in their FAQ under “What is an SPF record?”

There is currently no implementation of these policies planned for 1&1 domains.

If you need SPF on a domain registered at 1 & 1 it appears you’ll either need to transfer it or use a third party DNS service.

SPF and Sender ID at Moniker

I believe these procedures should work but don’t have an email account that I can test with.

  1. Log on and go to “My Domains”. Check the box next to the domain you want to manage and click the “IP” tab.
  2. Click on the domain name.
  3. Under “Add Zone Records” select TXT as the record type, enter @ as the host name and put in the SPF or Sender ID record for the address, then click Add. Do this for both the Sender ID and SPF records.

Most hosts should use a process similar to one of the above.

I’d been holding off implementing SPF because I thought it would be a pain and cause problems. While looking into it I saw that Sender ID was easily implemented at the same time. In fact, because Sender ID will use the spf1 record if no spf2 record exists, it’s recommended that Sender ID also be implemented at the same time (even if it’s only a record to say it’s not set up) because the spf1 record can cause problems with Sender ID. I previously linked to a detailed description of the differences which includes an explanation of why this is the case.

It’s also recommended that SPF records be added to domains that don’t send email. These records should indicate that the domain doesn’t send email in order to avoid it being spoofed by spammers.
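The record-selection rules described above (hard versus soft fail, Sender ID falling back to the spf1 record, and the record for a domain that sends no mail) can be checked offline. This is an added example, not part of the original post; the function names are hypothetical, the TXT sets are constructed, and include: and redirect= targets are not followed.

```python
# Added example: audit TXT records the way an SPF / Sender ID receiver selects them.
QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}

def parse_record(txt):
    """Return (version, scopes, terms) for an SPF or Sender ID record, else None."""
    terms = txt.strip().split()
    head = terms[0].lower() if terms else ""
    if head == "v=spf1":
        return "spf1", {"mfrom"}, terms[1:]
    if head.startswith("spf2.0/"):
        return "spf2.0", set(head[len("spf2.0/"):].split(",")), terms[1:]
    return None

def all_policy(terms):
    """Result for a sender that no earlier mechanism matched."""
    for term in terms:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"  # decided by the target record, which is not followed here
    return "neutral"  # no 'all' and no redirect: the default result

def pick(records):
    """Policy of the single matching record; several matching records is an error."""
    return "permerror" if len(records) > 1 else all_policy(records[0][2])

def audit(txt_records):
    parsed = [p for p in map(parse_record, txt_records) if p]
    spf1 = [p for p in parsed if p[0] == "spf1"]
    pra = [p for p in parsed if p[0] == "spf2.0" and "pra" in p[1]]
    report = {"spf": None, "sender_id": None, "sender_id_source": None, "null_record": False}
    if spf1:
        report["spf"] = pick(spf1)
        # a lone "-all" authorizes no host: the form for domains that send no mail
        report["null_record"] = len(spf1) == 1 and [t.lower() for t in spf1[0][2]] == ["-all"]
    if pra:
        report["sender_id"], report["sender_id_source"] = pick(pra), "spf2.0/pra"
    elif spf1:
        # no spf2.0 record: the v=spf1 record is applied to the PRA check as well
        report["sender_id"], report["sender_id_source"] = report["spf"], "v=spf1 fallback"
    return report

# Constructed TXT sets; the "both records" pair is the one built in this post.
SAMPLES = {
    "both records": ["v=spf1 include:aspmx.googlemail.com -all",
                     "spf2.0/pra include:aspmx.googlemail.com -all"],
    "spf1 only": ["site-verification=constructed", "v=spf1 include:_spf.google.com ~all"],
    "no mail": ["v=spf1 -all", "spf2.0/pra -all"],
}
```

Calling `audit(SAMPLES["spf1 only"])` shows the fallback case: the soft-fail policy of the spf1 record is also what a Sender ID check would apply.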

SPF and Sender ID are complicated items but are easy to implement for someone like me who just uses GAFYD with desktop (or web) email clients.

7 thoughts on “Setting Up SPF and Sender ID in Google Apps”

  1. Read your post and I think it's great. I was wondering if there is a way to set SPF for a blog hosted at wordpress.com. I have not been able to find information on this anyway. Any help, if possible, would be greatly appreciated. Thanks.

    1. @Nitin – I don't think it's possible. It looks like they still require you to switch your domain to use their DNS servers. So any SPF record would have to be set up there. They only seem to provide an option to turn mail on or off. But I don't have a WordPress.com blog to check the actual setting on, just searched their help.

  2. After having used it awhile, can you confirm whether a ~ (soft fail) or – (hard fail) works better?

    I just set this up for my domain on Dreamhost, which was pretty basic, but I was tripped up by being unsure what to indicate in the "sub-domain" field. It turns out you leave it blank – easy enough!

    Thanks for a most helpful post.

    1. @Daggett – I've been using a hard fail without having any issues. The impression I get is that some email recipient systems will see a hard fail as the sending system has more confidence in their security against spam and therefore they are more likely to accept. I've no idea if this is true or not but I decided to err on the side of being more strict with the hard fail and haven't had a problem.

  3. Thanks for this informative post and for taking the time to do writeups for all the different hosts. Really helpful!

  4. Note: Google’s SPF record is now:
    v=spf1 include:_spf.google.com -all
    Changed from: v=spf1 include:aspmx.googlemail.com -all
