bleggee
asked on
Email SPF Record Use & Syntax questions
I want to use 1 SPF record for a site that will work for Gmail and self-hosted email.
My hosting company gave me this:
v=spf1 +a +mx +ip4:xxx.xxx.xxx.xx3 +ip4:xxx.xxx.xxx.xx4 ~all
AND Google gave me this:
include:_spf.google.com
So making 1 SPF record out of the two, I write as this:
v=spf1 +a +mx +ip4:209.124.75.223 +ip4:209.124.75.224 include:_spf.google.com ~all
IS THIS CORRECT? Note that:
1. The basic SPF syntax checkers tell me that is correct (I start thinking that I am GOOD)
2. The Email Header of an email received by Gmail from the above domain says "SPF Neutral (Google.com: xxx.xxx.xxx.xx3 is neither permitted nor denied by best guess record for domain of info@myexample.com) smtp.mailfrom=info@myexample.com" (Now I am thinking that I am NOT GOOD!)
3. I am also confused as to the difference between using "include" vs. "+include" vs. "ip4:" vs. "+ip4"
Thanks in advance for any help with this !!
- B
ip4 should contain all sending server IPs of the non-Google solution.
Remember you have to allow your DNS TTL to expire before your new record is used.
For a quick check:
MxToolbox SPF checker is a fancy tool to check your SPF record - moreover, it gives detailed explanations on each entry. Make sure you try it!!
SPF reference here (openspf)
+ : Default qualifier. If omitted, the qualifier is +, so
+mx
and
mx
are equivalent.
include:_spf.google.com searches the _spf.google.com domain for allowed SPF senders.
MX is used when you want to specify the IPs of the MX records of the sender domain (allows you to change MXes without changing the SPF RR) - in your case it is probably redundant, but no harm done.
A is used when you want to specify all A RRs of the sender domain. In your case it allows all IPs of your domain to pass SPF validation when sending email. Do your hosts send emails (maybe an internal relay server that needs to send email to the world)? Does any host other than Google's send email on behalf of your domain? Yes, keep it. No, delete it.
To print SPF record of example.com along with associated TTL:
dig TXT example.com | grep spf
~all still means ANY mailserver is allowed as Sender for that domain... and other references need to be used to validate.
-all would mean block any other sender...
MX should be used when the same servers that receive emails are also used to send emails out, which is not the case with Google, I believe.
If mx is specified, it will resolve to an A record, and that A record would be checked for reverse DNS; any failure in resolution may create issues if the records are not configured correctly.
Hence use ip4 with all IPs and included lookups from Google.
Check how the O365 SPF record is constructed.
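
An added example, not from any post in this thread: Python that parses the combined record from the question, applies the default "+" qualifier, and evaluates the ip4, ip6 and all terms for a sender address without making DNS queries. It maps qualifiers to results as RFC 7208 defines them; the function names and the outsider address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress

# RFC 7208: qualifier -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for field in fields[1:]:
        if "=" in field.split(":")[0]:
            continue  # modifier (redirect=, exp=), not a mechanism
        # An omitted qualifier means "+", so "mx" and "+mx" parse identically.
        qualifier, body = (field[0], field[1:]) if field[0] in QUALIFIERS else ("+", field)
        name, _, value = body.partition(":")
        name = name.lower()
        if name.split("/")[0] not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {field}")
        terms.append((qualifier, name, value))
    return terms


def evaluate_offline(record, sender_ip):
    """Evaluate left to right using only ip4, ip6 and all (no DNS queries).

    Returns (result, matched_term, skipped). a, mx, include, exists and ptr
    need DNS and are skipped, so a live check may match earlier than this.
    """
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier], f"{name}:{value}", skipped
        elif name == "all":
            return QUALIFIERS[qualifier], "all", skipped
        else:
            skipped.append(f"{name}:{value}" if value else name)
    return "neutral", None, skipped  # nothing matched and no "all" term


# Combined record as posted in the question above.
RECORD = "v=spf1 +a +mx +ip4:209.124.75.223 +ip4:209.124.75.224 include:_spf.google.com ~all"

if __name__ == "__main__":
    for ip in ("209.124.75.223", "192.0.2.10"):  # second address is a constructed outsider
        print(ip, evaluate_offline(RECORD, ip))
```

The skipped list shows which terms a receiver still has to resolve through DNS; each of those counts toward the limit of 10 lookups per SPF check in RFC 7208.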