I previously didn't have any SPF set up on my domain. I use Google Workspace. I now use the SendGrid API.
This is what I set as the SPF record:
v=spf1 include:_spf.google.com include:_mailcust.gandi.net include:sendgrid.net ~all
SendGrid verified.
However, on an email that was sent using Gmail I received a bounce back (email addresses redacted for security):
550 5.7.23 : Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://spf.libraesva.com/Why?s=mfrom;[email protected];ip=209.85.218.45;[email protected]
And on that link it states...
...they need to change xxxx.com SPF record so that it authorizes mail-ej1-f45.google.com (209.85.218.45). They should add this to their SPF record:
a:mail-ej1-f45.google.com
But I am curious to know why I need to use a:mail-ej1-f45.google.com instead of or as well as include:_spf.google.com.
I contacted Google support about this and they stated:
If you're using sendgrid and Gmail and please add the below SPF records "v=spf1 include:_spf.google.com include include:sendgrid.net ~all"
But this is what I had already set as the SPF record and they haven't been much help since contacting them.
Currently my SPF looks like the following below, but I'd like to know:
Why do I have to add a:mail-ej1-f45.google.com to the SPF record?
Can I have both include:_spf.google.com and a:mail-ej1-f45.google.com in the record?
"v=spf1 include:_spf.google.com include:_mailcust.gandi.net include:sendgrid.net a:mail-ej1-f45.google.com ~all"
mail-ej1-f45.google.com is 209.85.218.45, which is included by _netblocks.google.com, which is in turn included by _spf.google.com. xxxx.com, for example. _spf.google.com already. Google sends email from many different IPs; that one just happened to be the one this particular email was sent from.
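
The include chain described in the answer above, walked by a simplified SPF evaluator. This is an added example, not part of the original post. The xxxx.com record is the asker's; the other TXT records and their CIDR ranges are constructed stand-ins for live DNS, and `check_host` is a hypothetical helper covering only the ip4/ip6, include and all mechanisms.

```python
import ipaddress

# Constructed TXT records standing in for live DNS. The xxxx.com record is the
# asker's; every other record and CIDR range is an illustrative assumption.
ZONE = {
    "xxxx.com": "v=spf1 include:_spf.google.com include:_mailcust.gandi.net "
                "include:sendgrid.net ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:209.85.128.0/17 ~all",
    "_mailcust.gandi.net": "v=spf1 ip4:192.0.2.0/24 ?all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified RFC 7208 check_host (ip4/ip6, include, all only).

    Returns (result, path), where path lists the (domain, term) pairs that
    produced the result, outermost record first.
    """
    if depth > 10:  # crude stand-in for the RFC's limit of 10 DNS lookups
        return "permerror", []
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none", []
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        sub_path = []
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner, sub_path = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror", [(domain, mech)]
            # include matches only on an inner pass; the inner ~all never leaks out
            matched = inner == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, redirect are outside this sketch
        if matched:
            return QUALIFIERS[qualifier], [(domain, mech)] + sub_path
    return "neutral", []
```

Calling `check_host("209.85.218.45", "xxxx.com")` returns the result together with the chain of terms that matched, which makes it visible that the address is reached through include:_spf.google.com without any a: mechanism.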