How We Got Here
Recently we ran into some issues submitting ADF leads from one of our websites to a DealerSocket CRM. Sometime in November, something on their servers changed and an SPF record was required to submit leads. Unfortunately DealerSocket didn’t inform us or the dealer of this change and it lead to a large number of missed leads for the dealer. We have never needed to use an SPF record so we needed to do a little research and some trial-and-error. We thought we would share our experience to help other dealers in need.
What is an SPF record?
SPF stands for Sender Policy Framework. An SPF record tells a mail server that receives an e-mail that the sender is allowed to send e-mails on behalf of the domain name in question. So for example, if you wanted to use mail-sender.com to send an e-mail on behalf of example.com, then the DNS settings for example.com should feature an SPF record stating so. In our case we want to tell the DealerSocket CRM e-mail server that WP Engine (our host server) is allowed to send e-mails on behalf of a dealer website, which we will call HondaDealer.com from here on.
Do I Need an SPF Record?
In most cases you do not need an SPF record. If you were sending ADF notifications to a normal e-mail address (Gmail, Yahoo, Hotmail, etc.) then you would not need an SPF record. The challenge we ran into was when sending ADF notifications from a client website to a DealerSocket CRM to capture leads, the DealerSocket CRM mail server would parse the notification and look for an SPF record in the DNS records for HondaDealer.com to ensure that WPEngine.com was allowed to send e-mails on its behalf. The CRM e-mail server checks for an SPF record for security purposes, and also most likely to combat spam submissions to their e-mail server. NOTE: not all CRMs require an SPF record, and this was actually the first time we encountered this requirement.
The Failure Record From DealerSocket
Event: rejected rejected User: -remote- Domain: Sender: email@example.com Sent Time: Dec 20, 2018 7:40:07 AM Sender Host: mail-183-212.wpengine.com Sender IP Address: 220.127.116.11 Authentication: unauthorized Spam Score: 0 Recipient: firstname.lastname@example.org Delivery User: dsmess5 Delivery Domain: hondadealer.dsmessage.com Delivered To: Router: reject Transport: **rejected** Out Time: Dec 20, 2018 7:40:07 AM ID: 1ga0RC-0003Ex-Pz Delivery Host: mail-183-212.wpengine.com Delivery IP Address: 18.104.22.168 Size: 0 bytes Result: Sender verify failed
The SPF Record
Our SPF record looks like this:
v=spf1 mx a ip4:22.214.171.124/23 a:mail.hondadealermail.com include:wpengine.com ~all
So what does it all mean?
This defines what version of SPF we are using. For now, this should always be v=spf1, as in version equals SPF 1. Currently there is no other version of SPF.
mx a ip4 include
These are mechanisms which define which IP addresses are allowed to send e-mail on behalf of the dealer domain in question. So ‘mx’ and ‘a’ are telling the receiving server to look up the ‘mx’ and ‘a’ records attached to the domain that is sending the e-mails, not the sending server, but the domain used in the from e-mail address for the ADF notification.
This is another mechanism that tells the receiving server how to handle mail that doesn’t fit the previous mechanisms. In this case the ‘~’ means soft fail and ‘all’ indicates to give everything else a soft fail.
A Range of IP Addresses
You will likely need to include a range of e-mail addresses. In the case above, we are telling the receiving server to allow mail from a range of IP Addresses from 126.96.36.199 – 188.8.131.52. That covers 512 different IP addresses. To avoid drawing you into a long explanation of how this works and why, I will just refer you to ipaddressguide.com. Experiment with and change the ‘/23’ to ‘/24’ and other values to see how this changes your range. Note that a lower number increases your range. You want to keep your range as tight as possible to make it harder for others to attempt to send notifications to the CRM from their own IP address.
The reason for this is, our host uses various servers to handle sending mail out from our websites. All of these servers fall into the range of IP addresses that we are using.
If your website, or host, uses only one IP address for this, then you can omit the ‘/23’ and just put in the exact IP address.
This one is only required in a specific case. In our case, the website domain is HondaDealer.com. However, HondaDealer.com is not actually used for e-mail addresses by the dealer, so there is no ‘mx’ record in the DNS settings for this domain. They use a dealer group domain name for all of their actual e-mail addresses. Since HondaDealer.com isn’t actually setup as a mail server, the DealerSocket CRM flagged that immediately. So, first we had to change the from e-mail address on our leads to use the group domain, which we will call HondaDealerMail.com. So, with the mechanism above, we are telling the receiving server to accept mail from ‘mail.hondadealermail.com,’ When the DealerSocket CRM pulls the ‘mx’ record for HondaDealerMail.com it will then get a valid response.
Finally, we need to tell the receiving server at DealerSocket to allow WPEngine.com to send e-mails on behalf of HondaDealerMail.com. This is because our WordPress websites are hosted on WP Engine and all notifications including leads are sent by their servers.
Wrapping It Up
So the whole record states that this is SPF version 1 record, to use the ‘mx’ (mail) and ‘a’ (domain name) mechanisms, include IP addresses using the IP4 protocol over the range defined above, accept mail from mail.hondadealermail.com, allow wpengine.com to send this mail, and soft fail all other submissions.
A More Simple Example
Let’s say you are sending mail from your dealer domain, we will call ExampleDealer.com. You only send e-mail from this domain, the server only uses a single IP address (we will say it is 192.168.1.1), and mail is sent directly from this IP address and your domain. Your SPF record would look like this:
v=spf1 mx a ip4:192.168.1.1 a:mail.exampledealer.com ~all
This record, must be entered into the DNS settings for your domain as a TXT record.
That’s it! I hope that helps and thank you for reading. For more information about SPF records, please refer to DNSimple.com. If you have any questions, please feel free to contact us at 480.360.6000.