
I'm trying to work through properly configuring SPF for my domain. We have two MX servers that only receive mail, and two outbound relay servers which we expect to list in our SPF record.

We also have a mail server in a subdomain called mail.sub.example.com. It only sends mail for this subdomain. The two MX servers are also responsible for incoming mail for this domain.

The problem I'm having is users often forward their mail off this subdomain server and on to Gmail and other providers, where they use the features of these remote providers to send mail as user@sub.example.com.

Would it then be advisable to add Google's SPF record as an include?

I'm concerned that doing this will open up all of Google to be able to spoof my domain. If it's not listed, we lose the benefit of maintaining the security SPF provides throughout the entire email chain.

I'd also like to benefit from the SPF protection when receiving an email to one of the MX servers from my own domain, and to use it to protect my own users from receiving a forged email from a user in our domain.

Alex Regan

1 Answer


Sub and example should have separate SPF records; include the servers that you send email FROM.

I would suggest using the ip4: mechanism, not a, mx, or ptr; save those DNS lookups for include: in case you add third-party ESPs later on.

Use -all to reject.

Also look into DMARC as it will have a higher success rate of spoof protection with large mailbox providers.

Gmail will send email from Gmail but on behalf of user@example.com, so it will use the SPF record for Gmail and not example.com.

masegaloeh
Jacob Evans
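To see how the separate records, the ip4: mechanism, include: and -all interact, here is an added example (not code from the question or answer): a small offline SPF evaluator over a constructed DNS zone. The addresses, the zone contents and the `_spf.esp.invalid` include name are all assumptions standing in for the relays and a third-party ESP; it handles ip4:, include: and all, and counts the DNS-querying mechanisms against the RFC 7208 limit of 10.

```python
import ipaddress

# Constructed TXT zone for the scenario: example.com lists only its two
# outbound relays, sub.example.com lists its own server plus a hypothetical
# third-party ESP include. All addresses are documentation ranges.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "sub.example.com": "v=spf1 ip4:198.51.100.5 include:_spf.esp.invalid -all",
    "_spf.esp.invalid": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: at most 10 DNS-querying mechanisms


def check_spf(ip, domain, lookups=0):
    """Return (result, lookups_used) for `ip` sending as MAIL FROM `domain`.

    ip4: terms cost no DNS lookup; include:, a, mx, ptr and exists each
    count one. a/mx/ptr/exists need live DNS, so they are reported as
    'unsupported' here after being counted.
    """
    record = ZONE.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none", lookups
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUAL:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            if addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False):
                return QUAL[qualifier], lookups
        elif name == "include":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups
            sub, lookups = check_spf(ip, arg, lookups)
            if sub == "pass":
                return QUAL[qualifier], lookups
            if sub in ("none", "permerror", "temperror"):
                return "permerror", lookups  # broken include is a permerror
        elif name == "all":
            return QUAL[qualifier], lookups
        elif name in ("a", "mx", "ptr", "exists"):
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups
            return "unsupported", lookups
    return "neutral", lookups  # no mechanism matched and no `all` present
```

Note that the subdomain server (198.51.100.5) fails for example.com and the example.com relays fail for sub.example.com, which is the point of keeping the two records separate.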