{v=spf1 exists:%{i}._spf.mta.salesforce.com -all}

I'm trying to find more info on the SPF record for spf.salesforce.com.  It is in a format I'm not familiar with:

PS C:\Users\jason.crawford> Resolve-DnsName -Name _spf.salesforce.com -Server -Type txt

Name                                     Type   TTL   Section    Strings
----                                     ----   ---   -------    -------
_spf.salesforce.com                      TXT    2982  Answer     {v=spf1
                                                                 exists:%{i}._spf.mta.salesforce.com -all}

Jason Crawford (Transport Ninja) asked:

Tom Cieslik (IT Engineer) commented:
        "v=spf1 include:_spf.google.com include:_spf.salesforce.com  include:spf.mandrillapp.com exists:%{i}._spf.corp.salesforce.com ~all"


I believe you're asking about

This is one of the types that define a verification mechanism:

ip4 - use IP Version 4 addresses, for example, for verification
ip6 - use IP Version 6 addresses for verification, for example, 2001:db8::10 for verification
a - use DNS A RRs for verification
mx - use DNS MX RRs for verification
ptr - use DNS PTR RRs for verification
exists - test for existence of domain

The existence (any valid A RR) of the specified domain allows the test to pass. Domain may use macro-expansion features.

Note: RFC 7208 Appendix C suggests a method by which the exists sender mechanism (in conjunction with a macro expansion) may be used to log DNS queries for every mail transaction and which may help in diagnosing SPF problems. While this indeed may be the case, it also may, depending on the mail volume being sent, generate significant DNS loads. Your choice.

You can read more here:
DrDave242 (Principal Support Engineer) commented:
The %{i} macro resolves (expands? whatever the right word is...) to the IP address of the server attempting to send a message, so if the sending server's IP address is, then %{i}._spf.mta.salesforce.com would be If a DNS record of that name exists, the SPF check passes.

Seems like a convoluted way to do it, but if it works, it works, and I assume Salesforce knows what they're doing.
Jason Crawford (Transport Ninja, author) commented:
@Tom - thank you that helps.  I see %{i} denotes the following:

"sender-ip The IP of SMTP server sending mail for user, say, info@example.com"

That's a little vague.  Our email domain includes _spf.salesforce.com as a TXT record.  If I query the TXT value for _spf.salesforce.com, I see it resolves to {v=spf1 exists:%{i}._spf.mta.salesforce.com -all}.  Given the information I'm working with, what IP or CIDR range can I resolve this down to?
Jason Crawford (Transport Ninja, author) commented:
@DrDave - Yes I assume an organization as large as SF is getting it right as well which is why I want to fully understand what is happening.  In my example, I would actually need to gather an email sent by SF to gather the sending IP which I could then plug into <IP>._spf.mta.salesforce.com, correct?  Would this be an A record?  PTR maybe?
DrDave242 (Principal Support Engineer) commented:
"In my example, I would actually need to gather an email sent by SF to gather the sending IP which I could then plug into <IP>._spf.mta.salesforce.com, correct?  Would this be an A record?  PTR maybe?"

That's correct. If I understand the exists mechanism correctly, it'll be an A record.
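
The exists evaluation discussed in this thread, as an added Python example that is not part of the original posts: it expands %{i} (and %{d}, with the optional reverse and digit transformers) as RFC 7208 defines and then tests for an A record. The resolver fake_lookup and the FAKE_ZONE entry are constructed stand-ins using documentation addresses, not real Salesforce DNS data.

```python
import ipaddress
import re

# Macro syntax from RFC 7208 section 7.1, limited to the letters handled here.
# Any other macro letter is left unexpanded by this sketch.
_MACRO = re.compile(r"%\{([id])([1-9]\d*)?(r?)\}")


def expand_i(ip: str) -> str:
    """Value of %{i}: dotted quad for IPv4, 32 dot-separated nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand(domain_spec: str, ip: str, domain: str) -> str:
    """Expand %{i} and %{d}; 'r' reverses the labels, digits keep the rightmost N."""
    def repl(m):
        letter, digits, rev = m.groups()
        parts = (expand_i(ip) if letter == "i" else domain).split(".")
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)
    return _MACRO.sub(repl, domain_spec)


def check_exists(domain_spec, ip, domain, lookup_a):
    """Evaluate one exists: term; lookup_a(name) returns a list of A records.

    The lookup is for A records even when the sender is IPv6
    (RFC 7208 section 5.7). Any answer at all counts as a match.
    """
    name = expand(domain_spec, ip, domain)
    return name, bool(lookup_a(name))


# Constructed zone data standing in for real DNS answers.
FAKE_ZONE = {"192.0.2.10._spf.mta.salesforce.com": ["127.0.0.2"]}


def fake_lookup(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    spec = "%{i}._spf.mta.salesforce.com"  # domain-spec from the record above
    for sender in ("192.0.2.10", "198.51.100.7", "2001:db8::10"):
        print(sender, check_exists(spec, sender, "salesforce.com", fake_lookup))
```

Because the match is a per-address lookup, the TXT value alone cannot be reduced to a CIDR list; replacing fake_lookup with a real A-record query tests one candidate sending IP at a time.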

Jason Crawford (Transport Ninja, author) commented:
Thank you both.
noci (Software Engineer) commented:
The %{i} will cause a lot fewer addresses that need to be mentioned in includes (there are a limited number of includes).
Apparently Salesforce has a lot of addresses that cannot easily be captured in a few network ranges.