Linux Email Postfix SPF – How to Configure DNS SPF Records for Many Subdomains

Tags: email, linux, postfix, spf

I have a domain name, say example.com, and many servers (potentially hundreds), each with a public IP and a subdomain (sub1.example.com, sub2.example.com, etc.).
Each server hosts a Postfix installation. The goal here is to be able to send emails from any server (not to receive emails). There's however no email server attached to the main domain itself (example.com).

Now I'm trying to set up the SPF entries in the DNS, but I'm a bit stuck.
I've tried many combinations but they always end up with an SPF SOFTFAIL when trying to send an email to Gmail. Also, how to work around the limitations on the length of the SPF record with that many servers/IPs is unclear to me.

Adding some more context (even though I've accepted Bob's answer).

The idea is to have a very redundant architecture, where any server can fail and the system as a whole will keep working (at least for email sending). I don't have control over the range of IP addresses: the servers will be provisioned in multiple countries and with multiple providers.
I've tried defining an SPF entry for the main domain name only.

                     600 IN TXT    "v=spf1 mx ~all"

When sending to Gmail I get a SOFTFAIL error for SPF validation, the email being sent from a subdomain (like sub1.domain.com).

I then tried to add the sender IP address in the record:

                      600 IN TXT    "v=spf1 mx ip4:server_ip ~all"

But I end up with the same SOFTFAIL error.
Also tried to add another SPF entry for the subdomain, but as far as I understand, only one SPF entry should be created :-/
I also tried to include: the domain names, with the same result.

Any help or guidance would be appreciated 🙂

Best Answer

Your description of your use case is not complete enough. But if your goal is to send email from *@example.com from any of those servers, then the SPF ptr mechanism is designed precisely for this use case.

You would set up proper reverse DNS 1.2.3.4 → sub1.example.com → 1.2.3.4, for each of the subdomain servers.

Then you would install the following SPF record at the main domain example.com:

v=spf1 ptr -all

That is all.

The advantage of this over other approaches is that it is easy to set up, does not run into lookup limits, and scales to an arbitrary number of subdomain hosts.

The disadvantage is that it is somewhat at odds with the prescriptions of the SPF RFC: RFC 7208 discourages use of the ptr mechanism. However, an argument can be made that the wording there is too severe, and given your use case usage of ptr is acceptable. See also my question 1063826.
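The forward-confirmed reverse DNS check behind the ptr mechanism, and the left-to-right evaluation that turns "mx ~all" into SOFTFAIL when the domain has no MX, as an added example that is not part of the original answer. It runs against a constructed in-memory DNS table (hypothetical hosts and addresses) in place of a real resolver and handles only the mechanisms discussed on this page (ptr, mx, ip4, all).

```python
from ipaddress import ip_address, ip_network

# Constructed DNS snapshot (hypothetical, not real records) so this runs offline.
# 7.7.7.7's reverse record names sub3, but forward DNS does not confirm it.
DNS = {
    "PTR": {"1.2.3.4": ["sub1.example.com."], "7.7.7.7": ["sub3.example.com."]},
    "A": {"sub1.example.com.": ["1.2.3.4"], "sub3.example.com.": ["10.0.0.1"]},
    "MX": {"example.com.": []},  # no inbound mail server, as in the question
}

def lookup(rtype, name):
    return DNS.get(rtype, {}).get(name, [])

def fqdn(domain):
    return domain.lower().rstrip(".") + "."

def ptr_validated_names(ip):
    # RFC 7208 section 5.5: a PTR name counts only if its A record points back
    # at ip (forward-confirmed reverse DNS); at most 10 PTR names are used.
    return [n.lower() for n in lookup("PTR", ip)[:10] if ip in lookup("A", n)]

def ptr_matches(ip, domain):
    d = fqdn(domain)
    return any(n == d or n.endswith("." + d) for n in ptr_validated_names(ip))

def mx_matches(ip, domain):
    return any(ip in lookup("A", mx) for mx in lookup("MX", fqdn(domain)))

def check_spf(record, ip, domain):
    # Mechanisms are tried left to right; the first one that matches decides.
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech == "ptr":
            matched = ptr_matches(ip, domain)
        elif mech == "mx":
            matched = mx_matches(ip, domain)
        elif mech.startswith("ip4:"):
            matched = ip_address(ip) in ip_network(mech[4:], strict=False)
        else:
            raise ValueError("mechanism not handled in this example: " + mech)
        if matched:
            return results[qual]
    return "neutral"  # nothing matched and no "all" term was present
```

Calling check_spf("v=spf1 ptr -all", "1.2.3.4", "example.com") gives pass, while the same record for 7.7.7.7 gives fail: its reverse record claims sub3.example.com, but the forward lookup returns a different address, so the name is discarded before the domain comparison.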
