I am looking to set up a TXT SPF record that has 2 included domains...individually:
v=spf1 include:hotmail.com ~all
and
v=spf1 include:servers.mcsv.net ?all
What is the proper way of combining them into a single item?
The RFC says this about include:
The "include" mechanism triggers a recursive evaluation of check_host().
- The <domain-spec> is expanded as per Section 7.
- check_host() is evaluated with the resulting string as the <domain>. The <ip> and <sender> arguments remain the same as in the current evaluation of check_host().
- The recursive evaluation returns match, not-match, or an error.
- If it returns match, then the appropriate result for the "include" mechanism is used (e.g., include or +include produces a "pass" result and -include produces "fail").
- If it returns not-match or an error, the parent check_host() resumes processing as per the table below, with the previous value of <domain> restored.
A "pass" result means the client is authorized to inject mail with the given identity. The domain can now, in the sense of reputation, be considered responsible for sending the message. Further policy checks can now proceed with confidence in the legitimate use of the identity. This is further discussed in Appendix G.1.
A "fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. Disposition of SPF fail messages is a matter of local policy. See Appendix G.2 for considerations on developing local policy.
A "softfail" result ought to be treated as somewhere between "fail" and "neutral"/"none". The ADMD believes the host is not authorized but is not willing to make a strong policy statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal.
A "neutral" result indicates that although a policy for the identity was discovered, there is no definite assertion (positive or negative) about the client.
A "neutral" result MUST be treated exactly like the "none" result; the distinction exists only for informational purposes. Treating "neutral" more harshly than "none" would discourage ADMDs from testing the use of SPF records (see Section 10.1).
v=spf1 include:hotmail.com ~all
hotmail.com
then pass it, otherwise treat it as suspicious.
v=spf1 include:servers.mcsv.net ?all
servers.mcsv.net
then pass it, otherwise treat it as if there was no SPF record.
If you want unmatched emails to be treated as neutral, use:
v=spf1 include:hotmail.com include:servers.mcsv.net ?all
If you want it to be treated as being suspicious, then use:
v=spf1 include:hotmail.com include:servers.mcsv.net ~all
I have made a site (https://www.checkspf.net/), which allows you to see an SPF record explained, with each individual part of the record explained. It is a work-in-progress site though, so there may be some issues. I am open to Pull Requests with fixes or issue reports.
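The include evaluation quoted from the RFC above can be traced with a small evaluator. This is an added example, not code from the answer or from checkspf.net. It supports only the ip4, include and all mechanisms, and the zone contents (example.org, example.net, and the documentation IP ranges standing in for the two providers' servers) are constructed placeholders, not the records those domains actually publish.

```python
import ipaddress

# Constructed zone data for illustration only (documentation IP ranges,
# NOT the real records published by hotmail.com or servers.mcsv.net).
ZONE = {
    "example.org": "v=spf1 include:hotmail.com include:servers.mcsv.net ~all",
    "example.net": "v=spf1 include:hotmail.com include:servers.mcsv.net ?all",
    "hotmail.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "servers.mcsv.net": "v=spf1 ip4:198.51.100.0/24 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified check_host(): evaluates ip4, include and all, left to right."""
    if depth > 10:  # crude recursion guard; the RFC limits DNS-querying terms
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = ipaddress.ip_address(ip) in net
        elif name == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            # Only an inner "pass" is a match. The included record's own
            # ~all or ?all yields not-match and never becomes the result.
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, check_host(ip, "example.org"), check_host(ip, "example.net"))
```

An address covered by either included domain passes under both combined records; an address covered by neither gets the result of the outer record's final all term, whatever qualifier the included records end with.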