SPF Records - Interaction with alternative (backup) MX

Hi All,

I have a situation where we have a domain with an SPF record akin to this (using example.com):

v=spf1 mx ip4:333.333.333.333  a:remote.example.com include:cmail1.com -all

The MX records are as follows (actuals except using example.com):

preference:      5
exchange:      remote.example.com

preference:      10
exchange:      aspmx.l.google.com

preference:      20
exchange:      alt1.aspmx.l.google.com

preference:      30
exchange:      aspmx2.googlemail.com

preference:      30
exchange:      aspmx3.googlemail.com


The Google entries are related to the Google Apps for Business account that the business has, so that if the onsite mail server goes down or is otherwise unavailable, correspondents can send email to (one of) the Google Apps for Business MXs, which will accept and hold it until collected, thus providing a backup mail server.


So, if I understand correctly, that means that valid sources of email for example.com are:

1) All sources that appear as an MX in the DNS records of example.com (being remote.example.com plus Google's mail servers as outlined above)

2) Any server with a source IP of 333.333.333.333

3) Any server that is located at remote.example.com

4) Any source that meets the criteria that cmail1.com (a third party provider that sends out newsletters I believe) has in their SPF record (not entirely sure on that)


If an email is being sent from any source that fails to meet one of those four criteria, then it fails, and should be rejected (assuming the recipient server is checking the SPF record).


Question 1 - Have I got the above right?  No points awarded for trivia / terminology, but have I seriously missed or misunderstood anything - point four perhaps?

Question 2 - Should we remove the 'MX' entry from the SPF txt record?  It seems we *should* so that spam cannot be sent out from Google's servers purporting to be from example.com, but passing an SPF check.  On the other hand, if Google have their services set up in such a way that a spammer is unable to spoof the sender's domain when sending out from Google's servers, then having the 'MX' entry in the SPF record should do no harm and it would mean that, in a pinch, the Google Apps account(s) could be used to send out valid email?


Hope that all makes sense, but if not, please do get back to me.

Thanks,

Alan.
Asked by Alan (Consultant)
Dave Howe (Software and Hardware Engineer) commented:
1) Yes, you read it correctly :D

2) That makes sense too, but it depends on if you are using them as outbound relay, for example webmail. Google are usually good about putting an "on behalf of" in the headers if you send through their servers, but conversely, they give out free mail accounts.  Depends on if the risk of someone using Google as a spam relay (which is honestly quite low; Google are *very* aggressive about that, and it's pretty hard to hide from them. I would find it easier to hide from the NSA) outweighs the convenience of being able to use webmail via Google to send out mail.
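As an added example (not code from the post, from Google or from Experts Exchange), a small SPF evaluator run over a constructed, offline DNS table mirroring the records above; the host addresses, the ip4 value (standing in for the post's 333.x placeholder) and cmail1.com's own record are assumptions. It shows that "mx" authorises every MX host, including the Google backup MXs, and what changes for those hosts once that mechanism is dropped (question 2).

```python
import ipaddress

# Constructed, offline DNS table standing in for real lookups. Addresses are
# documentation ranges (hypothetical); the ip4 term replaces the post's 333.x.
DNS = {
    "MX": {"example.com": ["remote.example.com", "aspmx.l.google.com",
                           "alt1.aspmx.l.google.com", "aspmx2.googlemail.com",
                           "aspmx3.googlemail.com"]},
    "A": {"remote.example.com": ["198.51.100.10"], "aspmx.l.google.com": ["192.0.2.20"],
          "alt1.aspmx.l.google.com": ["192.0.2.21"], "aspmx2.googlemail.com": ["192.0.2.22"],
          "aspmx3.googlemail.com": ["192.0.2.23"]},
    "TXT": {"example.com": "v=spf1 mx ip4:203.0.113.9 a:remote.example.com "
                           "include:cmail1.com -all",
            "cmail1.com": "v=spf1 ip4:203.0.113.0/24 -all"},   # assumed third-party record
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, dns=DNS, depth=0):
    """Evaluate the domain's SPF record for a source IP: pass/fail/softfail/neutral/none."""
    if depth > 10:          # bound include recursion (RFC 7208 also caps DNS lookups)
        return "permerror"
    record = dns["TXT"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain          # "a"/"mx" without an argument mean the sender domain
        matched = (
            name == "all"
            or (name == "ip4" and addr in ipaddress.ip_network(arg, strict=False))
            or (name == "a" and ip in dns["A"].get(target, []))
            or (name == "mx" and any(ip in dns["A"].get(h, []) for h in dns["MX"].get(target, [])))
            or (name == "include" and check_spf(arg, ip, dns, depth + 1) == "pass")
        )
        if matched:
            return RESULT[qual]
    return "neutral"                    # nothing matched and no explicit "all" term

def dns_without_mx(dns=DNS):
    """Same table with the 'mx' mechanism dropped from example.com's record (question 2)."""
    copy = {k: dict(v) for k, v in dns.items()}
    copy["TXT"]["example.com"] = copy["TXT"]["example.com"].replace("v=spf1 mx ", "v=spf1 ", 1)
    return copy

if __name__ == "__main__":
    for ip in ("198.51.100.10", "192.0.2.21", "203.0.113.77", "192.0.2.99"):
        print(ip, check_spf("example.com", ip), check_spf("example.com", ip, dns_without_mx()))
```

With the record as posted, a Google backup MX address passes purely through "mx"; with that mechanism removed it fails, while the onsite server still passes via a:remote.example.com and the newsletter range via include:cmail1.com.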
Alan (Consultant, Author) commented:
Hi Dave,

Thanks for confirming my understanding.

Alan.