SPF Records - Interaction with alternative (backup) MX

Hi All,

I have a situation where we have a domain with an SPF record akin to this (using example.com):

v=spf1 mx ip4:333.333.333.333  a:remote.example.com include:cmail1.com -all

The MX records are as follows (actuals except using example.com):

preference:      5
exchange:      remote.example.com

preference:      10
exchange:      aspmx.l.google.com

preference:      20
exchange:      alt1.aspmx.l.google.com

preference:      30
exchange:      aspmx2.googlemail.com

preference:      30
exchange:      aspmx3.googlemail.com

The Google entries are related to the Google Apps for Business account that the business has, so that if the onsite mail server goes down or is otherwise unavailable, correspondents can send email to (one of) the Google Apps for Business MXs, which will accept and hold it until collected, thus providing a backup mail server.

So, if I understand correctly, that means that valid sources of email for example.com are:

1) All sources that appear as an MX in the DNS records of example.com (being remote.example.com plus Google's mail servers as outlined above)

2) Any server with a source IP of 333.333.333.333

3) Any server that is located at remote.example.com

4) Any source that meets the criteria that cmail1.com (a third party provider that sends out newsletters I believe) has in their SPF record (not entirely sure on that)

If an email is being sent from any source that fails to meet one of those four criteria, then it fails, and should be rejected (assuming the recipient server is checking the SPF record).

Question 1 - Have I got the above right?  No points awarded for trivia / terminology, but have I seriously missed or misunderstood anything - point four perhaps?

Question 2 - Should we remove the 'MX' entry from the SPF txt record?  It seems we *should* so that spam cannot be sent out from Google's servers purporting to be from example.com, but passing an SPF check.  On the other hand, if Google have their services set up in such a way that a spammer is unable to spoof the sender's domain when sending out from Google's servers, then having the 'MX' entry in the SPF record should do no harm and it would mean that, in a pinch, the Google Apps account(s) could be used to send out valid email?

Hope that all makes sense, but if not, please do get back to me.


Dave Howe (Software and Hardware Engineer) commented:
1) Yes, you read it correctly :D

2) That makes sense too, but it depends on whether you are using them as an outbound relay, for example webmail. Google are usually good about putting an "on behalf of" in the headers if you send through their servers, but conversely, they give out free mail accounts.  It depends on whether the risk of someone using Google as a spam relay (which is honestly quite low; Google are *very* aggressive about that, and it's pretty hard to hide from them. I would find it easier to hide from the NSA) outweighs the convenience of being able to use webmail via Google to send out mail.
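To make the four criteria listed in the question and the trade-off in the answer above concrete, here is an added example that is not part of the original thread and not code from any of the participants: a minimal SPF evaluator in Python run against a constructed DNS table. The table mirrors the MX list from the question, but the addresses are taken from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) rather than the real hosts' addresses, the cmail1.com record is made up, and the `ip4` term in the working record is a constructed 198.51.100.0/24. It shows that with `mx` present a message from any of the Google MX hosts passes; that removing `mx` makes the same message fail while remote.example.com still passes through `a:`; that `include:` is evaluated by recursively checking the third party's record; and that a term such as the literal `ip4:333.333.333.333` is not a valid IPv4 address, so under RFC 7208 the whole record is a syntax error and evaluates to permerror rather than just "not matching".

```python
import ipaddress

# Constructed DNS data: documentation address ranges stand in for the real hosts,
# and the cmail1.com SPF record is invented for the example.
DNS = {
    "A": {
        "remote.example.com": ["198.51.100.10"],
        "aspmx.l.google.com": ["192.0.2.20"],
        "alt1.aspmx.l.google.com": ["192.0.2.21"],
        "aspmx2.googlemail.com": ["192.0.2.22"],
        "aspmx3.googlemail.com": ["192.0.2.23"],
    },
    "MX": {
        "example.com": [
            "remote.example.com",
            "aspmx.l.google.com",
            "alt1.aspmx.l.google.com",
            "aspmx2.googlemail.com",
            "aspmx3.googlemail.com",
        ],
    },
    "TXT": {
        "example.com": "v=spf1 mx ip4:198.51.100.0/24 a:remote.example.com include:cmail1.com -all",
        "cmail1.com": "v=spf1 ip4:203.0.113.0/24 -all",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=DNS, depth=0):
    """Evaluate the SPF record published by `domain` for a message sent from `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror, mirroring
    the RFC 7208 result set (temperror is not modelled: there is no real DNS here).
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps nested lookups; treat runaway includes as an error
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        try:
            if name == "all":
                matched = True
            elif name == "ip4":
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = str(addr) in dns["A"].get(arg or domain, [])
            elif name == "mx":
                # Every host named in the MX set is an allowed sender: this is what
                # pulls the backup (Google) MX hosts into the sending policy.
                hosts = dns["MX"].get(arg or domain, [])
                matched = any(str(addr) in dns["A"].get(h, []) for h in hosts)
            elif name == "include":
                sub = check_host(ip, arg, dns, depth + 1)
                if sub in ("none", "permerror"):
                    return "permerror"  # RFC 7208: an include of a missing/broken record is an error
                matched = sub == "pass"
            else:
                return "permerror"  # unknown mechanism: syntax error in the record
        except ValueError:
            return "permerror"  # e.g. ip4:333.333.333.333 does not parse as an address
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term


def drop_mechanism(record, name):
    """Return `record` with every term using mechanism `name` removed (e.g. drop "mx")."""
    kept = [t for t in record.split() if t.lstrip("+-~?").partition(":")[0] != name]
    return " ".join(kept)


def with_record(domain, record, dns=DNS):
    """Copy the DNS table with `domain`'s SPF record replaced, leaving the original untouched."""
    return {**dns, "TXT": {**dns["TXT"], domain: record}}


if __name__ == "__main__":
    google_mx = "192.0.2.20"  # constructed address of aspmx.l.google.com
    print("with mx   :", check_host(google_mx, "example.com"))
    trimmed = with_record("example.com", drop_mechanism(DNS["TXT"]["example.com"], "mx"))
    print("without mx:", check_host(google_mx, "example.com", trimmed))
```

Running the block prints `pass` for the Google MX address while `mx` is present and `fail` once it is removed, which is exactly the difference the second question is about: with `mx` in the record, anything sent from a host in the MX set passes regardless of who is sending, so the record's scope is only as tight as the receiving side's outbound controls.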
Alan (Consultant, Author) commented:
Hi Dave,

Thanks for confirming my understanding.
