Q. How do I configure Sender Policy Framework (SPF) anti spam forgery system under Redhat Linux BIND server? I was advised to configure SPF for our corporate domain to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.

A. Spammers always try to spoof e-mail. Plain SMTP allows any computer to send an e-mail claiming to be from anyone, so it is easy for spammers to send e-mail from forged addresses. This makes it difficult to trace back to where the spam truly comes from, and easy for spammers to hide their true identity in order to avoid responsibility. Many consider the ability for anyone to forge sender addresses (also known as Return-Paths) a security flaw in modern SMTP, caused by an undesirable side-effect of the deprecation of source routes.

Steps to configure Sender Policy Framework

First, you need access to your DNS server's zone files. Some domain registrars / ISPs provide a front end (control panel) to define SPF records; otherwise you set a TXT record by editing the zone file. The record declares the real IP addresses of your mail server and of any other hosts, such as a web server, that are allowed to send mail for the domain.

Set SPF for a domain called theos.in

Open your DNS zone file, such as /var/named/data/zone.theos.in, and append a TXT record as follows (the two forms are equivalent; @ stands for the zone origin, theos.in.):

@                      86400    IN TXT   "v=spf1 a mx ~all"

theos.in.              IN TXT   "v=spf1 a mx ~all"

Save and close the zone file. Restart BIND:
# service named restart

  • v=spf1 : Defines an SPF record (version 1).
  • a : theos.in resolves to the IP address xx.yy.zz.eee, and that server is allowed to send mail from theos.in.
  • mx : theos.in has one MX server, smtp.theos.in, and it is allowed to send mail from theos.in.
  • ~all : SPF queries that do not match any other mechanism return "softfail". Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny. If you need tight control, replace ~all with -all (hard fail).
    For example, in the following record the "a" and "mx" mechanisms specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
cyberciti.biz.             IN TXT "v=spf1 a mx -all"

Large network setup

Let us say you have a corporate domain called nixcraft.com with a static IP network; all IPs in this range may send e-mail. Your e-mail server is called smtp.nixcraftmail.com. You need to set SPF for the nixcraft.com domain as follows (the ip4: mechanism takes the permitted network in CIDR notation):
nixcraft.com. IN TXT "v=spf1 ip4: a mx ~all"
You also need to set SPF for the mail server's own name, smtp.nixcraftmail.com, as follows:
smtp.nixcraftmail.com. IN TXT "v=spf1 a -all"
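To see how a receiving mail server turns the records above (the a/mx/ip4 mechanisms and the ~all versus -all endings) into a result, here is a small evaluator added as an example; it is not code from the original article. DNS is replaced by a constructed lookup table with sample addresses, and the evaluator also shows that an ip4: mechanism with no network after the colon is a syntax error (permerror), not a match.

```python
import ipaddress

# Constructed stand-in for DNS (sample addresses, not the real hosts'):
# the A and MX data the "a" and "mx" mechanisms would look up.
FAKE_DNS = {
    "nixcraft.com": {"A": ["74.86.49.130"], "MX": ["smtp.nixcraftmail.com"]},
    "smtp.nixcraftmail.com": {"A": ["203.0.113.25"], "MX": []},
}

def lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # qualifier -> result

def check_spf(record, domain, client_ip, dns=lookup):
    """Evaluate an SPF TXT record for the connecting client_ip.
    Handles the mechanisms used in the records above (a, mx, ip4, all);
    anything else, or a malformed ip4:, is a permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # bare mechanism means "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            if not arg:
                return "permerror"         # "ip4:" with no network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns(arg or domain, "A")
        elif name == "mx":
            hosts = dns(arg or domain, "MX")
            matched = any(str(ip) in dns(h, "A") for h in hosts)
        else:
            return "permerror"             # mechanism not supported here
        if matched:
            return RESULT[qualifier]
    return "neutral"                       # no "all" term: default neutral

if __name__ == "__main__":
    rec = "v=spf1 ip4:74.86.49.128/28 a mx ~all"
    for src in ("74.86.49.140", "203.0.113.25", "198.51.100.9"):
        print(src, check_spf(rec, "nixcraft.com", src))
```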

tinydns (djbdns) DNS Setup

If you run tinydns / djbdns, enter the following (the colon inside the TXT data is written as the octal escape \072, because tinydns uses the colon as its field separator):

'nixcraft.com:v=spf1 ip4\07274.86.49.128/28 a mx ~all:3600
'smtp.nixcraftmail.com:v=spf1 a -all:3600

Test SPF / SPF record lookup

First make sure the SPF TXT record has been published, using a DNS client tool such as host or dig (the third form queries a specific name server directly):
$ host -t txt domain.com
$ host -t txt nixcraft.com
$ host -t txt nixcraft.com ns1.isp.com

If your SPF is configured correctly, webmail services such as Gmail or Yahoo Mail display the SPF result in the message headers:

(Fig. 01: SPF in action – Gmail confirms the e-mail is sent by my own server [ mailed-by cyberciti.biz])
To view the e-mail headers in Gmail, click the Reply down arrow > Show original:

Received-SPF: pass (google.com: domain of vivek@cyberciti.biz designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of vivek@cyberciti.biz designates as permitted sender) smtp.mail=vivek@cyberciti.biz

Microsoft 2000 / 2003 / 2008 DNS SPF Configurations

If you run Microsoft DNS server, see these instructions.

Sample BIND zone file for cyberciti.biz domain

$ORIGIN cyberciti.biz.      ; trailing dot: absolute origin, not relative to the zone name
$TTL 86400
@ IN SOA ns1.cyberciti.biz. vivek.cyberciti.biz. (
                       2008020302        ; Serial
                       3600              ; Refresh
                       300               ; Retry
                       604800            ; Expire
                       3600)             ; Minimum

@                      86400    IN NS    ns1.cyberciti.biz.
@                      86400    IN NS    ns2.cyberciti.biz.

@                      3600     IN MX 10 smtp.cyberciti.biz.

@                      86400    IN TXT   "v=spf1 ip4: a mx ~all"
feeds                  86400    IN CNAME feeds.feedburner.com.
*                      3600     IN A
@                      86400    IN A
rd                     86400    IN A
www                    3600     IN A
vpn                    86400    IN A

2 comments

  • Rajeesh, Jul 30, 2011 @ 7:06

    I have an internal mail server which I pointed to a public IP. How will I implement SPF for the internal mail server?

  • Steven Protter, Aug 28, 2013 @ 19:51

    Good document. Clean, easy to implement. No downside or negative results.
