How to configure an SPF record to allow all hostnames (A records) under the domain


Assume I have a domain, foo.com, that I am configuring the SPF records for.

Assume that I have dozens of mail servers (all running on *.foo.com) that I will be sending emails from.

These mail servers will NOT be included in the MX entry of my domain; the MX records are different as we have separate incoming servers.

How do I go about configuring an SPF record to whitelist my email sending servers?

I have looked into the ptr flag but it seems to be not recommended because "it adds overhead and exposes the domain to unauthorized third-parties".

Best Answer

You could use the a mechanism with a dedicated subdomain, e.g.

example.com. IN TXT "v=spf1 a:mailers.example.com -all"

and then introduce all your mail servers in DNS, e.g.

mailers.example.com. IN A 198.51.100.23
mailers.example.com. IN A 198.51.100.50
mailers.example.com. IN A 203.0.113.40

This allows you to just add a new DNS A record every time you add a new mail server, without needing to modify the SPF record every time, i.e. add a new ip4 mechanism.

Things get much easier if the mail servers are on the same subnets, i.e. you just add server capacity but don't get new IP addresses from different ISPs. Many mechanisms have a subnet prefix in their syntax, but I'd recommend using ip4 (and ip6) for this, e.g.

example.com. IN TXT "v=spf1 ip4:198.51.100.0/24 -all"
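As an added example (not code from the answer above), a small Python evaluator of the a, ip4 and all mechanisms run against a constructed, offline zone that stands in for DNS; it shows that onboarding a new mail server is one added A record while the SPF TXT record stays untouched. The ZONE data, the add_mailer helper and the example.net zone (the same-subnet variant) are constructed for illustration.

```python
import ipaddress

# Constructed zone data standing in for DNS lookups (hypothetical, offline).
# example.com uses the "a:" mechanism; example.net uses the same-subnet "ip4:" form.
ZONE = {
    ("example.com.", "TXT"): ["v=spf1 a:mailers.example.com -all"],
    ("mailers.example.com.", "A"): ["198.51.100.23", "198.51.100.50", "203.0.113.40"],
    ("example.net.", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed ZONE."""
    if not name.endswith("."):
        name += "."
    return ZONE.get((name, rtype), [])

def add_mailer(ip):
    """Onboard a new sending server: one new A record, no edit to the SPF TXT."""
    ZONE[("mailers.example.com.", "A")].append(ip)

def check_spf(domain, sender_ip):
    """Evaluate the a, ip4 and all mechanisms (a subset of RFC 7208 check_host)."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:          # zero or multiple SPF records is a permerror
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "a":            # match if sender is one of the target's A records
            target, _, prefix = (arg or domain).partition("/")
            matched = any(
                ip in ipaddress.ip_network(f"{a}/{prefix or 32}", strict=False)
                for a in lookup(target, "A"))
        elif name == "ip4":        # match if sender falls inside the literal prefix
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "all":        # always matches; its qualifier decides the result
            matched = True
        else:                      # mx, ptr, include, ... are out of scope here
            return "permerror"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"               # no mechanism matched (no "all" present)
```

A real evaluator also enforces the RFC 7208 limit of ten DNS-querying terms per check; a single a: mechanism counts as one such term however many A records it returns, which is part of why this pattern scales better than one ip4 entry per server.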