SPF record for media temple domain and google together

Tags: g-suite, spf

Hello, I'm trying to add an SPF record for our MT (dv) server as per this tutorial:

http://kb.mediatemple.net/questions/658/How+can+I+create+an+SPF+record+for+my+domain%3F#gs

Which instructs me to add the record:

v=spf1 a:example.com/20 include:adelphia.net ~all 

The problem is that half our office uses Gmail to send emails, and I want to make sure Google is included as a safe domain. So I have this:

v=spf1 a:example.com/20 include:_spf.google.com ~all

I also saw someone suggest using -all rather than ~all, to limit mail to coming only from these 2 servers.

So would this be the correct record for sending emails using only our example.com mail server and the Gmail servers:

v=spf1 a:example.com/20 include:_spf.google.com -all

Best Answer

Yeah, that's right - though you probably don't have a /20, so you'll want to adjust the prefix length there. If just that server will be sending mail, then you can drop the CIDR subnet specification completely.

The difference between the ~ and the - is that ~ is "softfail" (while - is fail) - it's supposed to just mark the message as "failed" but still allow it, as a tool for transitioning into the use of SPF.

So, from a given SPF record, every sender address will be grouped into one of four states:

  • + : allow
  • ? : neutral
  • ~ : softfail
  • - : deny

You can use these states to essentially dictate a scale of whether someone should accept mail that purports to be from your domain, depending on the sender. For instance, if you wanted to mark mail from your subnet as neutral ("These shouldn't be sending mail, but in the off chance they do, it's probably legit") and your mail server as allowed, you could use something like ?ip4:192.0.2.0/24 +ip4:192.0.2.25 (or, to match the MediaTemple example, ?a:example.com/24 +a:example.com).

In practice, a lot of domains use ~ permanently because they're not really certain that no mail should come from outside their defined networks (some external services will spoof your addresses for legitimate use, for instance). But it's not completely benign; some email systems use it as a criterion in their spam scoring, for instance.
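To make the qualifier discussion above concrete, here is a small SPF evaluator added as an example (it is not code from the question, the answer, or MediaTemple). It handles only the mechanisms used on this page (a, ip4, include, all) and looks names up in a constructed, in-memory stand-in for DNS: the A record for example.com and the contents of _spf.google.com are invented here so the example runs offline (the real _spf.google.com is a chain of includes). Two things it lets you check: that a:example.com/20 passes a whole /20 rather than just the server, and that SPF evaluates mechanisms left to right with the first match deciding the result, so a ?ip4 subnet term placed before a +ip4 host term makes the host neutral rather than allowed.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The A record and
# the _spf.google.com contents are invented (documentation address ranges);
# the real _spf.google.com is a chain of includes, flattened here to one ip4.
FAKE_DNS = {
    "A": {"example.com": ["192.0.2.25"]},
    "TXT": {
        "example.com": "v=spf1 a:example.com/20 include:_spf.google.com -all",
        "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    },
}

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if not argument and "/" in mechanism:       # bare "a/24" style term
            mechanism, _, prefix = mechanism.partition("/")
            argument = "/" + prefix
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate sender IP against domain's SPF record; first match wins."""
    if depth > 10:
        return "permerror"                           # include loop guard
    record = dns["TXT"].get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in parse_record(record):
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            # a:<name>/<prefix>: match if ip is within <prefix> of any A record
            name, _, prefix = argument.partition("/")
            name = name or domain
            matched = any(
                addr in ipaddress.ip_network("%s/%s" % (a, prefix or 32), strict=False)
                for a in dns["A"].get(name, [])
            )
        elif mechanism == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_host(ip, argument, dns, depth + 1) == "pass"
        else:
            return "permerror"                       # mechanism not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                 # nothing matched, no "all"


def evaluate(record, ip, domain="example.com"):
    """Evaluate ip against an ad-hoc record for domain, reusing FAKE_DNS for lookups."""
    txt = dict(FAKE_DNS["TXT"])
    txt[domain] = record
    return check_host(ip, domain, {"A": FAKE_DNS["A"], "TXT": txt})


if __name__ == "__main__":
    mt = "v=spf1 a:example.com/20 include:_spf.google.com -all"
    for sender in ("192.0.2.25", "192.0.15.1", "203.0.113.7", "198.51.100.9"):
        print(sender, "->", evaluate(mt, sender))
    # Order matters: the subnet term shadows the host term when listed first.
    print(evaluate("v=spf1 ?ip4:192.0.2.0/24 +ip4:192.0.2.25 -all", "192.0.2.25"))
    print(evaluate("v=spf1 +ip4:192.0.2.25 ?ip4:192.0.2.0/24 -all", "192.0.2.25"))
```

Running it shows 192.0.15.1 passing under a:example.com/20 even though only 192.0.2.25 is the mail server, which is why dropping the /20 (or using the real prefix length) is advised; swapping -all for ~all turns the 198.51.100.9 result from fail to softfail, and nothing else changes.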
