0

I have a web server with a community website on it, and 1 subdomain on another IP. I use Cloudflare, and made outlook.com handle my mail for me. However, my web server also sends mail. For example, a registration mail, or an invoice. Currently I have my SPF record set up as follows:

mydomain.com. IN TXT "v=spf1 include:hotmail.com ~all"

and my MX records point to the hotmail.com mail servers. However, mails sent directly from the server seem to be marked as spam rather easily. Probably because the ~all is not a very safe thing to do. How to only include the mail I send? I was thinking of:

mydomain.com. IN TXT "v=spf1 ptr include:hotmail.com -all"

The ptr record seems to require a correct IP lookup. However, the IP is obfuscated by Cloudflare.

How to correctly set up the SPF record with Cloudflare?

Geert

2 Answers

1

Include the IP address of the server sending the emails:

v=spf1 ip4:123.45.67.89 include:hotmail.com -all

The Cloudflare IP addresses are only used for delivering content over HTTP; emails will still be sent directly from your own server, so the IP is always the same. If you have a Host record pointing directly to your server you can use that instead:

v=spf1 a:server.domain.tld include:hotmail.com -all
Mathias R. Jessen
  • This is a pretty important point - with Cloudflare the IP resolved for the domain will not be the origin server that will send the email. – Mark Mar 22 '15 at 22:49
0

v=spf1 a include:hotmail.com -all

Using `a` will allow any A record to send email, as you stated you have a www site and a subdomain.

Papa
  • So the ptr is not necessary? v=spf1 include:hotmail.com a ptr -all – Geert Feb 20 '14 at 06:40
  • You can set this up with whoever hosts your servers. Most have a control panel to add reverse DNS. If not, contact them about it. – Papa Feb 20 '14 at 07:21
  • I can set my SPF records myself. I was just wondering why the ptr record is not necessary. Does **a** already include **ptr**? When do I need the **ptr**? – Geert Feb 20 '14 at 10:57
  • In your case, the `PTR` doesn't work in your `SPF` entry cause you don't own the IP. Your hosting provider owns the IP and they have control over Reverse DNS records. `A` records don't cover `PTR` as it's a separate thing. When someone does a reverse lookup, they hit the IP of your server, not a domain name, and your hosts dish up the record themselves like this: IP x.x.x.x is mapped to www.domain.com. – Papa Feb 21 '14 at 05:16
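
The matching that both answers and Mark's comment turn on, as an added Python example that is not part of the original thread: a small evaluator for the `ip4`, `a`, `include` and `all` mechanisms, run against constructed DNS data where the domain's A record is proxied and the mail leaves from the origin. The addresses, the `server.mydomain.com` host name and the stand-in `hotmail.com` record are assumptions for illustration; `ptr` and other mechanisms are not modelled.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges, not real records).
ZONE = {
    "A": {
        "mydomain.com": ["203.0.113.10"],          # proxied: resolves to the CDN edge
        "server.mydomain.com": ["198.51.100.25"],  # unproxied host record: origin IP
    },
    "TXT": {
        "hotmail.com": "v=spf1 ip4:192.0.2.0/24 -all",  # stand-in for the provider's record
    },
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ORIGIN = "198.51.100.25"  # constructed address of the web server that sends the mail


def check_spf(record, sender_ip, domain, zone=ZONE):
    """Evaluate ip4, a, include and all left to right; the first match decides."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:            # skip "v=spf1"
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                      # A records of arg, or of the current domain
            addrs = zone["A"].get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif name == "include":                # matches only if the included record passes
            matched = check_spf(zone["TXT"][arg], sender_ip, arg, zone) == "pass"
        else:
            raise ValueError(f"mechanism not modelled here: {term}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"                           # no mechanism matched


if __name__ == "__main__":
    for rec in ("v=spf1 include:hotmail.com ~all",
                "v=spf1 a include:hotmail.com -all",
                "v=spf1 ip4:198.51.100.25 include:hotmail.com -all",
                "v=spf1 a:server.mydomain.com include:hotmail.com -all"):
        print(f"{check_spf(rec, ORIGIN, 'mydomain.com'):9} {rec}")
```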