DNS zone file SPF configuration to support sending mail from multiple servers and gmail

Tags: domain-name-system, email, gmail, smtp, spf

I want to configure SPF on a domain to allow mail to be sent from:

  • the x.com website server (x.com and www.x.com – both at same IP)
  • its MX servers (smtp.x.com, mx.x.com, mail.x.com)
  • another server that isn't listed as an MX server (somehost.x.com)
  • via gmail using an account that has authenticated use of something@x.com

Will this zone file work? If not, what are the problems with it?

$ttl 38400
@           IN      SOA     ns1.x.com. hostmaster.x.com.  (
                                      201003092 ; serial
                                      8H    ; refresh
                                      15M   ; retry
                                      1W    ; expire
                                      1H )  ; minimum
@           NS  ns1.x.com.
@           NS  ns2.x.com.

@           MX  10 mx.x.com.
@           MX  20 smtp.x.com.
@           MX  30 mailhost.x.com.

; SPF records
@          IN      TXT "v=spf1 a mx a:somehost.x.com include:_spf.google.com ~all"
mx         IN      TXT "v=spf1 a -all"
smtp       IN      TXT "v=spf1 a -all"
mailhost   IN      TXT "v=spf1 a -all"

Questions:

  1. Is _spf.google.com the right thing to include for gmail.com, or is it only for Google Hosted Apps? If only for Google Apps, what should I include to send from gmail.com?
  2. If mail shouldn't be sent from anywhere else, is it safe to use -all instead of ~all?
  3. Does it make sense to add specific SPF records for each of the mail servers?
  4. Any other problems with the zone file?

I want to confirm these things before making changes to my zone file. The file has SPF configured basically the same now, just without google.com and somehost, but I want to make sure I won't break things when I change it.

Best Answer

Check out the wizard on openspf.org to help you write the correct SPF settings: http://old.openspf.org/wizard.html?mydomain=x.com

Aside from that, your SPF settings look fine to me for this use.

You are correct to include an SPF record for each of the MX hosts too. These are used in case email is bounced with a null address (in the SMTP protocol), then SPF falls back on using the sending server's address.

If you're certain that no other servers may send mail for your domain, then you should use -all. Of course, this means that any email sent from other servers may be rejected, if there turn out to be some!
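To see how a receiving server would actually evaluate the records from the question, here is an added example (not from the question, the answer, or any SPF library): a minimal offline SPF evaluator that walks the a, mx, a:somehost.x.com and include: mechanisms against a constructed DNS table. The IP addresses and the _spf.google.com record are stand-ins I made up for the example, not Google's real netblocks.

```python
# Added example: minimal SPF evaluator over the zone from the question.
# DNS answers are a constructed in-memory table, so this runs offline.
import ipaddress

# Constructed DNS data. Addresses are documentation ranges, and the
# _spf.google.com record is a placeholder for Google's real one.
DNS = {
    "x.com": {"A": ["203.0.113.10"],
              "MX": ["mx.x.com", "smtp.x.com", "mailhost.x.com"],
              "TXT": ["v=spf1 a mx a:somehost.x.com include:_spf.google.com ~all"]},
    "mx.x.com":        {"A": ["203.0.113.20"], "TXT": ["v=spf1 a -all"]},
    "smtp.x.com":      {"A": ["203.0.113.21"], "TXT": ["v=spf1 a -all"]},
    "mailhost.x.com":  {"A": ["203.0.113.22"], "TXT": ["v=spf1 a -all"]},
    "somehost.x.com":  {"A": ["203.0.113.30"]},
    "_spf.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def spf_record(domain):
    recs = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None  # zero or several = unusable

def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none for ip sending as domain."""
    record = spf_record(domain)
    if record is None or depth > 10:   # RFC 7208 caps include recursion
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":      # A records of the domain (or of a:<host>)
            matched = ip in lookup(arg or domain, "A")
        elif name == "mx":     # A records of each MX host of the domain
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":  # matches only if the included record passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"   # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no term matched and no "all" present
```

Swapping ~all for -all in the x.com record turns the softfail results below into fail, which is the trade-off the answer describes.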