I'm the domain administrator for, say, example.com. I have a few dozen users and we provide them with e-mails (first-name@example.com) that are aliases to their main e-mail.

Now there are quite a few servers on the internet that mark mails as spam if they don't use SPF, and I'd like my users not to be considered spammers. How should I configure SPF on my domain given that they might send mail from many different mail servers (their ISP, gmail, hotmail, their own server, whatever)?

The only solution I've found so far would be to set up an SMTP server and ask users to send through it (which is probably what SPF expects me to do). Is there any simpler way? Is it common among usual mail providers that allow using aliases to also allow a specific SMTP server when using an alias?

Here, I'm not asking how to configure basic SPF parameters or what SPF is in general, but how to deal with SPF when it involves many users that may send e-mails using their own SMTP server.

2 Answers

The purpose of SPF is to authenticate sending sources (servers via IP/DNS), if you want to allow them to send from 3rd parties (which those mentioned do not do; they would send "on behalf of", which means gmail uses gmail's SPF to send from first-name@example.com):

    MAIL FROM: first-name@gmail.com
    Sender: first-name@gmail.com
    From: "First Name" <first-name@example.com>
    Subject: I emailed you from example.com, via gmail.

The answer to what you are asking will not fix your spam issue; since you do not want to limit your sources, you will need to use something like

@ IN TXT "v=spf1 a mx ip4:93.184.216.0/24 ip6:2606:2800:220:1::/64 ?all"

where ?all allows anyone to send, but doesn't positively or negatively apply SPF to those sources.

If you want to send from their server, web server, alerting server, anything with TCP/25 outbound that directly communicates with 3rd party SMTP servers, you would just authenticate those servers, the same as you would a newsletter system.

@ IN TXT "v=spf1 a mx ip4:93.184.216.0/24 ip6:2606:2800:220:1::/64 include:_spf.example.com ?all"
_spf IN TXT "v=spf1 ip4:184.168.221.8 -all"

where 184.168.221.8 is their website, SMTP server, VPS, or on-premise mail system.

Sources:

Jacob Evans
  • No, it's part of message authentication. – Jacob Evans Sep 19 '15 at 15:51
  • I suppose that's technically correct, but I don't like the word authentication being used in relation to SPF records. Validation is a better word, IMO. I'm too used to using the term authentication in conjunction with authorization. At any rate, I've deleted my previous comment. – joeqwerty Sep 19 '15 at 16:00
  • Note that the results of the SPF check in an email's metadata are stored under "Authentication-Results". – Joachim Jablon Sep 19 '15 at 16:10
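To see how a receiver would judge the two records given in this answer, here is a small SPF evaluator (added example, not from the original answer) that works over a constructed zone table instead of live DNS; the A/MX addresses and the 203.0.113.5 "third-party" sender are assumed test values. It shows that the ?all record yields "neutral" for unlisted servers rather than "fail", and that the -all inside _spf.example.com never leaks out as a fail through include:.

```python
import ipaddress

# Constructed zone data mirroring the records in the answer above; a real
# checker would query DNS TXT records instead of this dict.
ZONE = {
    "example.com": "v=spf1 a mx ip4:93.184.216.0/24 ip6:2606:2800:220:1::/64 include:_spf.example.com ?all",
    "_spf.example.com": "v=spf1 ip4:184.168.221.8 -all",
}
# Constructed A/MX data so the 'a' and 'mx' mechanisms can be evaluated offline.
A_RECORDS = {"example.com": ["93.184.216.34"]}
MX_RECORDS = {"example.com": ["93.184.216.35"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip`.
    Returns pass/fail/softfail/neutral/none/permerror (RFC 7208 section 2.6)."""
    record = ZONE.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    if depth > 10:                        # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):       # version mismatch simply does not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in A_RECORDS.get(arg or domain, [])
        elif name == "mx":
            matched = str(addr) in MX_RECORDS.get(arg or domain, [])
        elif name == "include":
            # include: only ever *matches* on an inner "pass"; the included
            # record's -all is not propagated to the caller (RFC 7208 section 5.2).
            inner = check_spf(arg, ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no explicit all
```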
You can arrange for mail to pass SPF, but it doesn't really achieve much in the eyes of most of the large receiving mail services unless it's part of passing DMARC, and that only happens if the domain you are authenticating against is the one in the From header in your mail message (not the SMTP From address).

If your users send through third party servers, and the From header uses your domain, then they can only be DMARC compliant if either (A) the server is listed in SPF for your domain, or (B) the server DKIM signs the email using a key for your domain.

If your users send through gmail servers, then unless you pay gmail, the emails are probably going to get rewritten with addresses @gmail.com, so all the SPF and DKIM arrangements are independent of your domain.

If your mail doesn't pass DMARC, it's not going to count against those emails, or against your domain's reputation, it just doesn't count in their favour as DMARC compliance would do.

mc0e