
I'm trying to set up an SPF record for my domain. I've read the RFC, been to Wikipedia, openspf.org, etc. but I'm still confused.

What is the difference between 'a' and 'mx'? When do I use 'mx:' rather than 'a:' or 'include:'?

What's the point of '?all' (Neutral result) except for debugging? Why do so many people use '~all' (Softfail) instead of '-all'?

I've been to the Wizard (http://old.openspf.org/wizard.html) but I don't understand the questions.

sprezzatura

2 Answers


While the goal of SPF is so you can pseudo-authenticate email from your domain, the problem is that, if you configure your record too tightly, even legitimate mail will fail SPF checks on receipt.

In short, a misconfigured SPF record is more dangerous than no SPF record.

The "safe first step" is to list the outbound SMTP servers you know of with + (positive), and everything else as ? (neutral). Email received from your positive-listed server will pass - and theoretically be weighted towards "not spam", and all other email addressed "from" your domain will shrug with an inconclusive result.

"Fail" is an indication that the message should be thrown away, but "softfail" is an indication that the email is questionable - so it might end up in the spam bucket on the receiver side, but still get there.

Since there are some methods for email to be sent legitimately from a server you don't control, e.g. mailing list servers, use of "fail" tends to be avoided. The mail must flow.

Shewfig

a: allows you to specify a domain allowed to send from your domain. For example, a:example.com tells the receiving mail server to do a DNS lookup of example.com. If the sending IP matches one of the IPs returned by the lookup of example.com, it matches.

MX means the mail exchanger records of the domain are allowed to send mail from the domain.

I use -all on my SPF records. I suppose you could test your records with ~all (softfail) before going to -all (fail).

Not sure if this helps?

TRiG
Imo
  • (Wow! that's fast!) OK, suppose I have the domain foo.com, at IP 11.22.33.44. If I am sending email, from foo.com, with the originating address of 'bar.com', then (if I understand correctly) the SPF record for foo.com should include: a:bar.com If another domain, baz.com, sends email with an originating address of 'foo.com', is this where MX comes in? V.g.: MX:baz.com Thanks very much for answers. – sprezzatura Apr 02 '10 at 21:20
  • (I guess I should have used 'Add comment' instead of 'Answer') – sprezzatura Apr 02 '10 at 21:22
  • I think you understand it correctly from your example. Just think of SPF as specifying a list of IPs allowed to send emails from your domain. The methods (a: mx: ipv4: etc) allow you to add more allowed IPs onto that list. Sounds like you've got it. – Imo Apr 03 '10 at 10:38
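To make the "list of IPs" view from the answer and comments above concrete, here is an added example (not code from any of the posters) of a minimal SPF evaluator: it expands a, mx, ip4/ip6 and include into addresses, stops at the first match, and maps the +, -, ~ and ? qualifiers to pass, fail, softfail and neutral, so you can see what -all, ~all and ?all do to a sender that is not listed. The DNS table, domains and addresses are constructed for the example, and macros, redirect=, exp= and ptr are left out.

```python
import ipaddress

# Constructed, offline stand-in for DNS; the example never touches the network.
FAKE_DNS = {
    ("foo.com", "TXT"): ["v=spf1 a mx ip4:203.0.113.0/24 include:bar.com ~all"],
    ("foo.com", "A"): ["192.0.2.10"],
    ("foo.com", "MX"): ["mail.foo.com"],
    ("mail.foo.com", "A"): ["192.0.2.25"],
    ("bar.com", "TXT"): ["v=spf1 a -all"],
    ("bar.com", "A"): ["198.51.100.5"],
    ("baz.com", "TXT"): ["v=spf1 mx:foo.com ?all"],  # 'mx:' with an explicit domain
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def check_spf(ip, domain, depth=0):
    """Return the SPF result for a sending IP claiming to be from 'domain'.
    Mechanisms are tried left to right; the first one that matches decides."""
    if depth > 10:                       # guard against include: loops
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"                    # no SPF record published at all
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                  # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                # 'all' always matches: -all/~all/?all
            return QUALIFIERS[qualifier]
        if mech == "a":                  # A record(s) of the given or current domain
            hits = any(sender == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":               # A record(s) of each MX host of that domain
            hosts = lookup(arg or domain, "MX")
            hits = any(sender == ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A"))
        elif mech in ("ip4", "ip6"):     # literal address or CIDR block
            hits = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":          # another domain's record; only its 'pass' counts
            hits = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism this example does not implement
        if hits:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end with no 'all' term
```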