
I'm using G SUITE to accept mail for my domain, so I've set my SPF record as recommended by Google to v=spf1 include:_spf.google.com ~all. Now I want to send emails from my webservers and I want to add them to my SPF record. Google suggests that I add the IP of my additional server to the SPF record like this:

v=spf1 ip4:1.2.3.4 include:_spf.google.com ~all

However, I have multiple web servers and I'd prefer any of them to be able to send emails. Is the following valid?

v=spf1 +a include:_spf.google.com ~all

ddinchev
  • Notice that the names pointed to by `a` and `mx` directives in your SPF records must be dual stack. Otherwise your SPF record may be considered invalid by some implementations and give you an `SPF Permanent Error: Void lookup limit of 2 exceeded` error. – kasperd Dec 22 '17 at 13:36

2 Answers


The question is slightly unclear: you say you have multiple webservers, but you don't say that you have multiple servers serving your naked domain name's website (e.g. http://example.com) and that all of them are returned when you look up the naked domain name. Provided the latter is true, yes, you can do what you propose: `a` on its own (or `+a`, for they are equivalent) translates to "permit all the IP addresses that are returned when I resolve the naked domain name of the address in question".

As for mixing `a` and `include`, this is also fine. Again, as the canonical answer makes clear, if either the `a` or the `include` provides grounds for acceptance, the policy will recommend acceptance of the email; otherwise, processing will continue on the rest of your record, eventually ending up with your default policy.

May I add in passing that there is no point in doing SPF if you're going to leave the policy as `~all`? It's covered at more length in our canonical answer, but the short version is that nobody cares which IP addresses are allowed to send mail from your domain. We only care which addresses are not allowed to send it, so we can drop email from those. Some local admins even consider a policy of `~all` a sign of spam, and weight their mail filters accordingly.

MadHatter
  • Thanks for the answer and the additional resources link! The `~all` part comes directly from Google documentation for G-Suite setup: https://support.google.com/a/answer/178723?hl=en `Publishing an SPF record that uses -all instead of ~all provides stricter security but may result in delivery problems.` – ddinchev Dec 26 '17 at 09:41
  • @ddinchev we address Google's advice in the canonical QA (linked above), which **you really should read**. – MadHatter Dec 26 '17 at 12:05
  • Includes work fine on their own and with IP addresses within SPF records, however, if you have multiple includes you can run up against the 10 DNS lookup rule as stated in RFC 7208, section 4.6.4: This is a fixable problem, look for SPF flattening tools of which there are a couple. – Neil Anuskiewicz Jan 19 '18 at 23:07

Without `-all` nobody cares. If you use `+a` and your record is example.com, the result of `dig +short A example.com` and `dig +short AAAA example.com` will be used. In either case, this is an extra DNS lookup and not recommended for efficiency (especially with includes; 10 DNS lookups max). Unless your root domain is a CNAME, which it cannot be, it would benefit you to list all IP addresses for your A record in the SPF record; you're updating the same zone, so it's not hard.

I say "especially with includes" because you have no control over what they do with that SPF record; some lower-quality email hosts will exceed that DNS lookup limit.

Jacob Evans
  • Interesting - again, as I commented on the other answer - this comes from Google documentation. I believe the two of you are right but then I'm questioning why Google would suggest otherwise... – ddinchev Dec 26 '17 at 09:45
  • Theirs is "safer" for ignorant administrators. You asked here and got a custom answer for your domain, not a general answer for the mass where only a one way communication channel is given. (Website documentation vs QA forum) – Jacob Evans Dec 26 '17 at 11:20
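Both answers turn on three things: `+a` resolving to the domain's A and AAAA records, `include` and `a` each costing one of the 10 DNS lookups allowed by RFC 7208 section 4.6.4, and `~all` versus `-all` deciding what a non-match means. The following is an added example (not code from the question or either answer) of a minimal SPF evaluator that walks a record such as the one in the question against a constructed, offline stand-in for DNS; the zone contents, the `_netblocks` name and the addresses are assumptions for illustration only.

```python
import ipaddress

# Constructed stand-in for DNS (not real records): name -> {rrtype: [values]}.
ZONE = {
    "example.com": {"A": ["192.0.2.10", "192.0.2.11"], "AAAA": ["2001:db8::10"],
                    "TXT": ["v=spf1 +a include:_spf.google.com ~all"]},
    "_spf.google.com": {"TXT": ["v=spf1 include:_netblocks.google.com ~all"]},
    "_netblocks.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: a, mx, include, exists and ptr each count
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    return ZONE.get(name, {}).get(rrtype, [])

def addresses(name):
    """A and AAAA records of name (the 'a' mechanism looks up both)."""
    return [ipaddress.ip_address(x) for x in lookup(name, "A") + lookup(name, "AAAA")]

def check_spf(domain, sender_ip, counter=None):
    """Evaluate domain's SPF record for sender_ip; returns (result, dns_lookups_used).
    Only ip4, ip6, a, include and all are modelled; anything else yields permerror."""
    counter = counter if counter is not None else [0]
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return ("none" if not records else "permerror"), counter[0]
    for term in records[0].split()[1:]:
        qual = "+"                      # a mechanism without a qualifier means '+'
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("a", "mx", "include", "exists", "ptr"):
            counter[0] += 1             # each of these costs one DNS lookup
            if counter[0] > MAX_LOOKUPS:
                return "permerror", counter[0]
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):    # an address of the other IP version never matches
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":               # bare 'a' means the domain being checked
            matched = ip in addresses(arg or domain)
        elif mech == "include":
            sub, _ = check_spf(arg, sender_ip, counter)
            if sub in ("none", "permerror"):
                return "permerror", counter[0]
            matched = sub == "pass"     # only 'pass' matches; fail/softfail fall through
        else:
            return "permerror", counter[0]
        if matched:
            return RESULT[qual], counter[0]
    return "neutral", counter[0]        # fell off the end of the record
```

With the record above, a web server listed in the domain's A/AAAA set passes after one lookup, a sender inside the included netblock passes after three, and an unknown sender ends at `softfail` because the record closes with `~all`; changing that to `-all` turns the same outcome into `fail`.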