Step 3: Meet the SPF Record
The third step is to meet the Sender Policy Framework (SPF) record. This next step requires two critical skills: reading, and the courage not to panic when you see a real IP address. Don't worry, it's really not that bad. The SPF record is a text file stored in your DNS record. The syntax is here, but I'll offer what I did as a quick and easy starting point. I used the IPv4 and SoftFail "mechanisms." Let me explain.v=spf1 ip4:192.168.0.1/16 -all That says, "Here's my Sender Policy Framework version 1 statement, and if you get an e-mail from any IP address between 192.168.0.1 and 192.168.255.255, it probably came from someone at my domain. If it came from another IP address outside of that range, it probably did not come from someone at my domain and I'd be suspicious of it." The "It may be me anyway" suggestion is called the SoftFail, which is the "-all" command. Sort of a hedge if you are new to this and a little unsure. Worked for me. Also, don't be tempted to use the "Include" mechanism. It looks like a shortcut, but probably won't work - which is a warning they themselves give you. I tried it anyway, of course. They were right. Step 4: Find Your IP Ranges for Every SMTP Your Employees Use The fourth step is to find your IP ranges for every SMTP your employees use where the "@yourdomain.com" is in the "From" line. And I do mean everywhere: home, on the road, BlackBerry, etc. Everywhere. Our associates all log in remotely, and always send e-mail from office desktops. So all I had was EarthLink at the office, Cablevision at home (just for me), and my BlackBerry. If, like me, you're not great at reading message headers, here is a neat cheat to find your sending SMTP IP addresses: From the e-mail SMTP account you want to authorize, send an e-mail to firstname.lastname@example.org. Delivery will fail but don't worry, that's how it works. You will receive a distinctly user-unfriendly response e-mail with the subject line of "Delivery Notification: Delivery has failed." In fact, even when you do have Sender Authentication properly working, you still get that scary-sounding subject line. The e-mail itself is very helpful though. Sift through it and you will see something like this: SPF Tests: Mail-From Result="none": Mail From="email@example.com" ... Remote IP="220.127.116.11" Two cool things here. First, this is one of your SPF test tools. Eventually you will see Mail-From Result="pass." Second, this is an easy way to see the IP address from which you are sending, shown as Remote IP="xxx.xxx.x.xxx". That is information you will need to know. If you want to check against message headers, send yourself an e-mail and look at the "message source." Remember, you have to read them bottom up, and the first IP address above the message (where you see your machine name) is the IP address of your desktop - not the SMTP sender. The next one up should have the name of your SMTP provider and the IP address you want. More about reading headers can be found by clicking on this link. You're not done, though. You want to be sure you have all possible IP addresses for your host SMTP. So I used this IP lookup tool to query my sending IPs. That returned the range of servers at Earthlink: 18.104.22.168 through 22.214.171.124. An SPF record using the IPv4 command covering that range, including SoftFail, is: v=spf1 ip4:126.96.36.199/16 ~all IMPORTANT: You have to repeat this step for everywhere any of your employees sends legitimate company e-mail, and where the "From" address is shown as: firstname.lastname@example.org.
Here's an example of an SPF record that would work using IPv4 and SoftFail: