Adding an SPF record for a 3rd party, but don't have one for our own domain


We have a 3rd party service sending some email on our behalf. They are using our domain name in their outgoing emails. They have requested we configure an SPF record for them.

We do not currently have an SPF record defined for our own domain, which is the same one the 3rd party is "spoofing".

My concern is that if we add a record for a 3rd party without defining our own as well that mail originating from our servers could be rejected.

Is my concern valid?

Best Answer

If you have no SPF record then receivers will generally fail safe and accept your email (although that's starting to change). As soon as you provide an SPF record you must include all legitimate mail senders, because otherwise the ones not listed could be treated as possible forgery sources.

Strictly speaking, you can include ~all or ?all and avoid listing all your mail senders, but if you do that you won't get any benefit from the SPF record other than for testing that it's otherwise accurate.

Ideally your third parties will already have a generic SPF record and you can just add the include:spf.thirdparty.dom element to your record. If they don't, you might well want to create your own record for them and chain it yourself anyway, so that it's easy for you to manage administratively.

For example, if you are contoso.com:

thirdparty1.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
thirdparty2.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
spf.contoso.com txt 'v=spf1 ... -all'             # list your mail senders
contoso.com txt 'v=spf1 include:spf.contoso.com include:thirdparty1.spf.contoso.com include:thirdparty2.spf.contoso.com -all'

Some useful resources:
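To make the answer's point concrete, here is an added example (not part of the original question or answer) of a small SPF evaluator run against a constructed, in-memory zone instead of real DNS. It shows the three cases the thread discusses: no record at all yields "none" (receivers typically accept), a record that lists only the third party with -all makes your own servers "fail", and the chained include layout from the answer passes both your servers and the third party's. The zone names, IP ranges and the helper names (ZONE, check_host) are assumptions for illustration; the evaluator implements only ip4, ip6, include and all, which is enough for records of the shape shown above.

```python
import ipaddress

# Constructed zone data (stand-in for DNS TXT lookups; none of these are real records).
ZONE = {
    # The chained layout from the answer: own senders and each third party in their own record.
    "contoso.com": "v=spf1 include:spf.contoso.com include:thirdparty1.spf.contoso.com -all",
    "spf.contoso.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all",
    "thirdparty1.spf.contoso.com": "v=spf1 ip4:198.51.100.0/24 -all",
    # The situation the question worries about: only the third party listed, own servers omitted.
    "onlythirdparty.example": "v=spf1 include:thirdparty1.spf.contoso.com -all",
    # Same omission but with ~all, as the answer mentions: softfail instead of fail.
    "softonly.example": "v=spf1 include:thirdparty1.spf.contoso.com ~all",
    # A record that includes itself, to show the DNS lookup limit being enforced.
    "loop.example": "v=spf1 include:loop.example -all",
}

# RFC 7208 section 4.6.4 caps DNS-querying mechanisms (include among them) at 10 per check.
MAX_LOOKUPS = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, zone):
    """Stand-in for a DNS TXT query; returns None when the name has no SPF record."""
    return zone.get(name.lower())


def check_host(ip, domain, zone, _lookups=None):
    """Evaluate SPF for a message from `ip` claiming to be from `domain`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across the include chain
    record = lookup_txt(domain, zone)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, zone, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                # Including a domain without a record is a permanent error (RFC 7208 section 5.2).
                return "permerror"
            continue  # fail/softfail/neutral from an include: keep evaluating
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # mechanism this simplified evaluator does not implement
    return "neutral"  # no term matched and no "all" present (RFC 7208 section 4.7)


if __name__ == "__main__":
    own_server, third_party, stranger = "203.0.113.10", "198.51.100.7", "192.0.2.5"
    for domain in ("nospf.example", "onlythirdparty.example", "softonly.example", "contoso.com"):
        print(domain, {ip: check_host(ip, domain, ZONE) for ip in (own_server, third_party, stranger)})
```

Running the block prints, for each constructed domain, the result your own server, the third party and an unrelated host would get. The "onlythirdparty.example" line is the answer to the question: once any -all record exists, mail from a server you forgot to list evaluates to "fail", whereas with no record at all it evaluates to "none".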