2

Obviously my own mail servers should be marked as "allow" in an SPF record, but I'm not so sure about mail relays (e.g. my ISP). Since other people (not related at all with my server) also send email through the same relay, it seems to me the most appropriate choice would be listing the relays as "neutral" like:

v=spf1 ip4:myserverip ?include:_spf.myisp.com -all

Is this common practice? Or is there some better option?

dkaeae
  • If you send emails from both locations as your domain, then yes you would need SPF for both. And that does mean others on your ISP could email as you. You must determine if that risk is acceptable to your org/business. It is not uncommon for businesses to add shared campaign providers in their SPF. ISP is a different set of folks you have to decide if you want to trust. – Aaron Mar 16 '16 at 17:54
  • And neutral is the best choice here? Or is allow also OK? If I use neutral, then DKIM seems to be a must, because any mail not delivered locally gets forwarded to the relay. – dkaeae Mar 17 '16 at 21:15

1 Answer

4

The best practice is for an organization to add to SPF all email hosts authorized to send email on behalf of their domain.

Usually that includes your local servers and the hosts you trust to do relay work on your behalf. Failing to include those relays will impact mail delivery that happens through those hosts.

Deciding if those relays are trustworthy or not, and if the delivery risks are acceptable, is up to you of course.

As an example, Google Apps customers are recommended to use include:_spf.google.com in their SPF records to authorize Gmail servers on their behalf.

Marco