
We have recently moved our server stack to a new data farm, and some of our clients are experiencing issues with mail being sent from their GApps accounts. Before the server move we had no issues, but I suspect that maybe the IP change etc might have some part in this.

We found the issue was that some of the domains had incorrect SPF headers and didn't include the Google SPF records.

I have added TXT records to all the domains with the following `v=spf1 include:_spf.google.com ~all`, which has solved the issue with deliverability, but I don't understand SPF enough to know if all the TXT records on our DNS template are ok.

If a domain uses Google Apps for sending of mail, we disable the local mail routing for that domain to prevent any internal mails not going through, and all non GApps MX records are deleted.

Currently the following are setup on each domain:

domain.com.      TXT v=spf1 +a +mx -all
domain.com.      TXT v=spf1 include:_spf.google.com ~all
mail.domain.com. TXT v=spf1 ip4:xxx.xxx.xxx.xxx a mx a:mail.domain.com mx:domain.com ?all

So my question(s) are:

Are the above records fine (some SPF tests come back positive, others negative) as a global for all domains that get added to the server?

Can the two domain.com DNS records above be concatenated into one?

Is it OK to have the Google included SPF record for domains that are not sending via Google Apps?

Is it necessary to delete the other TXT record if they are using Google Apps? I don't imagine that it would be necessary to delete the mail.domain.com record as mail doesn't originate from there, but could that cause any issues if present?

We have 100+ domains running on the one server stack and updating them all is not going to be fun, but I would rather it be done correctly.

Thanks in advance.

Byron Rode

2 Answers


You should only have one SPF record on a hostname, so you must combine the two into one. SPF is basically a list of mechanisms (which match something) and the action to take for that mechanism. You can have as many of these mechanisms in your SPF record as you want. For domain.com you want this:

domain.com. IN  TXT "v=spf1 include:_spf.google.com +a +mx -all"

Which means that the following are checked (with the first matching mechanism being the result).

  • Fetch the SPF record at _spf.google.com and evaluate it (include:). Google's SPF record looks like this:

    _spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

  • Accept if the SMTP client's IP is within any of those IPv4 subnets (ip4:)

  • Accept if the SMTP client's IP is an A record for the domain (+a)

  • Accept if the SMTP client's IP is an MX record for the domain (+mx)

  • Reject everything (-all)

Your SPF record for mail.domain.com can probably be simplified to this:

mail.domain.com.    IN  TXT "v=spf1 ip4:xxx.xxx.xxx.xxx a mx:domain.com ?all"

Assuming that mail.domain.com doesn't itself have an MX record. If it does have an MX record add the mx term back in (before the all).

mgorven
  • Thanks for the explanation and answer - makes more sense now. For local mail, MX records are set for mail.domain.com - they point to the IP address of the server (standard setup in Plesk). Would that make any difference to your TXT record? I'll accept the answer if that is correct. – Byron Rode Aug 13 '12 at 09:51
  • @ByronRode I'm not sure why there is an MX record, but in that case just add `mx` to the record. – mgorven Aug 13 '12 at 17:41
  • There is an MX record for local mail (some clients opt not to use GApps and rather send from our server (Postfix)). – Byron Rode Aug 14 '12 at 08:51
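As an added illustration (not code from either answer), here is the first-match evaluation mgorven describes, run against a constructed in-memory DNS table instead of real lookups. The combined domain.com and mail.domain.com records are the ones from the answer; the IP addresses and the two.example name (a domain that still carries two SPF records, as domain.com did in the question) are assumptions.

```python
import ipaddress

# Constructed in-memory DNS table standing in for real lookups (values are assumptions).
DNS = {
    "domain.com": {"TXT": ["v=spf1 include:_spf.google.com +a +mx -all"],
                   "A": ["198.51.100.10"], "MX": ["mail.domain.com"]},
    "mail.domain.com": {"TXT": ["v=spf1 ip4:198.51.100.10 a mx:domain.com ?all"],
                        "A": ["198.51.100.10"]},
    "_spf.google.com": {"TXT": ["v=spf1 ip4:216.239.32.0/19 ip4:74.125.0.0/16 ?all"]},
    # Two SPF records on one name: the situation the question had for domain.com.
    "two.example": {"TXT": ["v=spf1 +a -all", "v=spf1 include:_spf.google.com ~all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return (result, record): more than one SPF TXT is a permerror (RFC 7208 s4.5)."""
    txts = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    if not txts:
        return "none", None
    if len(txts) > 1:
        return "permerror", None
    return None, txts[0]

def check_host(ip, domain, depth=0):
    """Evaluate SPF for client ip against domain; the first matching mechanism decides."""
    err, rec = spf_record(domain)
    if err or depth > 10:
        return err or "permerror"
    client = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"                      # no qualifier means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":               # client is an A record of the (given) domain
            matched = str(client) in DNS.get(arg or domain, {}).get("A", [])
        elif name == "mx":              # client is an A record of one of its MX hosts
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(str(client) in DNS.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":         # matches only if the included record passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no "all" term
```

A Google address passes domain.com through the include, the server's own address passes through +a, anything else hits -all, and two.example is a permerror rather than either record's verdict.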

Why do you have three different SPF records? Also, why do you have a separate record for mail.domain.com, do you accept any mail on that domain name? Basically, a single `domain.com TXT v=spf1 include:_spf.google.com +a +mx ~all` should be enough.

Alex
  • That was how it was originally setup, hence my asking if it could be concatenated and the reason for the one on mail.domain.com was for mail delivered from the server itself. I wasn't aware at the time that a global domain record would count. – Byron Rode Aug 08 '12 at 13:45
  • The record for `mail.domain.com` is because the HELO hostname declared by the SMTP client is also checked against SPF. – mgorven Aug 09 '12 at 06:23