Web server sending email - how to set up SPF to hide IP?

I have a VPS that sends out mail from contact form(s). How do we set up SPF records while still masking the ip of the VPS?

For example a user visits mysite[.com] and fills out the contact form. In the mailing script I use a TO hardcoded as [email protected][.com] and FROM hardcoded as [email protected][.com].

WebDevCoName[.com] is otherwise protected by Cloudflare. How do I ensure email delivery from that domain name with SPF, while continuing to mask the VPS’s IP?


I had to set up my own Postfix relay that removes the origin IP address from my server(s). Something like this:

It’s outbound-only, so it’s completely firewalled, except Port 25 from my origin servers and Port 22 from my home IP.


As @sdayman says you need a relay or you have to expose your IP, the very purpose of SPF is to prove origin so masking it is just a no-no.

Really I find managing email more hassle than its worth and I’m an email geek. I normally recommend using an ESP for this - my own pick is Mailgun. Free for 10,000pm (30,000 if you sign up via https://www.mailgun.com/google). As well as getting SMTP credentials they have a pretty simple API too. The latter is useful in situations where hosts try to control SMTP ports etc (not relevant to you if you’re using a VPS you control but useful for many).

1 Like

+1 to using an email service of some sorts.

If you’re not sending large amounts of email chances are you can use a free tier. They will mask your IP (if done properly) so you really wont need to worry about this.

I was hoping to not use a relay. But it sounds like that’s the right thing to do. Thanks folks!

Mailgun, SendGrid, Postmark are great and if you have Office 365 Personal/Home editions, you’d have a Outlook Premium account which allow personalized domains. I’m sure Google must do the same as well.

Also, just using a standard VPS is bound to lower your IP reputation. Sending any email from a regular EC2 IP is insta-spam to Gmail at this point (but SES-dedicated IPs are good to go).

In most situations a relay is the only solution since they can manage their relation with Google, Yahoo, and Microsoft to ensure their spam filters working in the best of the users. Even a ~15 year old single IP with great reputation can be blacklisted for not playing ball: https://www.tablix.org/~avian/blog/archives/2019/04/google_is_eating_our_mail/.

Very good point.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.