SPF and Gmail. Again!

In other words – why is Gmail rejecting my e-mails?

As of June 7th, Gmail has started to reject all e-mails received from domains lacking a SPF record. Google reports this problem with the following error message:

550-5.7.1 [217.146.64.162 12] Our system has detected that this message is likely unsolicited mail. 
To reduce the amount of spam sent to Gmail, this message has been blocked. 
Please visit https://support.google.com/mail/?p=UnsolicitedMessageError for more information.Code language: JavaScript (javascript)

This “small” filter change introduced by Google is also reflected in the increasing number of reports we receive:

If this issue sounds familiar, it should not be a problem for you. Namely, we have written a posting back in 2016 (this is in Estonian, but we suggest you to use almighty translator) about Gmail starting to require SPF records in all e-mail messages overnight. They said it was a technical error back then, but it seems this time it is no longer an error, but a deliberate decision instead.

SPF or Sender Policy Framework

The SPF is a list of servers that are allowed to send an e-mail on behalf of a specific domain. The receiving server – for example one belonging to gmail.com, will check, for each incoming e-mail message, whether the sender’s IP address is on its whitelist. This formed only one part of the e-mail checking procedure previously, and was used to decide whether your message went to the spam folder or not. Now, however, the sole existence of a SPF record determines whether the message will be delivered at all.

Zone has automatically added a SPF record to all new Web Hosting plans starting from 2016. There will still be occasions when it is not added automatically or adding it is simply not possible – for example, when the DNS zone is located outside Zone.

In essence, SPF is an additional TXT or text record on the domain name server. When using Zone servers, its content could be as follows:

v=spf1 a mx include:_spf.zone.eu ~allCode language: PHP (php)

As an explanation, this allows you to send e-mail messages:

• a – on all servers or computers belonging to the domain, having an A record (e.g. web server)
• mx – on all mail servers of the domain
• include:spf.zone.ee – on all servers within Zone’s network (including all web servers, outgoing mail (SMTP) servers and webmail)
• ~all – sending from other servers is not explicitly forbidden (to forbid it, you should replace the tilde with a minus sign, i.e.: -all)

How do I add a SPF record to my domain?

Please go to our help environment for detailed instructions on creating and adding a SPF record. In short, the minimum SPF record required to use Zone’s services would be as follows:

v=spf1 a mx include:_spf.zone.eu ~allCode language: PHP (php)

When you only have a virtual server and a domain name at Zone, it is enough to open the E-mail -> DKIM / SPF / DMARC menu on the management panel and click Activate next to the SPF entry.

If your domain’s DNS zone is managed outside Zone externally by another service provider, you should ask this service provider to add the TXT record.

NB! Please note that when sending e-mails from other sources besides Zone services, the SPF record should be adjusted accordingly!

NB! Do not forget to add a SPF record to your alias domains too!

If you are using an alias domain to send e-mails from a web server or via an SMTP server, it must have a valid SPF record also.

The SPF record becomes operational in about 10 minutes. If you are having trouble with setting up or creating your SPF record, contact our customer support!

Don’t limit yourself to SPF!

We can once more provide a link to a blog post published already back in 2016 where we also discuss two other technologies that help you make your e-mails even more authentic.

DKIM

Cryptographic confirmation of the origin of an e-mail message is provided by a technology named DKIM or DomainKeys Identified Mail. DKIM is based on public key encryption. The domain owner has a key pair, and the public part of this key pair will be published as a DNS record and the private part will be used to sign all outgoing e-mails from this domain.

DKIM provides even more assurance to the recipient than SPF regarding the sender’s association with the domain used. Various components of the e-mail message are used to create a digital stamp that the recipient can check to verify the message sent has not been changed in any way during its journey.

Best of all, the digital signing of e-mails can be done entirely on the server. DKIM is therefore easy to deploy from the user’s point of view, as it does not require any additional software on the workstation or any special e-mail client setup.

You can find the DKIM record installing guide in our help environment.

DMARC

DMARC or Domain-based Message Authentication Reporting and Conformance, combines the SPF and DKIM technologies into a single policy preventing e-mail address spoofing.

With the DMARC policy the e-mail recipient can inform the server that one of the following actions must be chosen if SPF and/or DKIM checks fail:

• quarantine the e-mail (to spam mailbox);
• reject the e-mail;
• let the e-mail through, but send a report on such e-mails to the domain administrator.
• See our help for instructions on how to set up and install a DMARC record.