Solution: Sender Policy Framework (SPF) records allow domain owners to specify which hosts are permitted to send email on behalf of their domains. Normal SMTP allows any computer to send an email on behalf of any domain. Thus, it's easy for spammers to send emails with forged From: addresses. SPF allows a domain owner to use a special format of DNS TXT records to specify which machines or hosts are authorized to transmit email for their domain, making it difficult to forge From: addresses.
For example, if you own the domain example.com, you can designate which hosts are authorized to send email originating from user@example.com. Your recipient's servers will then identify the origin of your message by checking the SPF record.
SPF Outbound:
Setting up SPF DNS entries as follows will minimize non-deliveries through the outbound service. Use this if you ONLY send your outgoing messages via the email security outbound services:
domain.com. IN TXT "v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:74.125.148.0/22 ip4:74.125.244.0/22 ip4:123.45.6.7 ~all"
You only need to enter one of the four IP ranges, depending on your system number or location. The 64.18.0.0/20 range is for customers in the US on systems 5, 6, 7, 8, and 20; the 74.125.148.0/22 range is for customers on system 9; the 74.125.244.0/22 range is for customers on system 10; and the 207.126.144.0/20 range is for customers on systems 20, 200, and 201 in the UK. You can find your system number by examining the URL when logged into the Admin Console. For example, on system 9 you'll see https://ac-s9.postini.com/... where s9 indicates the system number.
Example of a customer on system 9 using SPF for outbound in the US:
example.com. IN TXT "v=spf1 ip4:74.125.148.0/22 ip4:123.45.6.7 ~all"
Note: 123.45.6.7 is a sample sender MTA IP address. Replace it with the IP address(es) of your sending servers.
SPF Inbound:
You do not need to make any configuration changes to your SPF settings for inbound traffic unless you are using SPF on your incoming mail traffic. In this case, add the following to your SPF record to allow notifications to be delivered:
domain.com. IN TXT "v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:74.125.148.0/22 ip4:74.125.244.0/22 include:spf.postini.com ~all"
Note: Publishing an SPF record that lacks include:spf.yourdomain.com or specifying -all instead of ~all may result in delivery problems.
Publishing an SPF record following the format described by the SPF wizard should have no impact on your inbound mail flow through the security service.
SPF Query Tool:
http://www.kitterman.com/spf/validate.html?
