The Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing and prevent sender address forgery, in few words, detect and prevent fake addresses.

This is used to check that incoming mail from a domain comes from a host authorized by that domain's administrators. An SPF record indicates to ISPs that you have authorized MoonMail to send emails through your domain email address.

  • To pass an SPF check: When you use Amazon SES services, through MoonMail, there are two setups with which you can pass an SPF check. The first setup is to use the default MAIL FROM domain of Amazon SES and to not publish an SPF record at all. This setup enables you to pass an SPF check because, by default, Amazon SES uses its own MAIL FROM domain to send your emails. In this case, an SPF check will pass because the default MAIL FROM domain is amazonses.com (or a subdomain of that) and the sending mail server is Amazon SES.

    The other setup with which you can pass an SPF check is to configure Amazon SES to use your own MAIL FROM domain, in which case you must publish an SPF record because the MAIL FROM domain and the domain of the sending mail server, Amazon SES, are different. Instructions for configuring your domain to send emails using a custom MAIL FROM domain are provided in Using a Custom MAIL FROM Domain.
  • To pass DMARC validation based on SPF: If you want DMARC validation to succeed based on SPF, you must set up a custom MAIL FROM domain and publish an SPF record. Note that the alignment mode in the DMARC policy must be relaxed, which is the default. For more information about DMARC policies, see https://dmarc.org/.

New SPF Record

If your custom MAIL FROM domain does not have an existing SPF record, publish a TXT record with the following value. The name of the record can be blank or @, depending on your DNS service.

"v=spf1 include:amazonses.com -all"

Important: If you use "-all" as shown in the example, ISPs might block email from IP addresses that are not listed in your SPF record. Your SPF record must therefore include every IP address that you use to send email. As a debugging aid, you can use "~all" instead. When you use "~all", ISPs will typically accept email from IP addresses that are not listed in the SPF record, but they might flag it. To maximize deliverability, use "-all" and add a record for each IP address. For examples of how to authorize multiple IP addresses, go tohttp://www.openspf.org/SPF_Record_Syntax.

Existing SPF Record

If your domain already has an SPF record, then you must add the following SPF mechanism to the existing record.

Include:amazonses.com

Having the SPF setup in your DNS will make your emails to be trusted by email service providers like Gmail, Yahoo, Outlook and the rest. More trust equals to more hits on the inbox of your subscribers instead of spam.

Need help to set up the SPF records in your DNS? Worry not! We have detailed guides for the most popular domain registrars. Just click here to find yours.

Note: if you can't find a guide for your domain registrar, contact us and we'll gladly create that for you and other users from the same registrar.

Did this answer your question?