<div>
Should be fine given the information provided.
</div>


<div>
No you should be fine with your plan based on your comments. There should be no conflicts an no changes are required to made on the Exchange server for SPF records. Also you can test the spf to make sure its syntax is valid at the below link:<br />
<br />
<a href="http://www.kitterman.com/spf/validate.html" rel="ugc">http://www.kitterman.com/spf/validate.html</a>
</div>


<div>
if the IP addres is in the MX record then don;t mention the IP ... or not mention MX. There is a lookup limit of max. 10 lookups per check.<br />
<br />
as far as I can tell google uses: _spf.google.com<br />
what is the domain used in the mail: &nbsp; school.fj or mail.aaa.com or aaa.com...<br />
or mail.aaa.school.fj.<br />
the spf record should be a txt &nbsp;in the domain used in the mail addresses.
</div>


<div>
Google support has provided the aspmx.l.google.com as the gsuite mail servers. Should the format change<br />
<br />
include:aspmx.l.google.com<wbr /><br />
<br />
The above says that google is allowed to send email on my domain as well if i am right. or will it be _spf.google.com<br />
<br />
Seeking clarification<br />
<br />
I want to allow<br />
<br />
First domain mail.aaa.com &nbsp;public Ip 5.6.7.8 to be able to send &nbsp;to and from Second domain mail.bbb.com public Ip 1.2.3.4 and vice versa
</div>


<div>
dig txt aspmx.l.google.com &nbsp;<br />
fails to provide any spf info record. <br />
<br />
include tells the tool that is looking up an spf record, to also consider the txt records on that name. (compare it to <br />

<pre><code class="code-10 nolinks" id="code-20-42473082-1"><span>$ dig txt _spf.google.com</span>
<span>;; OPT PSEUDOSECTION:</span>
<span>; EDNS: version: 0, flags:; udp: 4096</span>
<span>; COOKIE: 31a28e169f602ca204f3eafd5a896252a28ef6ee0ca1816f (good)</span>
<span>;; QUESTION SECTION:</span>
<span>;_spf.google.com.               IN      TXT</span>
<span></span>
<span>;; ANSWER SECTION:</span>
<span>_spf.google.com.        187     IN      TXT     &quot;v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all&quot;</span>
<span></span>
<span>;; AUTHORITY SECTION:</span>
</code></pre>
and then the same for the netblocks....<br />
<br />
if mail addresses are: blahblah@mail.aaa.com and boehboeh@mail.bbb.com<br />
mail.aaa.com &nbsp; &nbsp; &nbsp; TXT &nbsp;&quot;v=spf1 ip4:5.6.7.8 include:&lt;google-record&gt; ~all&quot;<br />
mail.bbb.com &nbsp; &nbsp; &nbsp; TXT &nbsp;&quot;v=spf1 ip4:1.2.3.4 include:&lt;google-record&gt; ~all&quot;<br />
<br />
if mail addresses are: whoever@whatever.example.c<wbr />om then SPF is:<br />
whatever.example.com &nbsp;TXT &quot;v=spf1 ip4:5.6.7.8 ip4:1.2.3.4 include:&lt;google-record&gt; ~all&quot;
</div>


<div>
<blockquote>
I want to allow<br />
<br />
First domain mail.aaa.com &nbsp;public Ip 5.6.7.8 to be able to send &nbsp;to and from Second domain mail.bbb.com public Ip 1.2.3.4 and vice versa 
</blockquote>
<br />
mail.aaa.school.fj. IN TXT &quot;v=spf1 ip4:5.6.7.8 ip4:1.2.3.4 a:mail.aaa.school.fj a:mail.bbb.school.fj include:aspmx.l.google.com<wbr /> -all&quot;<br />
mail.bbb.com IN TXT &quot;v=spf1 redirect=mail.aaa.school.f<wbr />j&quot;<br />
<br />
if mail.xxx.school.fj point to the above mentioned ips, you can either remove them or remove the ips. you don't need both<br />
don't use &quot;a&quot; alone when you use includes or redirections<br />
<br />
you may also need to change the google part as per above recommendations<br />
<br />
you can also copy-paste the record for aaa in bbb or setup a 3rd record and redirect both aaa and bbb to that record. it's mostly a matter of what you're more comfortable to maintain
</div>


<div>
It makes no sense to include extra lookups that give the same result: &nbsp;if ip of mail.aaa.com = 5.6.7.8 then &nbsp; including both ip4:5.6.7.8 a:mail.aaa.com &nbsp;is doing the SAME check twice at the expense of an extra lookup. &nbsp;Unless you doubt mathematics this makes no sense.<br />
If you doubt mathematics then using ICT at all makes no sense.<br />
<br />
Bottom line of SPF is that the IP address of the mail-sender can be linked to the domain name mentioned in the SENDER's address.<br />
so a lookup by the receipient system of a mail sent by whoever@whatever.example.c<wbr />om leads to a TXT lookup of whatever.example.com<br />
If in the collection there is a RR starting with &quot;v=spf1&quot; then te remainder of that record is considered a send policy framework description.<br />
<br />
This is disected to find if the sending system is a known sender for this domain, if the IP address is in the list the mail is acceptable. depending on - + of ~ prefix.<br />
Unusual: is &nbsp;-ip4 or -ip6..., or +all (the latter is an invite for backscatter spam or for your addresses being used as senders in spam).<br />
no records is to be taken as ~all &nbsp; (decide on other checks).<br />
<br />
lookups are limited to 10 requests: every mx, a, ptr, include, redirect is an extra lookup.
</div>


<div>
Thanks everyone<br />
<br />
is the following ok now<br />
For aaa.com (my google domain emails that go to my exchange server first)<br />
mail.aaa.school.fj. IN TXT &quot;v=spf1 mx a ip4:1.2.3.4 &nbsp;include:_spf.google.com ~all&quot;<br />
<br />
Please clarify. As per google Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all<br />
<br />
Publishing an SPF record that uses -all instead of ~all provides stricter security, but may result in delivery problems. See Google IP address ranges for details about the addresses for the G Suite mail servers. <a href="https://support.google.com/a/answer/178723?hl=en&ref_topic=2759192" rel="ugc nofollow">https://support.google.com/a/answer/178723?hl=en&ref_topic=2759192</a><br />
<br />
Should i use - or ~ Google says to use ~ where as the above discussions say otherwise<br />
<br />
For bbb.com public Ip 5.6.7.8 (emails hosted on my exchange server)<br />
mail.bbb.com IN TXT &quot;v=spf1 redirect=mail.aaa.school.f<wbr />j&quot;
</div>


<div>
that depends...., what will be the email address used as sender:.....<br />
<br />
so your email addresses are: &nbsp; &nbsp; someuser@mail.aaa.school.f<wbr />j<br />
and someotheruser@mail.bbb.com<wbr />?<br />
<br />
because those are the domains that you created the above SPF records for,,,, (note that hostnames are irrelevant for SPF, it is about sender mail addresses).
</div>


<div>
following noci and assuming you want records for xxx.com and not mail.xxx.com<br />
<br />
if you want mail.bbb.com to work properly, you should use a:mail.bbb.com in the record rather than a or mx. the interpretation of &quot;a&quot; or &quot;mx&quot; is not reliable with redirects and additionally difficult to maintain.<br />
<br />
adding &quot;mx&quot; is useless since mail.xxx.com is most likely your mx anyway and is already stated<br />
<br />
adding &quot;a&quot; most likely the ips of xxx.com rather than mail.xxx.com to be able to send email. is that what you want ?<br />
<br />
you do not mention 5.6.7.8 nor mail.bbb.com so you did not allow the second server<br />
<br />
ending in ~all rather than -all instructs remote servers to soft bounce ( rely with 4xx, please retry later ) any email that does not validate the spf record properly rather than a &nbsp;( 5xx trash the email and send a dsn ). anyway most servers will do whatever they want including but not limited to trash any non matching email without bothering to warn the sender and rely with 4xx anyway. bottom line is don't get mixed up in the configuration but don't bother too much about - or ~. ~ is a bit safer during the adjustment phase.
</div>


<div>
Hi Everyone <br />
<br />
What is the best practice when it comes to specifying spf records for multiple as well as single domains as we own 2 domains one of which is google but mails get delivered to us first then it goes to google<br />
<br />
Can someone please provide an example so that i can use that to make my own SPF record<br />
<br />
I am getting confused with conflicting solutions
</div>


<div>
best practice for a single server hosting multiple domains is to setup a single spf field on a separate domain and redirect/include that record in &nbsp;all other hosted domains' spf records<br />
<br />
best practice for more complex setups is dependant on each use case<br />
<br />
if you have a separate domain available such as one specific to mail.xxx you probably should set ta record in this domain and include/require it in other records<br />
<br />
if you don't and/or mail.xxx is the mx record of each domain, you may consider setting up &quot;mx&quot; in each of the hosted domain, and add whatever is google-specific to whichever domain has a google-specific setup and don't bother with includes<br />
<br />
bottom line is you need to make a choice between multiple working setups based on whichever seems easiest to maintain. don't expect anything to be perfect and leave documentation ( if possible in the zone files ) for future admins
</div>


<div>
Does this seem ok<br />
v=spf1 include:_spf.google.com include:mail.aaa.school.fj<wbr /> ~all ---&gt;for the google one<br />
<br />
v=spf1 redirect=mail.bbb.school.f<wbr />j--&gt;for the other domain<br />
<br />
please confirm
</div>


<div>
is the include:mail.aaa.school.fj<wbr /> &nbsp; &nbsp; a txt v=spf1 record? &nbsp;if yes the ok, if NO well eh... no.<br />
is mail.bbb.school.fj an v=spf1 &nbsp;txt record? like previous....<br />
<br />
I get more and more confused about what you attempt to do.... Please checkout the accepted solution there all 4 possible base cases are mentioned. &nbsp;(singe/multiple domains from single/multiple servers).
</div>


<div>
<div class="content wysiwyg-content">
Hi All<br />
<br />
I have 2 domains for which i want to setup spf record. both are on different public IPs. I am sending emails from both domains via one exchange server 2010<br />
<br />
First domain mail.aaa.com &nbsp;public Ip 5.6.7.8<br />
Second domain mail.bbb.com public Ip 1.2.3.4<br />
For aaa.com<br />
mail.aaa.school.fj. IN TXT &quot;v=spf1 mx a ip4:1.2.3.4 a:mail.bbb.school.fj &nbsp;include:aspmx.l.google.com<wbr /> -all&quot;<br />
<br />
For bbb.com public Ip 5.6.7.8<br />
mail.bbb.com IN TXT &quot;v=spf1 mx a ip4:5.6.7.8 a:mail.aaa.school.fj -all&quot;<br />
<br />
Will this cause any conflicts or is it correct?<br />
<br />
Do i need to make any changes on my exchange 2010 server after the above record is published by ISP?
</div>
</div>


Hi All

I have 2 domains for which i want to setup spf record. both are on different public IPs. I am sending emails from both domains via one exchange server 2010

First domain mail.aaa.com  public Ip 5.6.7.8
Second domain mail.bbb.com public Ip 1.2.3.4
For aaa.com
mail.aaa.school.fj. IN TXT "v=spf1 mx a ip4:1.2.3.4 a:mail.bbb.school.fj  include:aspmx.l.google.com -all"

For bbb.com public Ip 5.6.7.8
mail.bbb.com IN TXT "v=spf1 mx a ip4:5.6.7.8 a:mail.aaa.school.fj -all"

Will this cause any conflicts or is it correct?

Do i need to make any changes on my exchange 2010 server after the above record is published by ISP?

SPF record for 2 domains using one exchange server

Public DNS

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Exchange

Various techniques are used to prevent email spam (unsolicited bulk email). No technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email (false positives) vs. not rejecting all spam (false negatives) - and the associated costs in time and effort. Anti-spam techniques can be broken into four broad categories: those that require actions by individuals, those that can be automated by email administrators, those that can be automated by email senders and those employed by researchers and law enforcement officials.

AntiSpam

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

The Domain Name System (DNS) is a hierarchical, globally distributed system responsible for associating the name of a computer, service or other resource into an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names to the numerical IP addresses needed for the purpose of computer services and devices worldwide.