How To Setup a DNS SPF (Sender Policy Framework) Record | Bluehost Support
Support
  1. bluehost knowledge base

How To Setup a DNS SPF (Sender Policy Framework) Record

Protect your email reputation and combat email spoofing by setting up a Sender Policy Framework (SPF) record. It's a type of DNS record that notifies the recipient's mail host which mail servers are authorized to send email from your domain name, making it more difficult for someone to spoof your email address trying to impersonate you.

This article outlines what you need to know about SPF records and how they can be implemented at Bluehost for Shared and Cloud hosting. 



Using SPF Records with Shared and Cloud Hosting

Note: The Advanced tab will load your cPanel. Legacy accounts will feature a horizontal navigation bar at the top of the screen, while Bluerock account users will see a vertical navigation menu on the left-hand side of the screen. To learn more, please see Bluerock vs. Legacy.

Legacy Accounts

Each host uses its own set of spam-filtering rules for its incoming mail servers. This means that depending on the rules. One outgoing mail server may be better for delivering mail to host XYZ, while another server is better for delivering mail to host ABC. Because we want to keep your delivery rates as high as possible, we use an entire network of servers to send mail so our system can select the mail server best qualified to send a message to its particular destination.

To make it work, we maintain a list of approved servers and IP addresses in the SPF record of Bluehost.com, which is then included in the default SPF record of every domain on our Shared or Cloud hosting plans. The default record looks like this:

v=spf1 a mx ptr include:bluehost.com ?all

The record is composed of three parts:

  1. v=spf1 identifies the TXT record as an SPF record.
  2. a mx ptr include:bluehost.com specifies an approved list of outgoing servers.
    • If you have a non-Bluehost server you want to allow sending mail from, this is where you'll add it. It's also where Bluehost's list of approved outgoing servers is included. (include:bluehost.com)
    • Third-party email marketing tools often require that you update your SPF record to accommodate their servers.
  3. ?all specifies how hosts should regard servers that are not on the list. There are a few modifiers you can use here:
    • -all "Hard Fail" means to reject all mail that isn't on the allowed list.
    • ~all "Soft fail" means accept mail, not on the allowed list, but treat it with more scrutiny.
    • ?all "Neutral" means accept all mail; there isn't a policy for servers not on the list. This is the default setting.

Bluerock Accounts

These accounts do not use unifiedlayer.com proxy IPs as the outgoing email server. Instead, Rock accounts use websitewelcome.com proxy IPs as an outgoing email server. Since email is not sent from unifiedlayer.com proxy IP's, the SPF record needs to be configured with websitewelcome.com instead of brand-specific URLs. For example:

v=spf1 a mx include:websitewelcome.com ~all

The record is composed of three parts:

  1. v=spf1 identifies the TXT record as an SPF record.
  2. a mx include:websitewelcome.com specifies an approved list of outgoing servers.
    • If you have a non-Bluehost server you want to allow sending mail from, this is where you'll add it. It's also where Bluehost's list of approved outgoing servers is included. (include:websitewelcome.com)
    • Third-party email marketing tools often require that you update your SPF record to accommodate their servers.
  3. ?all specifies how hosts should regard servers that are not on the list. There are a few modifiers you can use here:
    • -all "Hard Fail" means to reject all mail that isn't on the allowed list.
    • ~all "Soft fail" means accept mail, not on the allowed list, but treat it with more scrutiny.
    • ?all "Neutral" means accept all mail; there isn't a policy for servers not on the list. This is the default setting.

Customizing SPF Records

?all is the default setting since we don't know if you'll be using another email service other than Bluehost with your domain name. For a more in-depth look at SPF syntax and mechanisms, see open-spf.org.

If you're using another host to send an email for your domain, customize your SPF record by adding additional servers and IPs to the second part of the record. And if you want to make your record more strict to defend the domain from email spoofing, adjust the policy for "all."

For example, if you only use Bluehost to send email from your domain and you want to make the sending policy as strict as possible, we recommend using this SPF record:

v=spf1 a mx ptr include:Bluehost.com -all

This record authorizes your website's server and Bluehost's list of outgoing mail servers to send an email. All other outgoing mail servers are unauthorized. To add a new SPF record to your domain name, follow the steps below.

Add an SPF Record

SPF records are added to your Zone File as TXT records. Keep in mind that, by default, Bluehost adds an SPF record to your zone file for each domain, so if you want to add another record, it's best to delete the default one from inside your cPanel.

  1. Log in to your Bluehost control panel.
  2. Go to the Domains menu at the top and click the Zone Editor submenu.
  3. Select your domain name from the drop-down.
  4. If you're removing an existing SPF record, scroll down to find it in the TXT record section to find it and click Delete.
  5. To add a new SPF record, enter this information under Add DNS Record at the top of the Zone Editor:
    • Name: Type your domain name (without the www)
    • TTL: 14400
    • Type: TXT
    • TXT Value: This is where you would paste in your new SPF record.
  6. Click Add Record.

You're done!

For further assistance, you may contact our Chat Support or Phone Support via 888-401-4678. You may also refer to our Knowledge Base articles to help answer common questions and guide you through various setup, configuration, and troubleshooting steps.