Google Apps Domain Create SPF Records For BIND or Djbdns

I work for a small business and outsourced our email hosting to Google. However, I noticed that spammers are using our From: First Last to send their spam messages. All bounced messages come to our catch only account. How do I stop this? How do I validate our domain using SPF? How do I configure an SPF record for a Google Apps domain using BIND 9 or djbdns?

You must create a Sender Policy Framework (SPF) record for every domain that is used to send email. An SPF record identifies which mail servers are permitted to send email on behalf of your domain. This is used to prevent spammers from sending messages with forged From addresses at your domain such as, where foo is not a valid username. In this example, spammers use to send spam to When my mail server receives a message from, it will check the SPF record for to find out if it is a valid message or not. If the message comes from a server other than the mail servers listed in the SPF record, then my mail server can reject it or mark it as spam.
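The receiving server's decision described above can be sketched as follows. This is an added example, not code from the original article: the `DNS` table, `example.com`, `mailhost.example` and the documentation addresses are constructed placeholders, and only the `a`, `mx`, `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (documentation names and addresses).
DNS = {
    ("example.com", "TXT"): "v=spf1 a mx ip4:192.0.2.10 include:_spf.mailhost.example ~all",
    ("example.com", "A"): ["192.0.2.1"],
    ("example.com", "MX"): ["mx1.mailhost.example"],
    ("mx1.mailhost.example", "A"): ["198.51.100.5"],
    ("_spf.mailhost.example", "TXT"): "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, dns=DNS):
    """Evaluate the domain's SPF record for a connecting IP address."""
    addr = ipaddress.ip_address(ip)
    record = dns.get((domain, "TXT"), "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published
    for term in record.split()[1:]:
        # A missing qualifier means "+" (pass).
        qualifier, body = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, value = body.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            matched = ip in dns.get((value or domain, "A"), [])
        elif name == "mx":
            hosts = dns.get((value or domain, "MX"), [])
            matched = any(ip in dns.get((h, "A"), []) for h in hosts)
        elif name == "include":
            # include matches only when the nested evaluation returns pass
            matched = check_host(ip, value, dns) == "pass"
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return RESULTS[qualifier]  # first matching term decides
    return "neutral"
```

A sender that matches nothing before `~all` gets `softfail`, which is why such mail is accepted but scored more harshly, while the same sender against a record ending in `-all` gets `fail`.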

Sample Setup

can send email using ALL of the following servers:
       |                                        +----------------------+
    Mail Server (point to)                      | | w/ local sendmail 
       |                             +----------+----------------------+
   +------------+                    |            
   |   Google   |                    |          +----------------------+
   |   Apps     |                    |          | | w/ local sendmail
   |   Mail     +--------------------+----------+----------------------+
   |   Server   |                    |
   +------------+                    |          +----------------------+
         |                           |          | | w/ local sendmail
                                     +----------+----------------------+

Consider the following examples:
$ host -t mx
Sample outputs:
mail is handled by 4
mail is handled by 1
mail is handled by 2
mail is handled by 3

The four MX servers above receive mail for domain. All of the above servers are managed by Google Apps. However, has 3 KVM-based VPS servers to host its website. Those 3 nodes also send emails to its customers or users. You need to add them to your list too:

Finally, its public IP address may also send email to its customers or users:
$ host
Sample outputs:

How Do I Build an SPF Record for

Add the following entry to the zone file (BIND 9 syntax):

@                       3600   IN TXT   "v=spf1 a mx ip4: ip4: ip4: ~all"

If you are using djbdns, enter:

' ip4\07274.86.48.99 ip4\07274.86.48.102 ip4\07274.86.48.98 a mx include\ ~all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600
' a -all:3600


  • @ : Domain name i.e.
  • 3600 : TTL for the domain record.
  • IN TXT “v=spf1 : Starts an SPF record.
  • a :’s IP address is which is allowed to send mail from
  • mx : The * servers are allowed to send mail from
  • ip4: : is allowed to send mail from
  • ip4: : is allowed to send mail from
  • ip4: : is allowed to send mail from
  • Send mail from (includes a large number of Google Apps servers) is also allowed to send mail from
  • ~all : Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny or spam checks.

Finally, reload BIND 9 named (don’t forget to increase the zone serial number):
# /etc/init.d/named reload

How Do I Verify My SPF Records?

Type the following commands:
$ dig txt
$ host -t txt
Sample outputs:
descriptive text "v=spf1 a mx ip4: ip4: ip4: ~all"
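dig and host only show that a TXT record exists, not that it is well formed. The following added example (not part of the original article) lints an SPF string before it is published and renders it in both BIND 9 and djbdns syntax, including the `\072` escape djbdns needs for each colon. The function names, `example.com`, `_spf.mailhost.example` and the addresses used with it are placeholders.

```python
import ipaddress
import re

# Terms that trigger a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}

def lint_spf(record):
    """Return a list of problems in one SPF TXT string; an empty list means clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    problems, lookups, seen_all = [], 0, False
    for term in terms[1:]:
        has_q = term[0] in "+-~?"
        qualifier, body = (term[0], term[1:]) if has_q else ("+", term)
        name, _, value = re.match(r"([^:=/]*)([:=]?)(.*)", body).groups()
        name = name.lower()
        if seen_all:
            problems.append(f"'{term}' follows 'all' and is never evaluated")
        if name not in KNOWN_TERMS:  # stricter than receivers, which skip unknown modifiers
            problems.append(f"unknown term '{term}'")
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    problems.append(f"'{term}' holds the wrong address family")
            except ValueError:
                problems.append(f"'{term}' needs a valid address or CIDR range")
        elif name in ("include", "exists", "redirect") and not value:
            problems.append(f"'{term}' needs a domain name")
        elif name == "all":
            seen_all = True
            if qualifier == "+":
                problems.append("'+all' authorizes every host on the Internet")
        lookups += name in LOOKUP_TERMS
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    if not seen_all and "redirect=" not in record.lower():
        problems.append("no 'all' term: unlisted senders get a neutral result")
    return problems

def to_tinydns(fqdn, record, ttl=3600):
    """Build a tinydns-data TXT line; ':' separates fields, so escape it as octal \\072."""
    escaped = record.replace("\\", "\\134").replace(":", "\\072")
    return f"'{fqdn}:{escaped}:{ttl}"

def to_bind(record, ttl=3600):
    """Build the equivalent BIND 9 zone-file line for the zone apex."""
    return f'@ {ttl} IN TXT "{record}"'
```

For instance, `lint_spf("v=spf1 a mx ip4: ip4: ip4: ~all")` reports three `ip4:` terms that lack an address, and `to_tinydns("example.com", "v=spf1 ip4:192.0.2.10 ~all")` yields `'example.com:v=spf1 ip4\072192.0.2.10 ~all:3600`.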

3 comments
  • Justin Best Dec 20, 2010 @ 21:32

    Great article guys! However, unless you’re Spock you won’t be able to easily tell if your SPF record is properly formatted using the simple verification methods suggested here.

    The official SPF Project site has a great wizard at Just type your domain name in and click “go”. The wizard will verify what settings you’ve got in place, and help you make changes.

  • Rajeesh Sep 15, 2011 @ 7:25

    I have one email server the mx is pointed to public ip address, for this also I can make the settings like this.
    “v=spf1 a mx ~all”


  • Rajeesh Sep 15, 2011 @ 7:26

    I have one email server the mx is pointed to public ip address, for this also I can make the settings like this.
    “v=spf1 a mx ~all”

