It would be easy to say: just add both addresses to the record:

    "v=spf1 +ip4:198.51.100.111 +ip4:203.0.113.222 ~all"

...but there is a bit more to this.
- You are probably not sending mail with `mail.example.com` as the envelope sender, but `example.com`, which marks where this policy allowing both should be.
- HELO hostnames can and should be protected with SPF, too.
- You should publish an SPF record for every A record. Otherwise your subdomains could be used as an envelope sender.
These are explained in more detail in this answer.
So, if you have, e.g.,
example.com. IN A 203.0.113.222
www.example.com. IN A 203.0.113.222
mail.example.com. IN A 198.51.100.111
example.com. IN MX mail.example.com.
Your SPF records could look like this:
example.com. IN TXT "v=spf1 +ip4:198.51.100.111 +ip4:203.0.113.222 ~all"
www.example.com. IN TXT "v=spf1 +a ~all"
mail.example.com. IN TXT "v=spf1 +a ~all"
Although the `ip4` mechanism reduces DNS queries, you don't need to use it:
example.com. IN TXT "v=spf1 +mx +a ~all"
Here, the `mx` expands to `ip4:198.51.100.111` and `a` to `ip4:203.0.113.222`.
You could replace the `~all` (soft fail) with `-all` (hard fail). However, e.g., Freddie Leeman's The Ultimate SPF / DKIM / DMARC Best Practices 2023 suggests using soft fails for a good reason:
> The use of `~all` (softfail) instead of `-all` (fail) is best practice, as the latter can cause receiving servers to block the message at SMTP transmission instead of evaluating possible DKIM signatures and DMARC policies.