
How do I craft an SPF record for mail.example.com when mail for the domain is sent from two locations:

  1. The mail server located at public IP address 198.51.100.111 aka mail.example.com.

  2. The web server which is located at public IP address 203.0.113.222.

  • Thanks Nikita, I will forgo that idea. Please see the edit for the follow-up question. Commented Sep 6, 2023 at 23:00
  • If both addresses originate mail, add both. Though, better I think is to set up your web app to still send all mail through your mail server, with authentication. The mail server could do proper DKIM signing, and it will be the only entity enabled in SPF; that way, you'll have some safeguard against security breaches in your web applications. Commented Sep 7, 2023 at 3:21

1 Answer


It would be easy to say to just add both addresses to the record:

"v=spf1 +ip4:198.51.100.111 +ip4:203.0.113.222 ~all"

...but there is a bit more to this.

  • You are probably not sending mail with mail.example.com as the envelope sender, but example.com, which marks where this policy allowing both should be.
  • HELO hostnames can and should be protected with SPF, too.
  • You should publish an SPF record for every A record. Otherwise your subdomains could be used as an envelope sender.

These are explained in more detail in this answer.

So, if you have, e.g.,

example.com.       IN  A    203.0.113.222
www.example.com.   IN  A    203.0.113.222
mail.example.com.  IN  A    198.51.100.111
example.com.       IN  MX   mail.example.com.

Your SPF records could look like this:

example.com.       IN  TXT  "v=spf1 +ip4:198.51.100.111 +ip4:203.0.113.222 ~all"
www.example.com.   IN  TXT  "v=spf1 +a ~all"
mail.example.com.  IN  TXT  "v=spf1 +a ~all"

Although the ip4 mechanism reduces DNS queries, you don't need to use it:

example.com.       IN  TXT  "v=spf1 +mx +a ~all"

Here, the mx expands to ip4:198.51.100.111 & a to ip4:203.0.113.222.


You could replace the ~all (soft fail) with -all (hard fail). However, e.g., Freddie Leeman's The Ultimate SPF / DKIM / DMARC Best Practices 2023 suggests using soft fails for a good reason:

The use of ~all (softfail) instead of -all (fail) is best practice, as the latter can cause receiving servers to block the message at SMTP transmission instead of evaluating possible DKIM signatures and DMARC policies.
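As an added example that is not part of the original answer, here is a minimal, offline SPF evaluator that walks the example zone above and reports which sender IPs each record authorises, and how ~all and -all differ for an unlisted IP. The zone dictionary and sender IPs are constructed from the records in the answer; only the ip4, a, mx and all mechanisms are implemented, so this is a teaching stub, not an RFC 7208 library.

```python
import ipaddress

# Constructed zone data, copied from the example records in the answer above.
ZONE = {
    "example.com.":      {"A": ["203.0.113.222"], "MX": ["mail.example.com."],
                          "TXT": "v=spf1 +mx +a ~all"},
    "www.example.com.":  {"A": ["203.0.113.222"], "TXT": "v=spf1 +a ~all"},
    "mail.example.com.": {"A": ["198.51.100.111"], "TXT": "v=spf1 +a ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Simulated DNS: records of type rtype for name, or [] if none."""
    return ZONE.get(name, {}).get(rtype, [])

def check_spf(domain, sender_ip, record=None):
    """Evaluate the SPF record of `domain` (or an explicit `record` string)
    for `sender_ip`. Returns (result, matched_term). Only ip4, a, mx and all
    are implemented; include/redirect/exists/ptr and CIDR suffixes on a/mx
    are not, so this is a teaching stub, not an RFC 7208 implementation."""
    ip = ipaddress.ip_address(sender_ip)
    record = record or ZONE.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none", None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            # bare "a" means the A records of the domain being checked
            matched = str(ip) in lookup(value or domain, "A")
        elif name == "mx":
            # "mx" resolves each MX hostname to its A records (2 lookups here)
            matched = any(str(ip) in lookup(mx, "A")
                          for mx in lookup(value or domain, "MX"))
        else:
            return "permerror", term
        if matched:
            return QUALIFIERS[qualifier], term
    return "neutral", None  # no matching term and no "all": RFC 7208 default

if __name__ == "__main__":
    for d, ip in [("example.com.", "198.51.100.111"), ("example.com.", "203.0.113.222"),
                  ("www.example.com.", "198.51.100.111"), ("example.com.", "192.0.2.9")]:
        print(f"{d:20} {ip:16} -> {check_spf(d, ip)}")
```

Passing the ip4-only record from the top of the answer as the `record` argument shows it authorising the same two addresses without the MX and A lookups.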

  • What's wrong with the intention of ultimately blocking mail when it comes from wrong source address, even without considering signatures? Something is already wrong, why bother checking anything else? E.g. "can cause receivers to block" — what's wrong with wanting exactly that, and why shouldn't I? Commented Sep 7, 2023 at 6:11
  • Also, your answer made me think, is it worth having www.example.com. IN TXT "v=spf1 -all" when everything is set up so there should be no legitimate mail with envelope senders like [email protected]? Commented Sep 7, 2023 at 6:15
  • The "could look like this" is intended to express an example, and having +a is just a safety mechanism if OP didn't configure their systems as in the question, as they are clearly not familiar with SPF, yet. Commented Sep 7, 2023 at 7:58
  • Personally I still prefer -all as I have configured my mail systems so that neither SPF nor DKIM ever fails, and forwarding is a problem of anyone forwarding, anyway (they should rewrite the envelope sender), but I also understand the reasoning in the article. -all is good for receiving systems that don't yet support DKIM & DMARC, but with a strict DMARC policy there's no real practical difference in using ~all. Commented Sep 7, 2023 at 8:02
