Media Temple, SPF, and Changing IP Addresses

domain-name-system email smtp spam spf

OK…so I have a hosting account with Media Temple and recently had problems with mail servers marking my sent emails as spam. I looked into the issue and read it's a good idea to implement SPF, which is what I did, but here is the issue: my MX record (mail.mydomain.com) in my DNS is set to point to an IP address – let's just say 10.0.0.1 for example – but during the course of looking into why I was getting blacklisted by ISPs I found that my outgoing emails were being sent from a different IP – let's just say 10.0.0.2 – than what is listed in my DNS MX entry. From what I can tell this is the reason my messages were getting flagged: the originating IP was not part of the DNS record anywhere.

So – I went into my SPF record which previously only had an a:mydomain.com entry and added an ip4 entry that listed the outgoing mail server's IP (e.g. ip4:10.0.0.2). From what I gathered this tells receiving mail servers that emails originating from my domain are authorized to go out over that IP. Great…not getting any more hard fails…I'm passing all the SPF tests I run on the domain…everything seems OK.

But – out of curiosity I ask the Media Temple support person if that outgoing mail server IP will ever change…they respond that yes it will occasionally change. Obviously when that happens my SPF record won't work anymore. So my question is how do I mitigate this risk of having them change the outgoing server IP on me and then I'm sending emails that fail SPF checks? Am I screwed here or is there something I can do with either the SPF record or another DNS entry that will prevent that from happening?

Here is what my current SPF looks like:

v=spf1 ip4:10.0.0.2 a:mydomain.com/20 -all

Best Answer

The best option is to use the information provided on the (mt) Media Temple KnowledgeBase for creating an SPF record. This will ensure that no matter what may happen with the mail IP in the future, your SPF will have you covered. Here is that article:

https://kb.mediatemple.net/questions/658

I also want to let you know that the mail IP is different from the web IP, assuming you're on the (gs) Grid-Service. This is because mail is hosted on a different set of physical servers. So, if you have scripts on your websites that also send out mail, ensure you add *.gridserver.com to the SPF, as well.

Now for my full disclosure: I work at (mt) Media Temple.
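
The failure mode from the question, as an added example that is not part of the original post or answer and is not Media Temple's code: a minimal SPF evaluator run against a constructed DNS table, comparing the hand-pinned ip4 record with one that uses the standard include mechanism to defer to a provider-maintained record. The include target _spf.provider.example, the example domains, and the A record value are assumptions; the record Media Temple actually recommends is in the KB article linked above.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def make_zone(provider_ip):
    """Constructed DNS stand-in; every name and address is a placeholder."""
    return {
        "txt": {
            # The record from the question: outgoing IP pinned by hand.
            "pinned.example": "v=spf1 ip4:10.0.0.2 a:mydomain.com/20 -all",
            "delegated.example": "v=spf1 include:_spf.provider.example -all",
            "_spf.provider.example": f"v=spf1 ip4:{provider_ip} -all",  # hypothetical
        },
        "a": {"mydomain.com": "10.0.32.10"},  # assumed web server address
    }

def in_net(ip, addr, prefix):
    return ip in ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)

def check_spf(zone, domain, sender_ip, depth=0):
    """RFC 7208 subset: ip4, a, include, all. include matches only on pass."""
    record = zone["txt"].get(domain, "")
    if depth > 10 or record.split()[:1] != ["v=spf1"]:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        head, _, prefix = term.lstrip("+-~?").partition("/")
        name, _, arg = head.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = in_net(ip, arg, prefix)
        elif name == "a":
            addr = zone["a"].get(arg or domain)
            matched = addr is not None and in_net(ip, addr, prefix)
        elif name == "include":
            matched = check_spf(zone, arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return RESULT[qualifier]
    return "neutral"

if __name__ == "__main__":
    for label, mail_ip in (("before change", "10.0.0.2"), ("after change", "10.0.0.9")):
        zone = make_zone(mail_ip)
        for domain in ("pinned.example", "delegated.example"):
            print(label, domain, check_spf(zone, domain, mail_ip))
```

Note that a:mydomain.com/20 in the question's record authorizes every address in the /20 around the domain's A record (4096 addresses), not a single host.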
