SPF TXT record, how to hide server IP address?
Hi, I'm new here and this server is overwhelming to find the right spot to post about this.
I am trying to keep my server IP address private since I'm using Cloudflare. I need to set up an SPF record.
When I have the TXT record as:
v=spf1 ip4:5.5.5.5 include:_spf.cloudflare.com ~all
it works, but it exposes the IP address.
If I take off the server IP address, this doesn't work:
v=spf1 include:_spf.cloudflare.com ~all
Does anyone know what I'm doing wrong? Thanks!
8 Replies
That's just how SPF and email sending fundamentally work. Removing it from there means you fail SPF. Any receiving mail server would see it anyway.
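As an added illustration of the point above (example code, not something posted in the thread): a minimal SPF evaluator run over a constructed in-memory DNS table, showing that the record with the ip4 term passes for mail sent from 5.5.5.5 while the record without it only softfails. The _spf.cloudflare.com entry and the example domains are placeholders, not the real records.

```python
import ipaddress

# Constructed DNS data so the example runs offline. The _spf.cloudflare.com
# entry is a placeholder using a documentation range, not the real record.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:5.5.5.5 include:_spf.cloudflare.com ~all",
    "example.org": "v=spf1 include:_spf.cloudflare.com ~all",
    "_spf.cloudflare.com": "v=spf1 ip4:198.51.100.0/24 -all",  # placeholder
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Evaluate a subset of SPF (ip4, include, all with +/-/~/? qualifiers).

    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror",
    mirroring how a receiving MTA decides whether sender_ip may send for domain.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms; guard recursion
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            # An IPv6 sender never matches an ip4 mechanism (version mismatch).
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the referenced domain's record passes.
            matched = check_spf(term[8:], sender_ip, dns, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    # The connecting IP is 5.5.5.5 either way; only the published record differs.
    print(check_spf("example.com", "5.5.5.5"))  # pass
    print(check_spf("example.org", "5.5.5.5"))  # softfail
```

The receiving server always knows the connecting IP from the TCP connection itself, so omitting it from the record changes only the verdict, not what the receiver sees.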
So you're saying there is no way of going around it and I would have to expose my server IP address (since I'm using the same server as my email)?
Either use an email service like Amazon SES/Mailgun/mail.baby/etc., or you could set up a separate server to send mail that is exposed.
okay thanks for the recommendations.
You can do other sane steps though to try to lower the risk. Sending mail doesn't need any incoming ports open; you can allowlist just CF https://developers.cloudflare.com/fundamentals/concepts/cloudflare-ip-addresses/ to 80/443 and then deny all other incoming.
If you are using a host with a managed external firewall like Oracle, OVH, or Hetzner, they have a fair bit of capacity and could filter for you if you use their firewalls. If you've just got your single server and ufw or whatever, then your port could still be overwhelmed.
If you are receiving mail as well as sending, then you'll need more ports open for that, which would make protection more tricky.
Yeah, that sounds intense, I'm looking for an easy solution haha. You mentioned Amazon SES, is that fairly easy to set up?
Chance of you getting attacked is probably pretty low, but paying a service to send mail is usually advised anyway because mail sending is messy, and even your IP neighbors sending mail could result in yours being junked. SES is easy/simple SMTP, although they do have verification/you have to explain your use case to them, which can be annoying/rejected.
okay awesome. thanks so much for your fast responses on this, very helpful!