One problem with email is that messages are easy to forge, for instance by pretending to be someone that you are not. Email authentication technology helps solve this issue by allowing antispam filters to verify the identity of those that are sending the message. The receiving server will look at the sender (the FROM address) and at the domain of the envelope sender (identified by the Return-Path header), and will query DNS to confirm that the sending server's IP address is among those authorized by the sender.
If the email were sent by someone the sender has not authorized, the IP address of the sending server would not match those specified by the sender, and the antispam filter could block the message or label it as SPAM. This technology, in other words, allows the receiving server to authenticate the sender.
SPF - or Sender Policy Framework (see the Wikipedia article) - is being used to authenticate emails by large providers such as Charter, Comcast, Earthlink, Juno/Netzero, Gmail, RoadRunner, Verizon, and others. With the advent of a new phishing-fighting technology called DMARC, which relies on SPF and DKIM authentication, SPF becomes even more important.
SenderID (see the Wikipedia article) - which is based on SPF and CallerID technology - is used by AOL, Bellsouth, Comcast, Hotmail, and others. Different providers use different ways to authenticate emails (other ways include DKIM and Domain Keys), and some use multiple methods. Some ISPs now automatically flag a message as SPAM when the sender cannot be authenticated (e.g. no list of IP addresses has been provided for SPF authentication).
SPF: detailed instructions and wizards are available at:
http://spf.pobox.com/wizard.html
SenderID: more information and a Wizard to configure your SPF record for SenderID: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
DKIM (DomainKey Identified Mail): another email authentication method - based on public-key cryptography - used by Yahoo!, British Telecom, Gmail and others (Wikipedia article). All emails sent with MailUp are already, automatically signed with DKIM. Upon request we can implement an optional, client-specific DKIM signature.
Email authentication is used by more and more service providers. In Hotmail, for example, messages that cannot be verified with either SenderID or SPF are flagged with a question mark icon. Gmail is already checking the SPF records and noting whether the test passed or not in the header of the message. More and more ISPs will use email authentication as an additional way to discriminate between SPAM and valid email messages.
A sender that successfully authenticates and does not send unsolicited messages will over time develop a reputation that will ensure high deliverability for their messages even if a message were to contain "red flags" (e.g. text that could be misinterpreted as spam).
Based on the above, you can see why implementing SPF and SenderID is and will be more and more important to ensure that your messages are delivered, and delivered to the Inbox.
There is no charge. The changes to the DNS settings, typically performed by your hosting company or network administrator, only require a few minutes. It is unlikely that your Web hosting provider will charge you for the service. If you are hosting a domain name with us, your domains are already, automatically configured for SPF authentication and no additional changes are needed.
Ask the Web hosting company, domain registrar, or network administrator that manages the sender's domain to make a change to the DNS (Domain Name System) records, as follows:
Dear ___________
We would like to configure our domain for SPF authentication. Please add the following to the TXT record of our DNS:
v=spf1 ip4:93.174.64.0/21 include:musvc.com ~all
spf2.0/pra ip4:93.174.64.0/21 include:musvc.com ~all
If a record already exists, please update it with the IP ranges listed above.
To verify that the SPF record has been correctly configured, we suggest: http://www.kitterman.com/spf/validate.html
We use MailUp as our email platform and we found this information on:
http://www.mailup.com/p/pc/senderID-spf-email-authentication-d86.htm
Thank you!
We recommend - although it's not as important - that you add to the SPF record other IP or SMTP addresses that you use to send messages within your organization. For example: if company XYZ uses smtp.companyXYZ.com as the SMTP address to send their email, the record a:smtp.companyXYZ.com would be added to the SPF record. For more details, please see: http://spf.pobox.com/
There are different ways to accomplish this:
Including the domain or IP of the provider before "~all" (replace DOMAIN_NAME with the domain name or IP):
v=spf1 ip4:81.88.228.224/27 ip4:81.88.237.160/28 ip4:81.88.234.16/28 ip4:93.174.64.0/21 a mx include:DOMAIN_NAME ~all
Make sure that the provider has published their SPF record. Otherwise including the domain name in your SPF record becomes counterproductive. See the links at the bottom of this message for ways to find out a domain's SPF record.
Use the MX tag, which means "all the mx servers for this domain":
v=spf1 ip4:81.88.228.224/27 ip4:81.88.237.160/28 ip4:81.88.234.16/28 ip4:93.174.64.0/21 a mx mx:DOMAIN_NAME.tld ~all
Do this only after verifying that the provider uses the same servers that receive email messages: the MX - or mail exchange - servers are definitely the servers that receive mail for a certain domain, but not necessarily the ones that are used for sending messages.
Use the least restrictive SPF record (?all):
v=spf1 ip4:81.88.228.224/27 ip4:81.88.237.160/28 ip4:81.88.234.16/28 ip4:93.174.64.0/21 a mx ?all
We typically recommend using the "~all" configuration, which means that if an IP/host is not included in the ones specified, the server should further analyze the message (antispam filtering) before delivering the message. If you are positive that you are including all the IP addresses/hosts that you are sending email through, then you could use the more restrictive "-all" configuration, which means that the ones listed are the only IP addresses/hosts authorized to send your messages.
| Syntax | Type | Meaning |
|---|---|---|
| -all | Fail | Fail all servers not listed here (recommended option) |
| ~all | Soft fail | Give extra scrutiny to servers not listed here |
| ?all | Neutral | Unsure whether e-mail infrastructure is secure |
| +all | Pass | There's no infrastructure security at all |
When john@companyXYZ.com sends a series of messages to Gmail users with MailUp, Gmail will query the DNS records for companyXYZ.com, and will find that the IP addresses used by MailUp are indeed authorized to send messages on behalf of companyXYZ.com.
If you need more information or are unsure about how to configure or alter your DNS records to include SPF authentication, please open a support ticket.
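An offline sketch of the check a receiver performs in the scenario above, added here as an example (it is not MailUp's or any mail provider's code): it parses an SPF record, tests a sending IP against the ip4 ranges, and applies the qualifier table. The function names, the test IP addresses and SAMPLE_BAD are constructed for illustration; mechanisms that need DNS (a, mx, include) are reported as unresolved rather than looked up.

```python
import ipaddress

# Result each SPF qualifier produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that need a DNS query; RFC 7208 allows at most 10 per check.
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}

def parse_spf(record):
    """Return [(qualifier, mechanism, value)] for an SPF v1 TXT record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    terms = []
    for raw in parts[1:]:
        if "=" in raw:  # modifiers (redirect=, exp=) are outside this sketch
            continue
        qualifier, body = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        name, _, value = body.partition(":")
        terms.append((qualifier, name.split("/")[0].lower(), value))
    return terms

def check_ip(record, ip):
    """Evaluate without DNS. Returns (result, unresolved); the result is
    definitive only if no DNS-based mechanism had to be skipped."""
    addr, unresolved = ipaddress.ip_address(ip), []
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier], unresolved
        elif name == "all":
            return QUALIFIERS[qualifier], unresolved
        elif name in DNS_MECHANISMS:
            unresolved.append(f"{name}:{value}" if value else name)
    return "neutral", unresolved  # nothing matched and no "all" term

def audit(record):
    """Flag weak or wasteful settings in a record."""
    terms, findings = parse_spf(record), []
    for i, term in enumerate(terms):
        if term in terms[:i]:
            findings.append(f"duplicate {term[1]}")
    if ("+", "all", "") in terms:
        findings.append("+all authorizes every sender")
    if sum(name in DNS_MECHANISMS for _, name, _ in terms) > 10:
        findings.append("more than 10 DNS lookups")
    return findings

PAGE_RECORD = "v=spf1 ip4:93.174.64.0/21 include:musvc.com ~all"  # from this page
SAMPLE_BAD = "v=spf1 ip4:93.174.64.0/21 a mx a mx +all"  # constructed sample
```

An address inside 93.174.64.0/21 passes on the first term with nothing left unresolved; any other address reaches ~all only after skipping include:musvc.com, so that softfail still depends on what the included domain publishes.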
There are several free services that allow you to obtain the SPF records from the DNS of a given domain. This allows you to both verify that your own SPF record has been properly configured, and also to find out if the provider (e.g. SMTP server) that you may decide to list in your SPF record has published their SPF record or not (if not, do not include them in your SPF):
To check from the DOS prompt: