DNS zone file SPF configuration to support sending mail from multiple servers and gmail


I want to configure SPF on a domain to allow mail to be sent from:

  • the x.com website server (x.com and www.x.com – both at same IP)
  • its MX servers (smtp.x.com, mx.x.com, mail.x.com)
  • another server that isn't listed as an MX server (somehost.x.com)
  • via gmail using an account that has authenticated use of something@x.com

Will this zone file work? If not, what are the problems with it?

$ttl 38400
@           IN      SOA     ns1.x.com. hostmaster.x.com.  (
                                      201003092 ; serial
                                      8H    ; refresh
                                      15M   ; retry
                                      1W    ; expire
                                      1H )  ; minimum
@           NS  ns1.x.com.
@           NS  ns2.x.com.

@           MX  10 mx.x.com.
@           MX  20 smtp.x.com.
@           MX  30 mailhost.x.com.

; SPF records
@          IN      TXT "v=spf1 a mx a:somehost.x.com include:_spf.google.com ~all"
mx         IN      TXT "v=spf1 a -all"
smtp       IN      TXT "v=spf1 a -all"
mailhost   IN      TXT "v=spf1 a -all"


  1. Is _spf.google.com the right thing to include for gmail.com, or is it only for Google Hosted Apps? If only for Google Apps, what should I include to send from gmail.com?
  2. If mail shouldn't be sent from anywhere else, is it safe to use -all instead of ~all?
  3. Does it make sense to add specific SPF records for each of the mail servers?
  4. Any other problems with the zone file?

I want to confirm these things before making changes to my zone file. The file has SPF configured basically the same now, just without google.com and somehost, but I want to make sure I won't break things when I change it.

Best Answer

Checkout the wizard on openspf.org to help you write the correct SPF settings: http://old.openspf.org/wizard.html?mydomain=x.com

Aside from that, your SPF settings look fine to me for this use.

You are correct to include a SPF record for each of the MX hosts too. These are used in case email is bounced with a null address (in the SMTP protocol), then SPF falls back on using the sending server's address.

If you're certain that no other servers may send mail for your domain, then you should use -all. Of course, this means that any email sent from other servers may be rejected, if they're turns out to be some!