I have a situation where we have a domain with an SPF record akin to this (using example.com):
v=spf1 mx ip4:333.333.333.333 a:remote.example.com include:cmail1.com -all
The MX records are as follows (actuals except using example.com):
The Google entries are related to the Google Apps for Business account that the business has, so that if the onsite mail server goes down or is otherwise unavailable, correspondents can send email to (one of) the Google Apps for Business MXs, which will accept and hold it until collected, thus providing a backup mail server.
So, if I understand correctly, that means that valid sources of email for example.com are:
1) All sources that appear as an MX in the DNS records of example.com (being remote.example.com plus Google's mail servers as outlined above)
2) Any server with a source IP of 333.333.333.333
3) Any server that is located at remote.example.com
4) Any source that meets the criteria that cmail1.com (a third party provider that sends out newsletters I believe) has in their SPF record (not entirely sure on that)
If an email is being sent from any source that fails to meet one of those four criteria, then it fails, and should be rejected (assuming the recipient server is checking the SPF record).
Question 1 - Have I got the above right? No points awarded for trivia / terminology, but have I seriously missed or misunderstood anything - point four perhaps?
Question 2 - Should we remove the 'MX' entry from the SPF txt record? It seems we *should* so that spam cannot be sent out from Google's servers purporting to be from example.com, but passing an SPF check. On the other hand, if Google have their services set up in such a way that a spammer is unable to spoof the sender's domain when sending out from Google's servers, then having the 'MX' entry in the SPF record should do no harm and it would mean that, in a pinch, the Google Apps account(s) could be used to send out valid email?
Hope that all makes sense, but if not, please do get back to me.
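To make the evaluation described in the question concrete, here is an added worked example (not part of the original post) that walks an SPF record through its mechanisms in order the way a receiving server's check_host does. All DNS data is constructed and embedded inline: the MX, A and TXT records for example.com, remote.example.com, a stand-in Google MX host and cmail1.com are assumptions, not real lookups, and because 333.333.333.333 is not a parseable IPv4 address the record uses the documentation-range address 203.0.113.10 in its place. It also shows the effect of dropping `mx` from the record, which is the change question 2 asks about.

```python
import ipaddress

# Constructed DNS data (assumption: none of these are real records for
# example.com, cmail1.com or Google; addresses are from documentation ranges).
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.10 a:remote.example.com include:cmail1.com -all"],
        "MX": ["remote.example.com", "aspmx.l.google.com"],
    },
    "remote.example.com": {"A": ["203.0.113.10"]},
    "aspmx.l.google.com": {"A": ["198.51.100.20"]},   # stand-in for a Google Apps MX
    "cmail1.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve a record type from the constructed DNS table (empty list if absent)."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def get_spf(domain):
    """Return the first TXT record that is an SPF version 1 record, or None."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in(ip, cidr):
    """True if ip falls inside cidr; a bare address is treated as a /32."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, record=None, depth=0):
    """Simplified RFC 7208 check_host: evaluate mechanisms left to right and
    return (result, matching_term). `record` overrides the DNS lookup so that
    alternative records can be tried without editing the table. Macros,
    exp=, redirect= and per-mechanism CIDR suffixes are not implemented."""
    if depth > 10:
        return ("permerror", "too many nested includes")
    if record is None:
        record = get_spf(domain)
    if record is None:
        return ("none", None)
    for raw in record.split()[1:]:
        qualifier, term = "+", raw
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = ip in lookup(arg or domain, "A")
        elif name == "mx":
            # Every host listed as an MX for the domain is an authorised sender.
            matched = any(ip in lookup(host, "A") for host in lookup(arg or domain, "MX"))
        elif name == "include":
            sub_result, _ = check_host(ip, arg, depth=depth + 1)
            if sub_result == "none":
                return ("permerror", raw)   # included domain has no SPF record
            matched = sub_result == "pass"
        if matched:
            return (QUALIFIER_RESULT[qualifier], raw)
    return ("neutral", None)   # record exhausted without an explicit all


# The same record with the mx mechanism removed (question 2).
RECORD_WITHOUT_MX = "v=spf1 ip4:203.0.113.10 a:remote.example.com include:cmail1.com -all"

if __name__ == "__main__":
    for sender in ["203.0.113.10", "198.51.100.20", "192.0.2.55", "198.51.100.99"]:
        print(sender, "with mx:", check_host(sender, "example.com"),
              "without mx:", check_host(sender, "example.com", record=RECORD_WITHOUT_MX))
```

Running it shows that with `mx` present, mail from the Google MX address passes via the `mx` mechanism, and that the only thing stopping the same address after `mx` is removed is the trailing `-all`; the on-site server still passes either way because `ip4:` and `a:` cover it independently.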