Adding SPF Records To Help Emails Get To Recipients – NMI

Overview
What is SPF?
How does it work?
Adding an SPF Record
SPF Record Check
Using a Webmail Based Email Address
Common Providers Documentation

Overview

This article aims to provide assistance to partners and merchants who are having trouble with emails, that the gateway is sending on your merchant's behalf, being rejected or marked as spam. Here you will find more information on the SPF records and how to configure them in your DNS.

When you send an email from your NMI portal or when a system notification email is sent out, the email will show your email address to the recipient. However, since the email is actually sent from NMIs server, behind the scenes the email will still show the sender domain to be "safewebservices.com". Because there is a difference between the sending server domain and the sender's email address domain, email systems can potentially reject the message or mark it as spam mail.

In order to avoid this potential issue, you can add SPF records in your domain's DNS settings which indicate that the safewebservices.com mail server is authorized to send messages from you.

When the sending server domain is different from the sender's email address domain, the email systems will look for the SPF records in the sender's email domain to confirm that the incoming email is authentic and that it came via an authorized domain.

What is SPF?

Sender Policy Framework or SPF is a type of email authentication that defines the mail servers or applications that are allowed to send from your domain. SPF is implemented via SPF records. An SPF record is a text file that is published in the DNS (Domain Name Service) which contains a list of email servers that are authorized to send emails on behalf of your domain.

If the sending server domain used by your email application or system is listed within your SPF record, then your email will be properly authenticated. This will increase the likelihood of your message reaching your customer’s inbox.

How does it work?

Here is an example of the SPF authentication that takes place when you send an email from your NMI portal to your client:

Using NMI, you send an email FROM <jim@yourdomain.com> TO <bill@clientdomain.com>.
Clientdomain.com's mail server checks the DNS records at yourdomain.com for a valid SPF record.
If an SPF record exists, then clientdomain.com checks to see if safewebservices.com is included in the SPF record.
If safewebservices.com is included in the record, then SPF will pass and the email will be properly authenticated.
If safewebservices.com is not included in the SPF record (or the SPF record is not published) then SPF will fail and the email will not be properly authenticated.

Adding an SPF Record

To specifically allow us to send email on your behalf, please work with your DNS provider to create an SPF Record for the following domain:

_spf.safewebservices.com

To add an SPF record, find the TXT record in your DNS settings that have a value starting with "v=spf" and edit that value.

There can only be one record with SPF information in it. If none exists, it can be created. The only change needed is to add include:_spf.safewebservices.com in the record.

Here's an example, where the bold part is added to show NMI is allowed to send messages using your email address:

Type: TXT

Current Value: v=spf1 +a +mx ~all

New Value: v=spf1 +a +mx include:_spf.safewebservices.com ~all

SPF Record Check

To confirm that your SPF record is configured correctly, you can use an online tool such as MX Toolbox.

Go to https://mxtoolbox.com/spf.aspx
Enter your Domain name and click SPF Record Lookup
Your SPF record along with diagnostic information is now displayed on the page.

Using a Webmail Based Email Address

NMI does not recommend using a public webmail based address (@google.com, @hotmail.com, etc.) in the "Receipts From Address" field in your merchants "Account Information" settings.

Since we are sending these emails on your merchant's behalf, they are blocking any emails from domains without our SPF record. To allow us to send an email on your merchant's behalf, please have your merchant work with their DNS provider for the domain the email is coming from to create an SPF record.

As an alternative or quick fix while getting the SPF record set up, the merchant can add <outgoing@safewebservices.com> in the "Receipts From Address" field in their merchant portal (under "Options" → "Settings" → "Account Information"). This is the official email address the automated receipts are coming from. They can also add anything before the "@" sign as long as they're using the safewebservices.com domain, like receipts@safewebservices.com or merchants_name@safewebservices.com where "merchants_name" is the name of the merchant account.

Common Providers Documentation

The following table includes links to documentation for common providers.

Provider	SPF
Google	Ensure mail delivery & prevent spoofing (SPF)
Outlook	Set up SPF to help prevent spoofing
Yandex	SPF record
Yahoo	How do I manage TXT records for my domain?
GoDaddy	Add an SPF record
Bluehost	How To Setup a DNS SPF Record
Amazon SES	Authenticating Email with SPF in Amazon SES

These are external links and may be broken if the provider made an update. Please let us know about any broken links by sending an email to support@nmi.com.