
I previously didn't have any SPF set up on my domain. I use Google Workspace. I now use the SendGrid API.

This is what I set as the SPF record

v=spf1 include:_spf.google.com include:_mailcust.gandi.net include:sendgrid.net ~all

SendGrid verified.

However, on an email that was sent using Gmail I received a bounce back (email addresses redacted for security):

550 5.7.23 : Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://spf.libraesva.com/Why?s=mfrom;[email protected];ip=209.85.218.45;[email protected]

And on that link it states...

...they need to change xxxx.com SPF record so that it authorizes mail-ej1-f45.google.com (209.85.218.45). They should add this to their SPF record:
a:mail-ej1-f45.google.com

But I am curious to know why I need to use a:mail-ej1-f45.google.com instead of or as well as include:_spf.google.com

I contacted Google support about this and they stated:

If you're using sendgrid and Gmail and please add the below SPF records "v=spf1 include:_spf.google.com include include:sendgrid.net ~all"

But this is what I had already set as the SPF record and they haven't been much help since contacting them.

Currently my SPF looks like the following, but I'd like to know:

1. Why I have to add a:mail-ej1-f45.google.com to the SPF record
2. Can I have both include:_spf.google.com and a:mail-ej1-f45.google.com in the record?

"v=spf1 include:_spf.google.com include:_mailcust.gandi.net include:sendgrid.net a:mail-ej1-f45.google.com ~all"

  • Can you give us the actual domain in question? Your SPF record looks fine on paper, so I'm wondering if it's actually correctly in place. Ignore the generalized advice on that page; mail-ej1-f45.google.com is 209.85.218.45 which is included by _netblocks.google.com which is in turn included by _spf.google.com.
    – ceejayoz
    Commented Mar 19 at 19:46
  • @ceejayoz apracticeforeverydaylife.com and that's interesting... Google support didn't seem to have a clue
    Commented Mar 19 at 20:29
  • I doubt the issue is on Google's end. How soon after the new SPF record did you get the bounce from Libraesva? Is it possible they just had the old record cached?
    – ceejayoz
    Commented Mar 19 at 20:46
  • I would not assume that help page and the actual mailserver in question use the exact same systems and caches. If you visit spf.libraesva.com/… it does a lookup for xxxx.com, for example.
    – ceejayoz
    Commented Mar 19 at 21:01
  • Yes, that's redundant, because it's included in the IP ranges referenced by _spf.google.com already. Google sends email from many different IPs; that one just happened to be the one this particular email was sent from.
    – ceejayoz
    Commented Mar 19 at 21:06

1 Answer

This is not hard.

Find the address of mail-ej1-f45.google.com (it's 209.85.218.45). Look up the TXT record for _spf.google.com:

"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

Look up each of the listed records. Actually, you only need to check the first to find:

"v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

mail-ej1-f45.google.com is in 209.85.128.0/17

So if you sent from a domain with an SPF record containing "include:_spf.google.com" and it failed for bad SPF, then the issue is at the receiving end.
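The answer's manual walk (resolve the sender IP, follow include:_spf.google.com down to _netblocks.google.com, match it against ip4:209.85.128.0/17) is exactly what a receiving mail server's SPF check_host() does. The following is an added example, not code from the answerer or from any SPF library: a simplified RFC 7208 evaluator that follows include chains, matches ip4/ip6/a mechanisms and counts the DNS lookups the record costs. It runs offline against an embedded stand-in for DNS; the example.com, _spf.google.com and _netblocks.google.com records are the ones quoted on this page, while every other TXT record, the A record table and the domain names only-a.example are constructed placeholders, not Google's, SendGrid's or Gandi's real published data. It also answers both of the question's points: the a: mechanism is redundant because the include already passes, and adding it still costs one of the ten lookups a receiver allows.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. example.com,
# _spf.google.com and _netblocks.google.com hold the records quoted on the
# page; everything else is a placeholder and not the real published data.
TXT_RECORDS = {
    "example.com": ("v=spf1 include:_spf.google.com include:_mailcust.gandi.net "
                    "include:sendgrid.net a:mail-ej1-f45.google.com ~all"),
    "only-a.example": "v=spf1 a:mail-ej1-f45.google.com ~all",          # placeholder domain
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": ("v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
                              "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 "
                              "ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 "
                              "ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"),
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8:1::/48 ~all",        # placeholder
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",        # placeholder
    "_mailcust.gandi.net": "v=spf1 ip4:203.0.113.0/24 ~all",            # placeholder
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 ~all",                     # placeholder
}
A_RECORDS = {"mail-ej1-f45.google.com": ["209.85.218.45"]}  # address quoted on the page

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s.4.6.4: more than 10 lookup-consuming terms is a permerror


def _check(ip, domain, state):
    """Simplified check_host(): ip4, ip6, a, include and all are modelled;
    mx, ptr, exists, redirect=, exp= and dual-CIDR lengths are not."""
    record = TXT_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # A v4 address is never contained in a v6 network, and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "a":
            state["lookups"] += 1                     # costs a DNS lookup
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(a)
                          for a in A_RECORDS.get(target.lower(), []))
        elif name == "include":
            state["lookups"] += 1                     # costs a DNS lookup
            sub = _check(ip, arg, state)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"                   # only an inner pass matches
        elif name == "all":
            matched = True
        else:
            return "permerror"                        # mechanism not modelled here
        if state["lookups"] > MAX_LOOKUPS:
            return "permerror"
        if matched:
            result = QUALIFIERS[qual]
            if result == "pass":                      # record the path that authorized the IP
                state["trail"].append(f"{domain}: {qual}{name}" + (f":{arg}" if arg else ""))
            return result
    return "neutral"


def evaluate(ip, domain):
    """Return (result, lookups used, outer-to-inner trail of the matching mechanisms)."""
    state = {"lookups": 0, "trail": []}
    result = _check(ip, domain, state)
    return result, state["lookups"], list(reversed(state["trail"]))


def count_lookups(domain, _seen=None):
    """Count every lookup-consuming term a receiver would resolve for this
    record, regardless of which one matches first."""
    seen = _seen if _seen is not None else set()
    total = 0
    for term in TXT_RECORDS.get(domain.lower(), "").split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name == "include":
            total += 1
            if arg.lower() not in seen:
                seen.add(arg.lower())
                total += count_lookups(arg, seen)
    return total


if __name__ == "__main__":
    for ip, dom in [("209.85.218.45", "example.com"),
                    ("209.85.218.45", "only-a.example"),
                    ("198.18.0.1", "example.com")]:
        result, used, trail = evaluate(ip, dom)
        print(f"{ip} via {dom}: {result} ({used} lookups) {' -> '.join(trail)}")
    print("lookup budget used by example.com:", count_lookups("example.com"), "of", MAX_LOOKUPS)
```

For the bounced message's IP the evaluator passes through include:_spf.google.com after two lookups and never reaches a:mail-ej1-f45.google.com, which is why the comment thread calls that mechanism redundant. The count_lookups() figure is worth watching when stacking includes from several providers: with the placeholder records here the record already spends 7 of the 10 allowed lookups, and real provider includes are typically deeper, so an unneeded a: can be the term that pushes a record over the limit and turns every check into a permerror.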
