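# Install spf-tools under /opt/cli. Only the clone runs as root (it writes
# under /opt); the freshly fetched script is then run without root rights.
# NOTE(review): the clone follows the tip of the default branch. Read the
# checkout, or pin it to a commit you have audited
# (git -C /opt/cli/spf-tools checkout <AUDITED_COMMIT>), before relying on it.
cat <<'EXE' | sudo bash
set -euo pipefail   # stop at the first failure instead of carrying on as root
echo
git clone https://github.com/jsarenik/spf-tools.git /opt/cli/spf-tools
EXE
# Print the usage text as the invoking user; the subshell leaves the caller's
# working directory untouched, as the original root shell did.
(echo && cd /opt/cli/spf-tools/ && ./despf.sh -h)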
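# Write the per-user spf-tools settings file. The quoted 'CFG' delimiter keeps
# the body literal, and the target path is quoted so a home directory that
# contains spaces or glob characters is still written to correctly.
cat >"${HOME}/.spf-toolsrc" <<'CFG'
DOMAIN=shahed.biz
ORIG_SPF=spf.shahed.biz
DESPF_SKIP_DOMAINS=_spf.google.com:_spf.sendgrid.net
DNS_TIMEOUT=5
DNS_SERVER=1.1.1.1
CFG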
# Refresh the package index, list pending upgrades, install the opendkim-tools
# package and then clear the downloaded archives. Every step runs in one root
# shell, and each step runs regardless of the previous step's exit status.
cat <<'EXE' | sudo bash
apt-get update
echo
apt list -a --upgradable
echo
apt-get install -y opendkim-tools
echo
apt-get clean
EXE
DNS » Record » TXT » SPF
SPF TXT Record Format
v=spf1 [qualifier][mechanism] ... [modifiers]
| Mechanism | Example | Meaning |
|---|---|---|
| ip4 | ip4:192.0.2.1 | Allow a specific IPv4 address |
| ip6 | ip6:2001:db8::1 | Allow a specific IPv6 address |
| a | a:example.com | Allow IP from the A or AAAA record of domain |
| mx | mx:example.com | Allow mail servers listed in domain's MX records |
| include | include:_spf.google.com | Include SPF rules from another domain |
| all | -all, ~all, ?all, +all | Apply default rule to any unmatched sender |
| Qualifier | Meaning | Action | Usage |
|---|---|---|---|
| +all | Pass | Accept mail from any IP | ☠️ Not recommended |
| -all | Hard fail | Reject non-matching IPs | ✅ Strict enforcement |
| ~all | Soft fail | Accept but mark as spam | 👍 Recommended during rollout |
| ?all | Neutral | No policy guidance | 🤷 Rare, for undefined policies |
| Modifier | Description | Example |
|---|---|---|
| redirect | Redirect SPF check to another domain | redirect=_spf.example.com |
| exp | Explanation domain for failed SPF | exp=explain.example.com |
|
- Run a Composite Check:
- Use SPF Flattening
- Manually
- Check for
- Proper -all ending
- DNS lookup count ≤ 10
- No more than one SPF (v=spf1) TXT record per domain
- Only needed services included
|
DNS » Record » TXT » DKIM
Playground
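# Look up the domain's mail exchangers and its TXT records (the SPF policy is
# published as a TXT record).
dig MX chorke.org
dig TXT chorke.org
# Port 25 starts as plaintext SMTP, so a bare TLS handshake fails there.
# -starttls smtp makes s_client send STARTTLS first, which lets the server
# certificate and negotiated protocol be inspected.
openssl s_client -starttls smtp -connect mail.chorke.org:25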
|
# Inspect the package with the two read-only queries first, then install it
# with root rights.
for query in info search; do
  apt "$query" opendkim-tools
done
sudo apt-get install -y opendkim-tools
|
# Clone spf-tools under /opt/cli (sudo because the target is below /opt) and
# enter the checkout. The clone is not pinned to a revision, so read the
# scripts before running them.
sudo git clone https://github.com/jsarenik/spf-tools.git /opt/cli/spf-tools
cd /opt/cli/spf-tools/
|
|
|
|
|
|
References