How to configure SPF for your domain

How to configure a default SPF record

Login to Hydra DNS records list (requires Oxford network or VPN)
Select Create
Enter details as follows:
Field Value
Hostname unit.ox.ac.uk
Type TXT
Content v=spf1 redirect=_spf.ox.ac.uk
TTL 300
Select Create

Field	Value
Hostname	unit.ox.ac.uk
Type	TXT
Content	v=spf1 redirect=_spf.ox.ac.uk
TTL	300

Warning

There must be no more than one SPF policy for a domain, even though you can have as many TXT records as you like. You will need to check this, as well as ensuring that your SPF record is valid syntactically and against other SPF rules; Hydra does not validate TXT record contents and will not advise of any issues.

How to authorise a third-party to send mail from your domain

Don't do this!

Instead, configure the third-party system to use a dedicated mailbox account and send via smtp.nexus.ox.ac.uk

If the third-party you are using does not support properly authorised sending from a Nexus365 account then:

Ensure that you have a good understanding of SPF (see SPF Project resources)
Obtain an SPF inclusion clause from your third-party. This should be in the form “include:saas.domain.com”
Create a new SPF record or edit an existing record in Hydra IPAM, and insert the additional clause between v=spf1 and any other specifiers
Save the record

Further information

SPF records were centrally added to all top-level domains (unit.ox.ac.uk) in 2016. This was a one-off exercise, and we recommend that local ITSS add the default SPF record to any domains they use in email sender addresses.

Some background on why we introduced SPF records, and their impact in relation to some ISP mail providers and common scenarios is available in the ITSS wiki.

Please do ensure that you understand SPF before amending records, as even a syntactically correct entry can render your entire SPF invalid. Consult a suitable SPF guide or the associated RFC for details.