Adding an SPF record to our DNS

Hi.

Before I start, I must emphasise that I am not tech savvy with name servers, DNS, SPF or anything else in this line. I know a very little, but not much. So, I would be grateful if replies could be kept as simple as possible! Thanks.

We (a UK not-for-profit charity) have a website which is hosted by a UK company. A while back, a developer (unfortunately, no longer around and uncontactable) advised us to move our name servers across to Cloudflare from those used by our domain hosts.

For a while, we have been unable to send emails to Gmail addresses (apparently, it’s a Google thing that’s caused this) and, to rectify this problem, we were told by our domain host to contact Cloudflare and ask to (and I quote) “add an SPF record to our DNS” (whatever that means!). They later gave us a bit more detail by saying: “you need to contact Cloudflare and let them setup the SPF records”.

However, after a few weeks of trying, I have now discovered that it’s just not possible to contact Cloudflare direct and ask them to action this change. The best I eventually got was an automated email reply saying I should ask the “Cloudflare Community”; which is what I am now doing.

So, if anyone can help make this change happen or tell me what I should do to “add an SPF record to our DNS” (in words of one syllable, please!), I would be very grateful indeed.

Thanks very much for any help you can give us.

Rowland

An SPF (Sender Policy Framework) record is used to signal which IP addresses (e.g. servers) are authorized to send messages on behalf of your domain.

For example, given that you mentioned Gmail, - I’ve mentioned an example with Google over in the thread Gmail is blocking emails it thinks is spam - #4 by DarkDeviL a little over a month ago:

Question to that part would be, - did they also give you the detail of what exactly they would like you to include in the SPF record?

Alternatively, what provider are we talking about?

2 Likes

This is extremely helpful, DarkDeviL - thank you.

And yes, our domain host - called Fasthosts - did give me the two lines of code that need to be entered/added to the SPF record. I did actually initially include that code in my previous post, but had to remove it as I was told I couldn’t send “links”, as a novice Cloudflare Community member! But let’s see if it allows it this time:

host: @
points to: v=spf1 mx a include:_spf.livemail.co.uk ~all

I also know the name of the two name servers we use but, again, had to remove those from my post as well. I hope the above helps.

mx and a in that record are most often included as part of a misconception of how SPF works, and of which machines actually do outbound mail traffic.

Assuming that Fasthosts is the only one you use to send messages through, I would just go with this one:

v=spf1 include:_spf.livemail.co.uk -all

2 Likes
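As an added example (not part of the thread), a small Python linter that splits an SPF record into terms the way a receiving mail server does and reports the three points made in the reply above: the redundant mx and a mechanisms, softfail ~all versus hard -all, and the RFC 7208 limit on DNS-lookup terms. The `outbound_only_via_include` flag encodes the assumption that all mail leaves through the included provider.

```python
"""Lint an SPF TXT record (added example, not from the thread).
Flags the points raised above: redundant `mx`/`a`, `~all` vs `-all`,
and the RFC 7208 limit of 10 DNS-lookup terms."""
import re

# Mechanisms/modifiers that each cost one DNS lookup (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([+\-~?]?)([a-z][a-z0-9]*)(?:[:=/](.*))?", re.I)

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    terms = []
    for token in parts[1:]:
        m = TERM_RE.fullmatch(token)
        if not m:
            raise ValueError(f"malformed SPF term: {token!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms

def lint_spf(record, outbound_only_via_include=True):
    """Return human-readable findings; an empty list means nothing to fix."""
    terms = parse_spf(record)
    findings = []
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    if outbound_only_via_include:  # assumption: all mail leaves via the include'd provider
        for _, mech, arg in terms:
            if mech in ("a", "mx") and arg is None:
                findings.append(f"'{mech}' authorises hosts that send no mail; drop it")
    mechs = [mech for _, mech, _ in terms]
    if "all" not in mechs:
        findings.append("no 'all' term: unlisted senders get an implicit neutral")
    elif mechs[-1] != "all":
        findings.append("'all' must be the last term; later terms are ignored")
    elif terms[-1][0] == "~":
        findings.append("'~all' is softfail; use '-all' once all senders are listed")
    return findings

# Constructed inputs: the record Fasthosts supplied, and the tightened one.
ORIGINAL = "v=spf1 mx a include:_spf.livemail.co.uk ~all"
TIGHTENED = "v=spf1 include:_spf.livemail.co.uk -all"

if __name__ == "__main__":
    for rec in (ORIGINAL, TIGHTENED):
        print(rec, *(lint_spf(rec) or ["no findings"]), sep="\n  ")
```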

Many thanks for this advice. But when you say “go with”, I’m afraid that I don’t know how to; I have no idea how to enter this line of code, where to enter it or, indeed, although I have access to our Cloudflare dashboard, where to find anything in terms of accessing our name servers (or whatever they are) or anything else in our account on Cloudflare!

Might you please be able to guide me as to what to do? We just need to be able to send emails to people with Gmail addresses. We are a UK not-for-profit charity for blind and partially sighted people. Many of our end-users do use email and we must be able to reach them. When companies like Google amend their technology like they have recently done, it’s a shame that they never consider the practical knock-on effects of what they are doing.

If you can help in any way, I would be extremely grateful.

Regards,

Rowland

Rowland Myers, Managing Editor

Since you didn’t share your domain initially, or yet, - I’ll take it below that your domain would be example.com; you will need to substitute that one with your own domain name.

Magic Link: https://dash.cloudflare.com/?to=/:account/:zone/dns/records

It takes you to your account, and here, if you have multiple zones (e.g. domains), it will ask you for which one to go in to.

After the selection, you’ll end up under the DNS → Records section, with a sub-title of “DNS management for example.com”.

  1. Check the list of records, and see if you have a record in the list with the type TXT, for the name example.com.
    Note: If you actually do have such a record, stop here, as we will need to dig deeper into that one.

However, if not:

  2. Click Add record

  3. Add the record as mentioned above, like this:

Setting up things such as DKIM, SPF and/or DMARC doesn’t magically guarantee that you will be able to reach them though, although some “guides” or “tutorials” may appear to suggest so.

While I completely understand the frustration from a sender’s perspective, e.g. like how it may feel from your side, I think it is also important to look at it from the third party’s side (e.g. Google in this case).

For example, like I mentioned over in this thread called “Email forwarding questions”:

We can easily agree that it is sad when it hits innocent senders, but unfortunately, certain measures have to be applied from time to time in the best interest of everyone.

Just by doing some early sanity checks on my inbound mail streams, I am often seeing that 98% of the inbound email delivery attempts are rejected, due to, for example, various kinds of misconfiguration on the sender’s side. :thinking:

Is the guidance at the beginning of this post sufficient?

3 Likes

Thanks, I really appreciate this. I’ve made a start, but we’re not there yet. I have logged into our domain settings on Cloudflare and, under ‘DNS’ and ‘Records’, I have found DNS Management for our domain.

I typed the single line of code (v=spf1 include:_spf.livemail.co.uk -all) in the ‘Search DNS Records’ field and then clicked on “Add Record”. This has brought up a series of boxes that appear to require filling in:

• Type (A, AAAA, CAA or CERT)

• Name (required)

• IPv4 Address (required)

• Proxy status (currently ticked; it also says “AUTO” under ‘TTL’)

None of these I know how to fill in – so we are currently stuck there.

Also on this page, it is showing a change in the nameservers we are using – the two names it gives are different to the ones we currently use. Is this of any significance?

Thanks again for your help. Sorry to bombard you with so many questions.

Regards,

Rowland

(By the way, the reason I am not giving our URL or any other links is that when I do, my posts get rejected).

Rowland Myers, Managing Editor

You don’t need to do that. Just

and then

Thank you. That’s all done, but it won’t save because I haven’t put anything in the “Content” field, which is required. Any thoughts, please?

Why not enter the following?

Ah, I see; so do I enter:
@ in the Title field
v=spf1 include:_spf.livemail.co.uk -all in the Content field
and
Auto in the TTL field?

I have tried this and it has been accepted. I don’t know how long it needs to take effect, but after a minute or so, the Gmail emails were still being rejected.

This might be a good time for you to run through the tutorial at LearnDMARC. Send an email to the address it provides you so you can learn based on the actual configuration of your domain.

I think I may need to do more to set up the domain, now that the necessary changes have been made to the DNS, since it is saying:
Add an A, AAAA, or CNAME record for www so that (domain name) will resolve.
Add an A, AAAA, or CNAME record for your root domain so that (domain name) will resolve.

By the way, I have also added the following separate code to the DNS records because I have seen that our domain host (which I am told points to Cloudflare) has added this as standard. It is:
google-site-verification=lzeF5WOBLEgDRGyX8yURai9YkSLmtZM0YNjUXvlztaU
Was I right to add this?

However - an important question - if I go ahead with changing everything in Cloudflare, will it take down my web site since our domain host is, as mentioned, currently pointing at two different Cloudflare nameservers to the two listed on this Cloudflare DNS page I’m amending!

I see now that you mentioned earlier that you are in the wrong Cloudflare account. I missed that earlier as it was among a lot of superfluous detail.

Is there a reason you are not working in the Cloudflare account that holds your current active DNS?

It just seems to be where I ended up when I logged in. I will take a look around and see if I can find a different account for us with the correct nameservers.

Thanks,

Rowland

Hi, “Epic.network”.

Apologies for including a lot of superfluous detail previously, but my lack of knowledge means that I don’t know what is, and what is not, of importance. Here, in logical order, is where I have got to with trying to restore the ability for our charity to be able to send emails to Gmail addresses through Cloudflare. (Please note I cannot include any domain details or links or this forum will reject this message):

  1. I have logged into what I believe to be our only account with Cloudflare.

  2. I can access the dashboard, select the zone (domain name) and open up “Records” under “DNS”.

  3. Two ‘requirements’ appear. They read “Add an A, AAAA, or CNAME record for www so that (our domain name) will resolve.” and “Add an A, AAAA, or CNAME record for your root domain so that (our domain name) will resolve.” I don’t know what any of that means, but have been told by Fasthosts, who host our domain - but who do not provide the name servers - that they don’t matter.

  4. Under “DNS management for (our domain name)”, I have added two DNS text records. These are both used by Fasthosts for their own nameservers and are: google-site-verification=lzeF5WOBLEgDRGyX8yURai9YkSLmtZM0YNjUXvlztaU and v=spf1 include:_spf.livemail.co.uk -all. Fasthosts use livemail.

  5. Under “Cloudflare Nameservers”, we appear to have been allocated the ones that start with ‘elisa.ns.cloudflare’ and ‘sean.ns.cloudflare’. These are not the two we appear to have been successfully using for years and they do not appear to be amendable; so I have added these two to the two which are registered with, and used by, Fasthosts; so we now have four nameservers listed with Fasthosts.

  6. I phoned Fasthosts and tried to explain verbally what I had found on the Cloudflare dashboard and what I had done. They said it all sounded fine and that I should be able to send to Gmail within 24 hours of making the above changes. It hasn’t worked.

Any thoughts, please?

Is this domain email only? If it also has a website, point 3 in your most recent reply absolutely does matter.

You can get much better answers if you share your domain name. If you enter it by placing it in Preformatted txt </> it won’t get turned into a link.

Thanks for telling me about preformatted txt. Our domain is

infosound.org.uk

And it is used to host a web site as well as send and receive emails.
My main worry is that there is another Cloudflare account somewhere which we have (not set up by me) which uses the two original nameservers we have always used (fiona.ns.cloudflare and logan.ns.cloudflare) and that whatever changes made within the account I have been talking about will not affect the outcome. If only we could talk to Cloudflare!
Thanks for your help.

Well, your domain is currently without a doubt misconfigured.

infosound.org.uk.       172800  IN      NS      fiona.ns.cloudflare.com.
infosound.org.uk.       172800  IN      NS      sean.ns.cloudflare.com.
infosound.org.uk.       172800  IN      NS      elisa.ns.cloudflare.com.
infosound.org.uk.       172800  IN      NS      logan.ns.cloudflare.com.
;; Received 169 bytes from 156.154.103.3#53(nsd.nic.uk) in 32 ms

infosound.org.uk.       86400   IN      NS      fiona.ns.cloudflare.com.
infosound.org.uk.       86400   IN      NS      logan.ns.cloudflare.com.
;; Received 102 bytes from 173.245.59.231#53(sean.ns.cloudflare.com) in 20 ms

Then you are in the wrong Cloudflare account, and nothing you do there will have any effect.

You shouldn’t do that. You should only ever have the two Nameservers that are assigned to the account you want to use.

You have two choices now:

  1. Remove Elisa and Sean nameservers. Then find out which Cloudflare account your website is currently using, gain access to it and add the required DNS records there. This is the preferred option in my opinion.
  2. Add all the required DNS records in the account you are in right now. This means at least email and website. After you have added all of them, remove Fiona and Logan nameservers and add Elisa / Sean again. The problem with this is, you cannot know for sure if you got all the necessary records as there is no way to list them, and there may be additional configuration required in Cloudflare and on your webserver for your site to work again, which means downtime.
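As an added example (not part of the thread), a Python check that does what the reply above did by hand: it parses the two dig answers and reports any nameserver the .uk registry delegates to that the zone’s own authoritative servers do not list, which is exactly the sign that records are being added in the wrong Cloudflare account. The inputs are the NS records quoted in the reply.

```python
"""Check that a zone's delegation is consistent (added example, not from the
thread): the NS set the parent (here the .uk registry) hands out should equal
the NS set the zone's own authoritative servers return."""

def parse_ns_rrset(dig_output):
    """Collect nameserver names from dig-style 'owner TTL IN NS target' lines."""
    servers = set()
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "NS":
            servers.add(f[4].rstrip(".").lower())
    return servers

def check_delegation(parent_output, child_output):
    """Return (stray, missing): servers the parent delegates to that the zone
    itself does not list, and servers the zone lists that the parent omits."""
    parent, child = parse_ns_rrset(parent_output), parse_ns_rrset(child_output)
    return sorted(parent - child), sorted(child - parent)

# Constructed from the dig output quoted above: the registry's referral and
# the answer given by one of the four delegated Cloudflare servers.
PARENT = """\
infosound.org.uk.       172800  IN      NS      fiona.ns.cloudflare.com.
infosound.org.uk.       172800  IN      NS      sean.ns.cloudflare.com.
infosound.org.uk.       172800  IN      NS      elisa.ns.cloudflare.com.
infosound.org.uk.       172800  IN      NS      logan.ns.cloudflare.com.
;; Received 169 bytes from 156.154.103.3#53(nsd.nic.uk) in 32 ms
"""
CHILD = """\
infosound.org.uk.       86400   IN      NS      fiona.ns.cloudflare.com.
infosound.org.uk.       86400   IN      NS      logan.ns.cloudflare.com.
;; Received 102 bytes from 173.245.59.231#53(sean.ns.cloudflare.com) in 20 ms
"""

if __name__ == "__main__":
    stray, missing = check_delegation(PARENT, CHILD)
    for ns in stray:
        print(f"{ns}: delegated by the parent but not in the zone's own NS set;"
              " records added in the account that owns it are never served")
    for ns in missing:
        print(f"{ns}: listed by the zone but not delegated by the parent")
    if not stray and not missing:
        print("delegation is consistent")
```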

Thank you very much for looking into this, Laudian.

I quite agree that your option 1 is by far the better way to go since we have to avoid downtime. However, I can’t see how I can possibly find out which Cloudflare account our website is currently using since I can’t contact Cloudflare; and the “proper” account, which is looking at the nameservers we are using was set up by a third party, who are no longer contactable.

Should I cancel this second account altogether so as not to confuse matters? It’s clearly not doing anything useful.