Web server sending email - how to set up SPF to hide IP?


I have a VPS that sends out mail from contact form(s). How do we set up SPF records while still masking the IP of the VPS?

For example a user visits mysite[.com] and fills out the contact form. In the mailing script I use a TO hardcoded as [email protected][.com] and FROM hardcoded as [email protected][.com].

WebDevCoName[.com] is otherwise protected by Cloudflare. How do I ensure email delivery from that domain name with SPF, while continuing to mask the VPS’s IP?



I had to set up my own Postfix relay that removes the origin IP address from my server(s). Something like this:

It’s outbound-only, so it’s completely firewalled, except Port 25 from my origin servers and Port 22 from my home IP.
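A way to check a relay setup like the one described above, as an added example that is not part of the original post: SPF is evaluated against the IP of the host that connects to the recipient's mail server, so only the relay has to be listed, but the VPS address can still leak through trace headers unless the relay removes them. All addresses, hostnames, the SPF record and the function names are constructed for illustration, and the SPF check covers only `ip4`/`ip6`/`all` terms.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample data (RFC 5737 documentation ranges); all names are hypothetical.
ORIGIN_NET = "192.0.2.10/32"                  # web VPS that must stay hidden
SPF_RECORD = "v=spf1 ip4:198.51.100.25 -all"  # lists only the outbound relay
RAW = ("Received: from relay.example.net (relay.example.net [198.51.100.25])\n"
       "\tby mx.example.org with ESMTPS; Mon, 01 Jan 2024 10:00:02 +0000\n"
       "Received: from web01 (unknown [192.0.2.10])\n"
       "\tby relay.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000\n"
       "X-Originating-IP: [192.0.2.10]\n"
       "From: forms@example.net\nTo: owner@example.net\nSubject: Contact form\n\nhello\n")
TRACE = {"received", "x-originating-ip"}
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def _leaks(name, value, net):
    """True if a trace header carries an IPv4 literal inside net."""
    if name.lower() not in TRACE:
        return False
    for cand in IPV4.findall(value):
        try:
            if ipaddress.ip_address(cand) in net:
                return True
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
    return False

def leaking_headers(msg, origin_net=ORIGIN_NET):
    """Names of trace headers that still expose the origin address."""
    net = ipaddress.ip_network(origin_net)
    return [k for k, v in msg.items() if _leaks(k, v, net)]

def scrub(msg, origin_net=ORIGIN_NET):
    """Drop leaking trace headers in place, as the relay must before sending."""
    net = ipaddress.ip_network(origin_net)
    kept = [(k, v) for k, v in msg.items() if not _leaks(k, v, net)]
    for name in set(msg.keys()):
        del msg[name]
    for k, v in kept:
        msg[k] = v
    return msg

def spf_permits(record, ip):
    """Evaluate only ip4/ip6/all terms; include/a/mx need DNS and are skipped."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all" or (mech[:4] in ("ip4:", "ip6:") and
                             addr in ipaddress.ip_network(mech[4:], strict=False)):
            return qual == "+"
    return False
```

Running `leaking_headers` on a test message received at an outside mailbox shows whether the relay is actually stripping the upstream hop.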


As @sdayman says, you need a relay or you have to expose your IP; the very purpose of SPF is to prove origin, so masking it is just a no-no.

Really I find managing email more hassle than it’s worth and I’m an email geek. I normally recommend using an ESP for this - my own pick is Mailgun. Free for 10,000pm (30,000 if you sign up via https://www.mailgun.com/google). As well as getting SMTP credentials they have a pretty simple API too. The latter is useful in situations where hosts try to control SMTP ports etc (not relevant to you if you’re using a VPS you control but useful for many).


+1 to using an email service of some sort.

If you’re not sending large amounts of email, chances are you can use a free tier. They will mask your IP (if done properly) so you really won’t need to worry about this.


I was hoping to not use a relay. But it sounds like that’s the right thing to do. Thanks folks!


Mailgun, SendGrid, Postmark are great and if you have Office 365 Personal/Home editions, you’d have an Outlook Premium account, which allows personalized domains. I’m sure Google must do the same as well.

Hiding real IP while sending mails? SMTP server without real IP header?

Also, just using a standard VPS is bound to lower your IP reputation. Sending any email from a regular EC2 IP is insta-spam to Gmail at this point (but SES-dedicated IPs are good to go).

In most situations a relay is the only solution, since they can manage their relationship with Google, Yahoo, and Microsoft to ensure their spam filters work in the best interest of the users. Even a ~15 year old single IP with great reputation can be blacklisted for not playing ball: https://www.tablix.org/~avian/blog/archives/2019/04/google_is_eating_our_mail/.


Very good point.