SPF record for SMTP server

Tags: amazon-web-services, microsoft-office-365, smtp, spf

I am trying to set up my SPF records to take into account that I send emails via Office 365 directly in Outlook etc., as well as from a web app hosted in AWS which sends email to smtp.office365.com (JavaMailSender sends the MIME email to the SMTP server for delivery etc.).

My SPF record is currently:

v=spf1 include:spf.protection.outlook.com include:amazonses.com include:smtp.office365.com ~all

If I send an email through Outlook, SPF passes and is verified and all is OK.

If my web app sends an email to smtp.office365.com to be sent, SPF is not verified.

What can I do to resolve this?

Is the only way of fixing this by putting an IP address of my web app in the SPF record?

Thanks

Best Answer

(JavaMailSender sends the MIME email to the smtp server for delivery etc)

It sounds like JavaMailSender can do authorized SMTP, so if Office 365 supports it, use that. The username and password should bypass Office 365's SPF check (just like it would for other authenticated SMTP clients like Outlook or Thunderbird, etc.) and then, if it wasn't the final destination for the mail, the Office 365 server is the one verified with SPF, so you should already be good there.

include:amazonses.com

Or, use SES. You didn't actually mention SES in your question, but the same thing applies - you can SMTP auth to SES and have it relay your mail. SES is AWS's email sending service. The business decision of which is preferable is of course far outside the scope of your question.

putting an IP address of my web app in the SPF record

That would work too, but it's unmaintainable because every new server will have to have its IP address in the SPF record. In AWS, IPs change (only when a server without an EIP is stopped), and once they're freed from an instance they can be used on another instance, which are some of the reasons I recommend against trying to add into SPF the IPs of all servers that might one day send mail. Putting SMTP credentials on the servers makes more sense, and scales better because new servers have to be configured anyway, but SPF doesn't have to change often.
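
Added example, not part of the original answer: a minimal SPF evaluator (only the `ip4`, `include` and `all` mechanisms) run against the record from the question, showing that the receiver checks the address of whichever host hands it the message. The sender domain `example.org`, the address ranges (documentation networks) and the two sample addresses are constructed assumptions, not the providers' real published records.

```python
import ipaddress

# Constructed zone data: the ranges are documentation networks (RFC 5737),
# not the providers' real SPF records. example.org is a hypothetical sender.
SPF_ZONE = {
    "example.org": "v=spf1 include:spf.protection.outlook.com "
                   "include:amazonses.com include:smtp.office365.com ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "smtp.office365.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
OFFICE365_RELAY = "192.0.2.25"   # constructed: relay used after SMTP AUTH
EC2_INSTANCE = "203.0.113.7"     # constructed: web app delivering directly


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record for `domain` against connecting address `ip`.

    Supports only ip4, include and all; RFC 7208 defines more mechanisms.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = SPF_ZONE.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            inner = check_host(ip, term[8:], depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # a broken include invalidates the record
            matched = inner == "pass"   # only "pass" from the include is a match
        else:
            return "permerror"          # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched, no "all" present
```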