Email SPF Record Use & Syntax questions

I want to use 1 SPF record for a site that will work for Gmail and self-hosted email.

My hosting company gave me this:
v=spf1 +a +mx +ip4:xxx.xxx.xxx.xx3 +ip4:xxx.xxx.xxx.xx4  ~all

AND Google gave me this:
include:_spf.google.com

So making 1 SPF record out of the two, I write as this:
v=spf1 +a +mx +ip4:209.124.75.223 +ip4:209.124.75.224  include:_spf.google.com ~all

IS THIS CORRECT? Note that:
1. The basic SPF syntax checkers tell me that it is correct (so I start thinking that I am GOOD)
2. The Email Header of an email received by Gmail from the above domain says "SPF Neutral (Google.com: xxx.xxx.xxx.xx3 is neither permitted nor denied by best guess record for domain of info@myexample.com) smtp.mailfrom=info@myexample.com" (Now I am thinking that I am NOT GOOD!)
3. I am also confused as to the difference between using "include" vs. "+include" vs. "ip4:" vs. "+ip4"

Thanks in advance for any help with this !!
- B
bleggee Asked:


Mahesh (Architect) commented:
I believe that you should remove "a" and "mx" and simply keep ip4 and the included lookups for Google.
MX should be used when the same servers receiving emails would also be used to send emails out, which is not the case with Google, I believe.
If mx is specified, it will resolve to an A record, and that A record would be checked for reverse DNS; any failure in resolution may create issues if records are not configured correctly.
Hence use ip4 with all IPs and the included lookups from Google.
Check how the O365 SPF record is constructed.
0
Mahesh (Architect) commented:
Ip4 should contain all sending server IPs of the non-Google solution.
0
Michelangelo (Consultant) commented:
Remember you have to allow your DNS TTL to expire before your new record is used.

For a quick check:
The mxtoolbox SPF checker is a fancy tool to check your SPF record; moreover, it gives detailed explanations on each entry. Make sure you try it!!

SPF reference here (openspf)

+ : Default qualifier; if omitted, it is +, so
+mx
and
mx
are equivalent.

include:_spf.google.com searches the _spf.google.com domain for allowed SPF senders.

MX is used when you want to specify the IPs of the MX records of the sender domain (allows changing MXes without changing the SPF RR); in your case it is probably redundant, but no harm done.

A is used when you want to specify all A RRs of the sender domain. In your case it allows all IPs of your domain to pass SPF validation when sending email. Do your hosts send emails (maybe an internal relay server that needs to send email to the world)? Does any host other than Google's send email on behalf of your domain? Yes, keep it. No, delete it.

To print the SPF record of example.com along with the associated TTL:
dig TXT example.com | grep spf

0

noci (Software Engineer) commented:
+ means ALLOW
- means DISALLOW
~ means test using other means...
a = A record of the domain
mx = the mail receivers of a domain (should only be mentioned if the mail receivers ALSO send the mail).
ipv4 = IPv4 addresses you want to give an honorable mention
include = use also from those records...

So ipv4 = +ipv4 = include this as a positive valid sender for the domain.
-a would mean the A address of the domain may not send mail.
~all means for all others check other means (DKIM, spam checkers...). (This should be the assumption if there is NO SPF record.)
-all would disallow all other addresses. (This should be the ending of the SPF after testing showed it worked.)
+all would be counterproductive: allow anyone to use your domain...
Don't forget about IPv6 addresses...
1

Mal Osborne (Alpha Geek) commented:
The "+" is optional, and usually omitted.

The ~all is not a pass or fail, but rather a "softfail", meaning ignore SPF, it is not really working. It is kind of like a "Beta Fail".

So, given the record you have, you should see a pass for email from something that maps to your domain (A), something that has an MX record for your domain pointing to it (MX), or 209.124.75.223 or 209.124.75.224. Additionally, any IPs in Google's SPF record should manage a pass. Anything else should return a softfail.

The "Neutral" being returned is a bit confusing. This means some mechanism matched a "?" qualifier, but you have none of those in your SPF record, nor does Google's include.

Wikipedia has quite a good "101 level" explanation of how all this works.
https://en.wikipedia.org/wiki/Sender_Policy_Framework
0
Michelangelo (Consultant) commented:
Just to sum up, the comments above are consistent with mine. So why are you seeing the error you describe? Probably because of DNS propagation time. Check again now and let us know the outcome. Should the error persist, use an SPF checker such as the one I posted above to exclude issues other than SPF RR contents.
0
DrDave242 (Senior Support Engineer) commented:
"The Email Header of an email received by Gmail from the above domain says "SPF Neutral (Google.com: xxx.xxx.xxx.xx3 is neither permitted nor denied by best guess record for domain of info@myexample.com) smtp.mailfrom=info@myexample.com" (Now I am thinking that I am NOT GOOD!)"

Something doesn't match up, because the SPF record you posted above will never return a "neutral" result. The ~all mechanism at the end prevents this. Are you sure the SPF record you posted above is actually the one your domain is using?
0
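To make the two points above concrete (point 3 of the question, that "ip4:" and "+ip4:" or "include" and "+include" are the same because the default qualifier is "+", and DrDave242's point that a record ending in "~all" can only end in softfail, never neutral), here is an added example that is not from anyone in this thread: a minimal offline SPF evaluator. DNS answers come from a constructed lookup table, and every IP and hostname other than the record from the question is a constructed sample value (the Google include is a placeholder, not Google's real record).

```python
import ipaddress

# Constructed stand-in for DNS (no network access): TXT, A and MX answers per name.
# The TXT for myexample.com is the record from the question; the rest is made up.
DNS = {
    "myexample.com": {
        "TXT": "v=spf1 +a +mx +ip4:209.124.75.223 +ip4:209.124.75.224 include:_spf.google.com ~all",
        "A": ["203.0.113.10"],
        "MX": ["mail.myexample.com"],
    },
    "mail.myexample.com": {"A": ["203.0.113.20"]},
    # Google's real record is far larger; this is a constructed placeholder.
    "_spf.google.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all"},
    # Constructed domain showing that "+include" behaves exactly like "include".
    "alt.example": {"TXT": "v=spf1 +include:_spf.google.com -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip):
    """Evaluate sender_ip against domain's SPF record: pass/fail/softfail/neutral/none."""
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"  # no record at all: the receiver falls back to a "best guess"
    for term in record.split()[1:]:
        qual = "+"  # default qualifier: "ip4:x" and "+ip4:x" are the same thing
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain  # "a" / "mx" with no argument refer to the domain itself
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ipaddress.ip_address(sender_ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in DNS.get(target, {}).get("A", [])
        elif name == "mx":
            mx_hosts = DNS.get(target, {}).get("MX", [])
            matched = any(sender_ip in DNS.get(h, {}).get("A", []) for h in mx_hosts)
        elif name == "include":
            matched = check_spf(arg, sender_ip) == "pass"  # only a "pass" inside matches
        else:
            matched = False  # unknown mechanism: ignored here (a real checker returns permerror)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # fell off the end with no "all" term
```

The only way this evaluator yields "neutral" for myexample.com is if the published record differs from the one posted, which is exactly what the "best guess record" wording in the Gmail header suggests.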
noci (Software Engineer) commented:
~all still means ANY mailserver is allowed as Sender for that domain... and other references need to be used to validate.
-all would mean block any other sender...
0