SPF records for SMTP service

smtp spf

Please help me to create an SPF record that will be helpful to validate my outgoing mail. Here is my server environment.

We hosted an application at one hosting provider. Though they provided mail services, we are not using them. Instead, we are using GoogleApps for official mail purposes. For this we have already configured an SPF record as "v=spf1 include:_spf.google.com ~all".

Along with this, we have newly configured another SMTP server to use for sending newsletters and promotional mails to our website visitors, as there are some limitations on the number of emails per day with GoogleApps.

We want to have both email services: GoogleApps and the new SMTP server. In such a case, how can we create an SPF record mentioning both IP addresses? Here is my new SMTP server IP: 45.23.77.65

Thanks in advance,
Max

Best Answer

In order for SPF to be of any real benefit, you need to aim for a -all default action. To do this you need to ALWAYS use your designated mail servers to handle your mail, which isn't too hard, but means in particular that home users can't use their ISPs' mail servers, which in turn means they need to use SSL/TLS (or non-standard ports) as so many ISPs block port 25 other than to their own servers.

It's considered courteous to list explicit IPs first since they require no additional DNS lookups (so they're faster too) and SPF rules are evaluated left to right. For a single IP, you don't need the /32 on the end as that's implicit. All in all,

v=spf1 ip4:45.23.77.65 include:_spf.google.com -all

Having done that, create a SenderID record containing this:

spf2.0/pra

This says that you don't publish any "purported responsible address" records (which are somewhat broken anyway), but also makes SenderID defer to SPF for permitted mail sources. This syntax is functionally identical to the suggested spf2.0/pra ?all that Microsoft's somewhat buggy wizard will suggest. When you're done, register your domain with Microsoft. This will mean that Hotmail and friends subscribe to your DNS explicitly, again helping mail get delivered faster.

I'd steer clear of MS' wizard for spf1 records; the openspf one is more reliable. Remember that SenderID (a.k.a. SPF 2.0) does not in any way replace or obsolete standard SPF; you should use both (and DKIM while you're at it, though that's harder).
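The left-to-right evaluation described in the answer can be checked offline with a small evaluator; this is an added example, not part of the original answer. It handles only the ip4, include and all terms used on this page, and FAKE_TXT is a constructed stand-in for DNS (a documentation range, not Google's real SPF data).

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The range below is
# a documentation block, NOT Google's real published SPF data.
FAKE_TXT = {"_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms per check


def check_spf(record, client_ip, txt=FAKE_TXT, _count=None):
    """Evaluate ip4/include/all terms left to right.

    Returns (result, dns_lookups_used). Other mechanisms are out of scope
    for this sketch and raise ValueError.
    """
    count = _count if _count is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", count[0]
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            # ip_network("45.23.77.65") is a /32, so the suffix is optional
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            count[0] += 1  # every include costs a DNS query
            if count[0] > MAX_LOOKUPS or arg not in txt:
                return "permerror", count[0]
            inner, _ = check_spf(txt[arg], client_ip, txt, count)
            if inner == "permerror":
                return "permerror", count[0]
            matched = inner == "pass"  # only an inner pass counts as a match
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"unsupported term: {term}")
        if matched:
            return QUALIFIERS[qualifier], count[0]
    return "neutral", count[0]


ANSWER_RECORD = "v=spf1 ip4:45.23.77.65 include:_spf.google.com -all"
ORIGINAL_RECORD = "v=spf1 include:_spf.google.com ~all"
```

With the answer's record the newsletter server passes with zero lookups, while under the original record the same IP only reaches the ~all softfail after one lookup.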