How can I create an SPF record for my domain?

  • Applies to: Grid
    • Difficulty: Easy
    • Time: 10
    • Tools needed: Account Center access
  • Applies to: All DV
    • Difficulty: Easy
    • Time: 10
    • Tools needed: Account Center access
  • Applies to: (ve)
    • Difficulty: Easy
    • Time: 10
    • Tools needed: Account Center access
  • Applies to: WordPress Hosting
    • Difficulty: Easy
    • Time: 10
    • Tools needed: Account Center access


Sender Policy Framework (SPF) is a method of fighting spam. As more time passes, this protocol will be used as one of the standard methods of fighting spam on the Internet. An SPF record is a TXT record that is part of a domain's DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name. Once this entry is placed within the DNS zone, no further configuration is necessary to take advantage of servers that incorporate SPF checking into their anti-spam systems. This SPF record is added the same way as a regular A, MX, or CNAME record.

The authoritative source for this information can be found here:


Your domain must be using (mt) nameservers:


For information on how to confirm this for your domain, see this article: Performing a WHOIS search.


This article is provided as a courtesy. Installing, configuring, and troubleshooting custom DNS settings is not supported by (mt) Media Temple. Please take a moment to review our Statement of Support.



Example record

As a courtesy, we've come up with a generic SPF record that should work quite effectively for you.

v=spf1 -all

Be sure to replace with your server's IP address.

v=spf1 a mx -all


If you send email through your mail servers at Media Temple and also through another mail server (such as your ISP's mail server in the case of restricted port 25 access), you can add an "include:" mechanism in your SPF record to include the SPF records for the servers you use. For example:

v=spf1 -all

The above would work if your domain name is and you also send mail through's mail servers.

Before including your ISP in this manner, you must make sure that the domain you provide also has an SPF record set up. You can check this at, or other third-party services by doing a DNS lookup for TXT. If you are using Google Apps for your domain, please see the following guide at
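The checks described above, as an added example that is not part of the original article or of Media Temple's tooling: a small linter that parses an SPF TXT string and confirms that every include: target publishes its own SPF record. The `ZONE` dictionary stands in for DNS TXT lookups; its domains and addresses are constructed documentation values, and the function names are hypothetical.

```python
import re

# Terms that cost a DNS query at evaluation time (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def parse_spf(txt):
    """Split one SPF TXT string into (qualifier, name, argument) terms."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for part in parts[1:]:
        m = TERM_RE.match(part)
        if not m or m.group(2).lower() not in KNOWN_TERMS:
            raise ValueError(f"unrecognised term: {part!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3) or ""))
    return terms

def spf_records(name, zone):
    """TXT strings at `name` that are SPF records; `zone` stands in for DNS."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def lint_spf(name, zone):
    """Return human-readable findings for the SPF policy published at `name`."""
    found = spf_records(name, zone)
    if len(found) != 1:
        return [f"{name}: expected exactly one v=spf1 record, found {len(found)}"]
    terms = parse_spf(found[0])
    findings = []
    for qualifier, term, arg in terms:
        if term == "include" and len(spf_records(arg, zone)) != 1:
            findings.append(f"include:{arg} has no usable SPF record (permerror)")
        if term == "all" and qualifier in "+?":
            findings.append(f"'{qualifier}all' does not reject unlisted senders")
    if not any(term in ("all", "redirect") for _, term, _ in terms):
        findings.append("no 'all' or 'redirect': unlisted senders get neutral")
    # Local count only; terms inside included records count toward the limit too.
    if sum(term in LOOKUP_TERMS for _, term, _ in terms) > 10:
        findings.append("more than 10 DNS-querying terms (permerror)")
    return findings

# Constructed zone data using documentation names and addresses (RFC 2606 / 5737).
ZONE = {
    "example.com": ["v=spf1 a mx ip4:192.0.2.10 include:isp.example.net -all"],
    "example.org": ["v=spf1 a mx include:nospf.example.net ?all"],
    "isp.example.net": ["site-verification=constructed", "v=spf1 ip4:198.51.100.0/24 -all"],
}
```

An empty list from `lint_spf` means none of these checks fired; it does not replace testing the published record against a real receiver.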


  1. Log into your Account Center.
  2. Click on the domain you wish to add the SPF to.


  3. Click the Edit DNS Zone File option under the DNS & Zone Files menu.


  4. Click + Add Row to create a new record. Set the type to TXT and enter your SPF record in the right column.


    v=spf1 -all

    Be sure to replace with your server's IP address.

    v=spf1 a mx -all
  5. Click Save to commit the changes.

You can also use this SPF wizard:

Stop receiving spoofed emails and bouncebacks

Spamming with a fake reply-to address (yours) is called "spoofing." Since the email appears to be coming from your server, complaints and bouncebacks from the spam will often be redirected to your server, rather than the actual spammer. You may also receive some of the original spam - spam that appears to be coming from you!

Adding an SPF record to your zone file is the best way to stop spammers from using this technique with your domain. An SPF record will eliminate a high proportion of the bouncebacks you've been getting, because other mail providers will reject the email immediately without sending a bounceback to the (spoofed) reply-to address. While the SPF record is not 100% effective, because not all mail providers check for it, you should notice a drastic decrease in the number of bouncebacks you receive.

If you are also receiving the original spoofed emails (that look like spam coming from yourself) you can add the spammer to your block list. You will need to look at the header from one of the spam emails. Look for the very last line that starts with Received. You want to check for the IP address or domain that the message is coming from, not to or received by. Add this IP or domain to your block list in your spam filter.

If you look at your header and find out that the spam actually is coming from your own server, you should proceed to our Security Resources article, as this may indicate a compromise.
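The header check described above, as an added example that is not part of the original article: it reads the Received headers of a message, returns the bottom-most hop as the article instructs, and also returns the hop written by your own server, since lines below that one were supplied by other systems and cannot be verified. The sample message, host names, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are documentation values.
RAW = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP id A1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net (unknown [198.51.100.77])
\tby mail.example.com with ESMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [203.0.113.5] (helo=pc)
\tby relay.example.net with SMTP id C3; Mon, 1 Jan 2024 10:00:00 +0000
From: you@example.com
Subject: constructed sample

body
"""

def hops(raw):
    """Return Received hops in header order (newest first) as from/ip/by dicts."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())              # unfold continuation lines
        m = re.match(r"from (\S+)(.*?) by (\S+)", flat)
        if not m:
            continue                                # e.g. a local "Received: by ..." line
        ip = re.search(r"\[((?:\d{1,3}\.){3}\d{1,3})\]", m.group(1) + m.group(2))
        out.append({"from": m.group(1).strip("[]"),
                    "ip": ip.group(1) if ip else None, "by": m.group(3)})
    return out

def last_received(raw):
    """The article's rule: the bottom-most Received header is the earliest hop."""
    found = hops(raw)
    return found[-1] if found else None

def seen_by(raw, my_server):
    """The hop recorded by your own server, i.e. the sender it actually saw."""
    return next((h for h in hops(raw) if h["by"] == my_server), None)

def originates_locally(raw, my_ips):
    """True when the earliest hop is one of your own addresses (possible compromise)."""
    hop = last_received(raw)
    return hop is not None and hop["ip"] in my_ips
```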

Activate incoming mail SPF filtration on DV


Enable incoming SPF Filtration

Your DV can be set up to accept messages only from senders that can pass varying degrees of SPF verification. This is useful for avoiding large amounts of unsolicited error messages, spam from forged email addresses, and other auto-reply clutter.

  1. Navigate to the Server Management - Tools & Settings area of Plesk


  2. Access your Mail Server Settings from the Mail menu.


  3. Enable the option Switch on SPF spam protection.
      From this point, you can choose between a few different types of SPF checking modes.
      Here is a bit more info on the different SPF filtration options:
  • The Only create Received-SPF headers, never block option will accept all incoming messages regardless of SPF check results.
  • The Use temporary error notices when you have DNS lookup problems option will accept all incoming messages, regardless of SPF check results. It will send an error notice if an SPF check failed due to DNS lookup problems.
  • The option Reject mail when SPF resolves to "fail" (deny) will reject messages from senders who are not authorized to use the domain in question. This would be a good option to use if you are noticing large amounts of spoofing spam.
  • The option Reject mail when SPF resolves to "fail" (deny) will reject the messages that are most likely from senders who are not authorized to use the domain in question. This is a bit more strict, and may not be necessary to activate. We recommend allowing some time with a less strict setting to see if that resolves the issue first.
  • To reject the messages from senders who cannot be identified by the SPF system as authorized or not authorized because the domain has no SPF records published, choose the option Reject mail when SPF resolves to neutral. This setting is not usually recommended, as not all domains have SPF records, and you may miss traffic from legitimate sources.
  • To reject the messages that do not pass SPF check for any reason (for example, when sender's domain does not implement SPF and SPF checking returns the "unknown" status), select the option Reject mail when SPF does not resolve to "fail" (deny). This strictness level is not usually recommended.
  • If you need to specify additional rules that are applied by the spam filter before the SPF check is actually done by the mail server, type the rules you need in the SPF local rules box. While configuration on this level is outside of what (mt) Media Temple supports, for more information on SPF rules visit:
  • To specify the rules that are applied to domains that do not publish SPF records, type the rules into the SPF guess rules box.
  • If you'd like to specify a notice that is returned to the sender when a message is rejected for failing SPF, type it into the SPF explanation text box. If nothing is specified, the default bounceback error text will be used for notification.
  • To save your changes, click OK at the bottom of the menu.
cPanel

    cPanel provides a simple interface for generating an SPF record for outgoing mail protection. These steps must be completed for each domain on which you would like to enable protection.

    For SPF records

    1. Log into cPanel and select Authentication from the email menu. 


    2. Scroll down to the SPF section and click Enable


    3. Scroll to the bottom and apply your new settings by clicking Update

    To enable DKIM protection for incoming mail, repeat these steps but select DKIM. 

    Alternate/Additional Domains

    If you'd like to set up SPF records for an Alternate Domain, please make sure that you are adding the TXT record to the proper zone. The SPF record for does not belong in's DNS zone listing, but rather in the DNS zone of that same domain. This must be done for each domain you'd like to use SPF on as well. Simply setting it up for just the primary domain of your server will not have any impact on the SPF status of your other domain names on that same server.