What are the correct SPF records to allow both local and Google Apps delivery

Tags: domain-name-system, g-suite, postfix, spf

We have recently moved our server stack to a new data farm, and some of our clients are experiencing issues with mail being sent from their GApps accounts. Before the server move we had no issues, but I suspect that maybe the IP change etc might have some part in this.

We found the issue was that some of the domains had incorrect SPF headers and didn't include the Google SPF records.

I have added TXT records to all the domains with the following: v=spf1 include:_spf.google.com ~all, which has solved the issue with deliverability, but I don't understand SPF enough to know if all the TXT records on our DNS template are ok.

If a domain uses Google Apps for sending mail, we disable the local mail routing for that domain to prevent any internal mail from not going through, and all non-GApps MX records are deleted.

Currently the following are setup on each domain:

domain.com.      TXT v=spf1 +a +mx -all
domain.com.      TXT v=spf1 include:_spf.google.com ~all
mail.domain.com. TXT v=spf1 ip4:xxx.xxx.xxx.xxx a mx a:mail.domain.com mx:domain.com ?all

So my question(s) are:

Are the above records fine (some SPF tests come back positive, others negative) as a global for all domains that get added to the server?

Can the two domain.com DNS records above be concatenated into one?

Is it OK to have the Google included SPF record for domains that are not sending via Google Apps?

Is it necessary to delete the other TXT records if they are using Google Apps? I don't imagine that it would be necessary to delete the mail.domain.com record, as mail doesn't originate from there, but could that cause any issues if present?

We have 100+ domains running on the one server stack and updating them all is not going to be fun, but I would rather it be done correctly.

Thanks in advance.

Best Answer

You should only have one SPF record on a hostname, so you must combine the two into one. SPF is basically a list of mechanisms (which match something) and the action to take for each mechanism. You can have as many of these mechanisms in your SPF record as you want. For domain.com you want this:

domain.com. IN  TXT "v=spf1 include:_spf.google.com +a +mx -all"

This means that the following are checked (with the first matching mechanism being the result):

  • Fetch the SPF record at _spf.google.com and evaluate it (include:). Google's SPF record looks like this:

    _spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

  • Accept if the SMTP client's IP is within any of those IPv4 subnets (ip4:)

  • Accept if the SMTP client's IP is an A record for the domain (+a)

  • Accept if the SMTP client's IP is an MX record for the domain (+mx)

  • Reject everything (-all)

Your SPF record for mail.domain.com can probably be simplified to this:

mail.domain.com.    IN  TXT "v=spf1 ip4:xxx.xxx.xxx.xxx a mx:domain.com ?all"

This assumes that mail.domain.com doesn't itself have an MX record. If it does have an MX record, add the mx term back in (before the all).
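To make the first-match evaluation described in the answer concrete, here is an added Python example (not code from the question or the answer) that walks an SPF record the way a receiving MTA does, against a constructed in-memory DNS table instead of live lookups. The Google netblocks are the ones quoted in the answer; the other addresses and the broken.example zone are made up, and the two-record case shows the permerror that is the reason for combining the two domain.com records.

```python
import ipaddress

# Constructed stand-in for DNS TXT/A/MX lookups. Google's ip4 list is the one quoted
# in the answer; 192.0.2.x / 198.51.100.x are documentation addresses, not real hosts.
TXT = {
    "domain.com": ["v=spf1 include:_spf.google.com +a +mx -all"],
    "_spf.google.com": ["v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"],
    "broken.example": ["v=spf1 +a +mx -all", "v=spf1 include:_spf.google.com ~all"],
}
A = {"domain.com": ["192.0.2.10"], "mail.domain.com": ["192.0.2.25"]}
MX = {"domain.com": ["mail.domain.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Return the SPF result for sender IP `ip` claiming `domain`; first match wins."""
    records = [r for r in TXT.get(domain, []) if r.startswith("v=spf1 ")]
    if len(records) != 1:      # RFC 7208: no record -> none, several records -> permerror
        return "none" if not records else "permerror"
    if depth > 10:             # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"                            # mechanisms default to the "+" qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain                # "a" / "mx" with no argument use the domain itself
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A.get(target, [])
        elif name == "mx":
            matched = any(ip in A.get(host, []) for host in MX.get(target, []))
        elif name == "include":
            inner = check_spf(ip, target, depth + 1)
            if inner in ("permerror", "none"):
                return "permerror"
            matched = inner == "pass"         # fail/softfail/neutral inside an include just fall through
        else:
            return "permerror"                # toy evaluator: unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                          # no "all" term: RFC 7208 default result
```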
