How to check whether a domain has a correctly set SPF record?

Created: 2016-11-16 12:39:09 UTC
Modified: 2017-06-26 06:36:45 UTC

Applicable to:

  • Plesk for Linux
  • Plesk

Question

How to check whether a domain has a correctly set SPF record?

Answer

The simplest solution is to use an online tool such as one of the following:

http://mxtoolbox.com/spf.aspx

http://www.kitterman.com/spf/validate.html

http://www.openspf.org/Tools

To test it manually, connect to the Linux server or use Terminal (How to connect to a server using SSH/RDP):

  1. Run a query with the spfquery_static command provided by the libspf2 library, as shown below:

    /usr/bin/spfquery_static -ip 10.20.30.40 -sender from@example.com -rcpt-to to@example.com
  2. A correctly configured domain produces output like this (using Google as an example):

    $ /usr/bin/spfquery_static -ip 66.102.13.18 -sender from@gmail.com -rcpt-to to@gmail.com
    pass
    spfquery: domain of gmail.com designates 66.102.13.18 as permitted sender
    Received-SPF: pass (spfquery: domain of gmail.com designates 66.102.13.18 as permitted sender) client-ip=66.102.13.18; envelope-from=from@gmail.com;
  3. A problematic domain looks more like this:

    $ /usr/bin/spfquery_static -ip 11.22.33.44 -sender from@example.com -rcpt-to to@gmail.com
    StartError
    Context: Failed to query MAIL-FROM
    ErrorCode: (26) DNS lookup failure
    Error: Temporary DNS failure for 'example.com'.
    EndError
    (invalid)neutral
    Please see http://www.openspf.org/Why?id=from%40example.com&ip=11.22.33.44&receiver=spfquery : Reason: default
    spfquery: 11.22.33.44 is neither permitted nor denied by domain of example.com
    Received-SPF: neutral (spfquery: 11.22.33.44 is neither permitted nor denied by domain of example.com) client-ip=11.22.33.44; envelope-from=from@example.com;
  4. To check that the DNS server has SPF information for the domain example.com, use the dig utility:

    # dig -t TXT +short example.com @13.23.33.43
    "v=spf1 +a +mx -all +a:server.hostname.tld"

    where 13.23.33.43 is the IP address of server.hostname.tld, the host where the DNS server is running.
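
Once dig returns a TXT string, its structure can be checked before relying on it. The Python linter below is an added example, not part of this article or of libspf2: the name lint_spf and the finding texts are illustrative, and it applies RFC 7208 evaluation rules (left-to-right matching, at most 10 DNS-lookup terms) to the strings alone, without making DNS queries.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # one DNS lookup each
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9_.-]*)([:=/].*)?", re.I)

# The TXT string shown in the article's dig output (quotes as dig prints them).
PAGE_RECORD = '"v=spf1 +a +mx -all +a:server.hostname.tld"'

def lint_spf(txt_records):
    """Return findings for the TXT strings published at one domain name."""
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no v=spf1 record found"]
    if len(spf) > 1:
        return ["multiple v=spf1 records: receivers return permerror"]
    findings, lookups, all_term, has_redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            findings.append(f"unparsable term {term!r}")
            continue
        qualifier, name, rest = m.group(1) or "+", m.group(2).lower(), m.group(3) or ""
        is_redirect = rest.startswith("=") and name == "redirect"
        if rest.startswith("=") and not is_redirect:
            continue  # exp= and unknown modifiers do not change the result
        if not is_redirect and name not in MECHANISMS:
            findings.append(f"unknown mechanism {term!r}: permerror")
            continue
        if all_term:
            # 'all' always matches, so evaluation stops there (left to right).
            findings.append(f"{term!r} follows {all_term!r} and is never evaluated")
            continue
        if is_redirect or name in LOOKUP_MECHS:
            lookups += 1
        if is_redirect:
            has_redirect = True
        elif name == "all":
            all_term = term
            if qualifier == "+":
                findings.append("+all authorizes every sender")
    if lookups > 10:  # RFC 7208 limit; terms inside include/redirect targets add more
        findings.append(f"{lookups} lookup terms exceed the limit of 10: permerror")
    if not all_term and not has_redirect:
        findings.append("no 'all' or redirect=: unmatched senders get neutral")
    return findings

if __name__ == "__main__":
    for finding in lint_spf([PAGE_RECORD]):
        print(finding)
```

Run against the sample record from step 4, it reports that `+a:server.hostname.tld` follows `-all` and is never evaluated; moving that term in front of `-all` clears the finding.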

Information

Note that the SPF information can be written in either TXT format or as a dedicated SPF record. The latter is also sometimes referred to as a "type99" record. The SPF information needs to be in at least one of these formats. If both are used, these records must be exact copies of each other. These records are served by the same DNS server that serves the example.com domain name.

The libspf2 library performs an SPF check in the following order:

  1. First, it queries the DNS server for an SPF record.
  2. If it is not defined, it tries to query for TXT.
  3. If both attempts fail, it means there is no SPF for this domain.

For more information check Plesk Documentation and Help Portal - Sender Policy Framework System (Linux)
