How to make SPF record strict. IT is neutral now

I have the following settings in my default server template:

Add SPF DNS record?: Yes, with server’s IP address
Additional SPF IPs and hostnames: empty
Additional SPF included domains: empty
Does SPF record cover all senders?: No
Additional named.conf directives for new zones: None

And it adds Named directive like mydomain.tld. IN TXT “v=spf1 a mx a:mydomain.tld ?all”.

However I often see my domain names are used for spamming. For example today morning I received bounced to me e-mail message:

Received: from (unknown [])
by (Postfix) with ESMTP id DE056E2CC20
for; Tue, 20 Dec 2011 13:43:59 -0600 (CST)
Received: from [] ([] helo=localhost.localdomain)
by (envelope-from hwsw@mydomain.tld)
(ecelerity r(49957)) with ESMTP
id 42zx-93-69115; Tue, 20 Dec 2011 09:41:50 +0200
Date: Tue, 20 Dec 2011 09:38:13 +0200
Sender: hwsw@mydomain.tld
From: “Best-Penis” hwsw@mydomain.tld
Mime-Version: 1.0
Subject: Max-Gentleman Enlargement*Pills
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Received-SPF: neutral(mydomain.tld: is neither permitted nor denied by domain of mydomain.tld)

I really need to stop this Penis Enlargment crap using my domain name, but not sure how exactly. Any ideas where and to what I need to change to make SPF stricter?

Additionally, I have a separate template for the virtual servers, which use Google Apps. For them per instructions on I’d like to change SPF record to: “v=spf1 ~all”. But where and how?




You should be able to do that by going into System Settings -> Server Templates -> Default -> BIND DNS Domain, and set “Does SPF record cover all senders” to “Yes”.


Hi Andreychek,

It was already been check from the very beginning. However spammers continue to use my domain. Digging in the net, I 've found that ‘~all’ directive is not as strict as ‘-all’. But virtualmin applies ‘?all’, which is completely out of standard. And I would like to be able to change the default SPF record. How can I do that?

If it is hardcoded into Virtualmin, I believe it should be open up for the users’ preferences as the standards might change and there lot’s of different instructions on how to compose these SPF records.


You need to set the “?all” to “-all”. There is a couple of ways to do this first go to Virtualmin >domain name>Server configuration>DNS options. You should now see a drop down box called “Action for other senders” set this to disallow.

Now if you check you spf record it should now be “-all”


Oh, and I spoke with Jamie on all this – he’s going to make it simpler in future version of Virtualmin in order to set SPF records to strict.


Excellent, thank you Shirehosting and anreychek! I wonder is it possible to configure Virtualmin so that - was selected by default instead of ~?

Strange I answered this and my post dissappeared ??

Anyway, I said no not that I am aware of, but it would be a nice feature to have.