Skip to content

Correctly configuring incoming SPF in Exim on Debian

The Debian documentation is sparse on how to correctly configure incoming SPF checks in the Debian Exim package.

It is sparse in the sense that it tells you what to install (spf-tools-perl) but it is not clear WHERE to put the very important macro. It only says:

This is provided via the macro CHECK_RCPT_SPF, set it to true.

Fine, but where!?

Answer: you should put this macro at the top of your configuration file (/etc/exim4/exim4.conf.template).

At least I did and put it on line 23. After trying out different places.

Next, you run:
/etc/init.d/exim4 restart

And that’s it. I couldn’t find it anywhere so I put it here.

More on SPF

With this setting, Exim will check your incoming mail for valid SPF records. Because the check was not in place on my server it was possible for spammers to say to my mailserver that they were sending mail on behalf of my mailserver!

This is *not* what you want.

SPF best practices

When configuring this I also found I had a couple of mistakes in my SPF records. instead of *
  1. I had set a SPF record on a wildcard (* subdomain. But this does not work properly. Specify the subdomain, and configure the record.
  2. I was missing a MX record for the subdomain. Also specifically set this.
  3. There was an IPv6 error in my SPF record. A semicolon (of course). There are lots of sites to test your SPF records. Here is a good one and another. They will point out errors.
  4. I use an include in my SPF record. I am still not sure where to put it, but it looks like the best practice is to put it before the IP addresses. Like so:

    v=spf1 mx ip4: ip4: ip6:2001:9e0:8606:8f00::/56 ip6:2a01:4f8:1c1c:79a1::/56 -all
  5. I switched from ~all to -all. To drop all mail that does comply with the SPF record.


me@remoteserver:~# telnet 25
Connected to
Escape character is '^]'.
220 ESMTP Exim 4.92 Sat, 22 Jul 2023 10:17:30 +0200
ehlo Hello remotemachine.test [77.72.*.*]
250-SIZE 52428800
250 HELP
250 OK
550 relay not permitted
550-[SPF] is not allowed to send mail from 
550 Please see;;ip=77.72.*.*

The log on the server looks like this:

2023-07-22 10:18:03 H=remoteserver ( [77.72.*.*] F=<> rejected RCPT relay not permitted
2023-07-22 10:18:29 H=remoteserver ( [77.72.*.*] F=<> rejected RCPT SPF check failed.

1 thought on “Correctly configuring incoming SPF in Exim on Debian”

  1. I found your article after looking for others with no solution and not knowing why after having enabled options for SPF it hadn’t worked but your solution did the trick. Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *