Google Apps Domain Create SPF Records For BIND or Djbdns

in Categories , last updated October 22, 2010

I work for a small business and outsourced our email hosting to Google. However, I noticed that spammers are using our From: First Last to send their spam messages. All bounced messages come to our catch only account. How do I stop this? How do I validate our domain using SPF? How do I configure a SPF for Google Apps domain using BIND 9 or djbdns?

You must create a Sender Policy Framework (SPF) recored for all your domains which are used to send emails. An SPF can identifies which mail servers are permitted to send email on behalf of your domain. This is used to prevent spammers from sending messages with forged From addresses at your domain such as, where foo is not a valid username. In this example, spammers use to send spam to When my mail server receives a message from, it will check the SPF record for to find out if it is a valid message or not. If the message comes from a server other than the mail servers listed in the SPF record, than my mail server can reject it as spam or mark as spam.

Sample Setup can send email using the ALL of the following servers:
       |                                        +----------------------+
    Mail Server (point to)                      | | w/ local sendmail 
       |                             +----------+----------------------+
   +------------+                    |            
   |   Google   |                    |          +----------------------+
   |   Apps     |                    |          | | w/ local sendmail
   |   Mail     +--------------------+----------+----------------------+
   |   Server   |                    |
   +------------+                    |          +----------------------+
         |                           |          | | w/ local sendmail        +----------+----------------------+

Consider the following examples:
$ host -t mx
Sample outputs: mail is handled by 4 mail is handled by 1 mail is handled by 2 mail is handled by 3

Above four MX servers receive mail for domain. All of the above servers are managed by Google apps. However, has 3 KVM based vps server to host its website. Those 3 nodes also send emails to its customers or users. You need to add them to your list too:

Finally, its public ip address may also send an email to its customer or users:
$ host
Sample outputs:

How Do I Build a SPF Record for

You need to add the entry as follows in zone file (BIND 9 syntax):

@                       3600   IN TXT   "v=spf1 a mx ip4: ip4: ip4: ~all"

If you are using djbdns, enter:

' ip4\07274.86.48.99 ip4\07274.86.48.102 ip4\07274.86.48.98 a mx include\ ~all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600


  • @ : Domain name i.e.
  • 3600 : TTL for domain recored.
  • IN TXT “v=spf1 : Start an SPF recored.
  • a :’s IP address is which is allowed to send mail from
  • mx : The * servers are allowed to send mail from
  • ip4: : is allowed to send mail from
  • ip4: : is allowed to send mail from
  • ip4: : is allowed to send mail from
  • Send mail from (includes large number of Google apps server) is also allowed to send mail from
  • ~all : Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny or spam check.

Finally, reload your BIND 9 named (don’t forget to increase serial number):
# /etc/init.d/named reload

How Do I Verify My SPF Records?

Type the following command:
$ dig txt
$ host -t txt
Sample outputs: descriptive text "v=spf1 a mx ip4: ip4: ip4: ~all"

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Share this on (or read 3 comments/add one below):

3 comment

  1. Great article guys! However, unless you’re Spock you won’t be able to easily tell if your SPF record is properly formatted using the simple verification methods suggested here.

    The official SPF Project site has a great wizard at Just type your domain name in and click “go”. The wizard will verify what settings you’ve got in place, and help you make changes.

  2. Hi,
    I have on email server the mx is pointed to public ip address, for this also i can make the settings like this.
    “v=spf1 a mx ~all”


  3. Hi,
    I have one email server the mx is pointed to public ip address, for this also i can make the settings like this.
    “v=spf1 a mx ~all”


    Have a question? Post it on our forum!