Options dialog - DNS - Local Zones - Automatic SPF
Simple DNS Plus v. 5.2 Copyright © 1999-2011 JH Software ApS
• Synthesize TXT-records from SPF-records for local domains

This option allows you to publish SPF-records for your domains without maintaining identical TXT-records (for older e-mail servers). If the server receives a DNS request for TXT-records for a name, and no TXT-record exists but an SPF-record does exist, it will respond with a synthesized TXT-record containing the same data as the SPF-record.

• Synthesize missing SPF records (TXT and SPF) for local domains
Using this option you can provide SPF records for all domain names on your server without having to set up and maintain SPF-records separately for every single domain name.
If you need to provide unique SPF-records for certain domain names, you can still set up individual SPF-records for those names. This function only kicks in when there are no SPF-records defined for a domain name already.
Consider enabling this option with the value "v=spf1 -all" (meaning "these domains never send e-mail").
This forces you to have specific SPF-records for all domain names that send e-mails.
But it very effectively prevents spamming/phishing from all other domain names on your server - including common sub-names such as www.example.com which most users forget to set up SPF records for.
A good alternative to this is "v=spf1 mx -all" (meaning "these domains only send e-mail from the mail server listed in their MX-record").
This way any domain name that has an MX-record is covered automatically.
And sub-names such as www.example.com which typically do not have MX-records are still excluded.
IMPORTANT: In addition to checking the domain name part of the sender's e-mail address, some e-mail servers also perform SPF checks on the SMTP session HELO/EHLO greeting host name.
Therefore always make sure that your e-mail server is configured to use a correct host name (like "mail.example.com") in the HELO/EHLO greeting, and that an A- and/or AAAA-record exists for this host name in DNS.
And when using this option, make sure that the SPF-record data is also valid for the HELO/EHLO host name used by your e-mail server, or define a specific SPF-record for the HELO/EHLO name in the zone where this belongs (this will override the automatic SPF record).
Note that the default automatic SPF record data "v=spf1 mx -all" will fail such a test if no MX-record exists for your HELO/EHLO name.
For example, if your domain name is "example.com" and your mail server is named "mail.example.com" (and uses this in HELO/EHLO greetings), you would probably only have an MX-record for "example.com" - not for "mail.example.com", and therefore "v=spf1 mx -all" fails to validate "mail.example.com".
Instead you could use "v=spf1 ip4:1.2.3.4 -all" (where 1.2.3.4 is the IP address of your mail server), which would work for both types of tests.
IMPORTANT: These synthesized records are provided in responses to standard DNS lookups for SPF- and TXT-records only - they are NOT provided in zone transfers to secondary DNS servers. Therefore you must configure this option the same way on any secondary DNS servers for your domain names.
NOTE: This function is automatically disabled for requests for any domain name containing the underscore (_) character to avoid collision problems with special purpose names such as "_domainkey".
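The two synthesis options above and the HELO/EHLO caveat can be modelled with a small resolver over constructed zone data. The following is an added example written for this page, not code from Simple DNS Plus; the zone contents, the assumption that synthesis applies only to names that exist in a local zone, and the assumption that an existing TXT-record starting with "v=spf1" counts as an existing SPF-record are all constructed for illustration. The toy SPF evaluator supports only the ip4, a, mx and all mechanisms, which is enough to show why "v=spf1 mx -all" fails a HELO check for "mail.example.com" while "v=spf1 ip4:1.2.3.4 -all" passes.

```python
from ipaddress import ip_address, ip_network

# Constructed sample zone for example.com (not the product's own data).
# Record data is kept as simple strings keyed by record type.
ZONE = {
    "example.com": {"MX": ["mail.example.com"], "SPF": ["v=spf1 mx -all"]},
    "mail.example.com": {"A": ["1.2.3.4"]},          # HELO/EHLO name, no MX
    "www.example.com": {"A": ["1.2.3.5"]},           # typical sub-name, no SPF
    "sales.example.com": {"MX": ["mail.example.com"],
                          "TXT": ["v=spf1 ip4:1.2.3.4 -all"]},  # explicit override
    "_domainkey.example.com": {"TXT": ["k=rsa; p=PLACEHOLDER"]},  # underscore name
}

DEFAULT_SPF = "v=spf1 mx -all"  # the default value the page mentions


def lookup(zone, name, rtype, synth_txt=True, default_spf=None):
    """Answer a query for name/rtype, applying the two synthesis options.

    synth_txt   - option 1: answer a TXT query from SPF data when no TXT exists.
    default_spf - option 2: data to synthesize when a local name has no SPF
                  data at all (None disables the option).
    """
    if name not in zone:
        return []                      # assumption: only local names are synthesized
    recs = zone[name]
    answer = list(recs.get(rtype, []))
    if rtype not in ("TXT", "SPF") or answer:
        return answer                  # real records always win
    if rtype == "TXT" and synth_txt:
        answer = list(recs.get("SPF", []))   # option 1: copy SPF data as TXT
    if answer or default_spf is None or "_" in name:
        return answer                  # underscore names are never synthesized
    # Option 2 only kicks in when the name has no SPF data under either type.
    has_spf = bool(recs.get("SPF")) or any(
        t.startswith("v=spf1") for t in recs.get("TXT", []))
    return answer if has_spf else [default_spf]


def check_spf(zone, domain, sender_ip, **synth):
    """Toy SPF evaluation of sender_ip against domain (ip4, a, mx, all only).

    Returns "none", "pass", "fail", "softfail" or "neutral". The same function
    serves both the MAIL FROM domain check and the HELO/EHLO host name check.
    """
    records = (lookup(zone, domain, "SPF", **synth)
               or lookup(zone, domain, "TXT", **synth))
    spf = next((r for r in records if r.startswith("v=spf1")), None)
    if spf is None:
        return "none"
    ip = ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in zone.get(arg or domain, {}).get("A", [])
        elif mech == "mx":
            mx_hosts = zone.get(arg or domain, {}).get("MX", [])
            matched = any(str(ip) in zone.get(mx, {}).get("A", []) for mx in mx_hosts)
        else:
            continue                   # mechanisms outside this toy evaluator
        if matched:
            return results[qualifier]
    return "neutral"                   # no mechanism matched


if __name__ == "__main__":
    print(lookup(ZONE, "example.com", "TXT"))                # TXT synthesized from SPF
    print(lookup(ZONE, "www.example.com", "SPF", default_spf=DEFAULT_SPF))
    print(check_spf(ZONE, "mail.example.com", "1.2.3.4", default_spf=DEFAULT_SPF))
    print(check_spf(ZONE, "mail.example.com", "1.2.3.4",
                    default_spf="v=spf1 ip4:1.2.3.4 -all"))
```

Running the module shows the HELO case from the text: with the default "v=spf1 mx -all", the synthesized record for "mail.example.com" fails because that name has no MX-record, while a default of "v=spf1 ip4:1.2.3.4 -all" passes for both "example.com" and "mail.example.com". The explicit TXT-record on "sales.example.com" and the underscore name are left alone, matching the override and underscore rules described above.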
Background:
SPF is a spam and phishing fighting method which uses DNS records to define which hosts are permitted to send e-mails for a domain.
Early implementations of SPF used DNS TXT-records to store these permissions. However, a new dedicated SPF-record type was recently added to the DNS protocol specifically for this purpose.
When SPF-enabled e-mail servers receive an inbound e-mail (via SMTP) they will look up the DNS SPF-record (SPF or TXT type) for the domain name of the sender's e-mail address in order to verify that the sending e-mail server's IP address is permitted to send e-mail for that domain name.
For more details on SPF, please see http://www.openspf.org