Linux BIND DNS: Configure Sender Policy Framework (SPF), an E-mail Anti-Forgery System

Q. How do I configure Sender Policy Framework (SPF) anti spam forgery system under Redhat Linux BIND server? I was advised to configure SPF for our corporate domain to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.

A. Spammers routinely try to spoof e-mail. Plain SMTP allows any computer to send an e-mail claiming to be from anyone, so it is easy for spammers to send e-mail from forged addresses. This makes it difficult to trace where the spam truly comes from, and easy for spammers to hide their true identity in order to avoid responsibility. Many believe that the ability for anyone to forge sender addresses (also known as Return-Paths) is a security flaw in modern SMTP, caused by an undesirable side-effect of the deprecation of source routes.

Steps to configure Sender Policy Framework

First, you need access to your DNS server zone files. Some domain registrars / ISPs provide a front end (control panel) to define SPF records. Otherwise, you need to set a TXT record by editing the zone file. The record allows you to define the real IP address of your mail server and other hosts such as a web server.

Set SPF for a domain called

Open your DNS zone file, such as /var/named/data/, and append a record as follows:

@                      86400    IN TXT   "v=spf1 a mx ~all"

OR             IN TXT "v=spf1 a mx ~all"

Save and close the zone file. Restart bind:
# service named restart

  • v=spf1 : Defines an SPF record.
  • a : IP address is xx.yy.zz.eee and that server is allowed to send mail from
  • mx : has one MX server called It is allowed to send mail from
  • ~all : SPF queries that do not match any other mechanism will return “softfail”. Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny. If you need tight control, replace ~all with -all (hard fail).
    For example, in the following record the “a” and “mx” mechanisms specify the systems permitted to send messages for the given domain. The “-all” at the end specifies that, if the previous mechanisms did not match, the message should be rejected:
    IN TXT "v=spf1 a mx -all"

Large network setup

Let us say you have a corporate domain called with static IP network All IPs in this range can send an email. Your email server is called You need to set SPF as follows for domain:
IN TXT "v=spf1 ip4: a mx ~all"
Also, you need to set SPF for as follows:
IN TXT "v=spf1 a -all"

tinydns (djbdns) DNS Setup

If you run tinydns / djbdns, enter the following:

' ip47274.86.49.128/28 a mx ~all:3600
' a -all:3600

Test SPF / SPF record lookup

First, make sure the SPF TXT record has been updated, using a DNS client tool such as host or dig:
$ host -t txt
$ host -t txt
$ host -t txt
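
As an added example (not part of the original article), the following Python sketch lints the TXT string returned by host or dig: it reports the result unmatched senders get (the ~all / -all choice described above), counts DNS-lookup terms against the RFC 7208 limit of 10, and validates ip4/ip6 networks. The function name lint_spf and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that trigger a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}


def lint_spf(txt):
    """Return (default_result, dns_lookups, problems) for one SPF TXT string."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, 0, ["record does not start with v=spf1"]
    default, lookups, problems, names = None, 0, [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        value = body[len(name) + 1:]
        names.append(name)
        if default is not None and name != "exp":
            problems.append(f"{term} comes after 'all' and is never evaluated")
        if name not in KNOWN_TERMS:
            problems.append(f"unknown term: {term}")
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
                if network.version != int(name[2]):
                    raise ValueError("address family mismatch")
            except ValueError:
                problems.append(f"invalid network in {term}")
        elif name == "all" and default is None:
            default = QUALIFIERS[qualifier]
            if qualifier == "+":
                problems.append("+all authorizes every host on the Internet")
    if default is None and "redirect" not in names:
        default = "neutral"  # RFC 7208 default when nothing matches
        problems.append("no 'all' term: unmatched senders get 'neutral'")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return default, lookups, problems


# Constructed samples; 192.0.2.0/28 is a documentation range, not from the page.
for sample in ('"v=spf1 a mx ~all"', '"v=spf1 ip4:192.0.2.0/28 a mx -all"'):
    print(sample, "->", lint_spf(sample))
```

An empty problems list with a default of softfail or fail means the record parses cleanly and has an explicit policy for hosts that match no mechanism.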

If your SPF record is configured correctly, a webmail service such as Gmail or Yahoo Mail can display the SPF result when you view the email headers:

(Fig. 01: SPF in action – Gmail confirms email is sent by my own server [ mailed-by])
To view email headers click on Reply down arrow > Show original:

Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender)

Microsoft 2000 / 2003 / 2008 DNS SPF Configurations

If you run Microsoft DNS server, see these instructions.

Sample BIND zone file for domain

$TTL 86400
@ IN SOA (
                       2008020302        ; Serial
                       3600              ; Refresh
                       300               ; Retry
                       604800            ; Expire
                       3600)             ; Minimum

@                      86400    IN NS
@                      86400    IN NS

@                      3600     IN MX 10

@                      86400    IN TXT   "v=spf1 ip4: a mx ~all"
feeds                  86400    IN CNAME
*                      3600     IN A
@                      86400    IN A
rd                     86400    IN A
www                    3600     IN A
vpn                    86400    IN A

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.
