
How do I craft a SPF record for mail.example.com when mail for the domain is sent from two locations:

  1. The mail server located at public IP address 198.51.100.111 aka mail.example.com.

  2. The web server which is located at public IP address 203.0.113.222.

Esa Jokinen

1 Answer

It would be easy to say to just add both addresses to the record:

"v=spf1 +ip4:198.51.100.111 +ip4:203.0.113.222 ~all"

...but there is a bit more to this.

  • You are probably not sending mail with mail.example.com as the envelope sender, but example.com, which marks where this policy allowing both should be.
  • HELO hostnames can and should be protected with SPF, too.
  • You should publish an SPF record for every A record. Otherwise your subdomains could be used as an envelope sender.

These are explained in more detail in this answer.

So, if you have, e.g.,

example.com.       IN  A    203.0.113.222
www.example.com.   IN  A    203.0.113.222
mail.example.com.  IN  A    198.51.100.111
example.com.       IN  MX   mail.example.com.

Your SPF records could look like this:

example.com.       IN  TXT  "v=spf1 +ip4:198.51.100.111 +ip4:203.0.113.222 ~all"
www.example.com.   IN  TXT  "v=spf1 +a ~all"
mail.example.com.  IN  TXT  "v=spf1 +a ~all"

Although the ip4 mechanism reduces DNS queries, you don't need to use it:

example.com.       IN  TXT  "v=spf1 +mx +a ~all"

Here, the mx expands to ip4:198.51.100.111 & a to ip4:203.0.113.222.


You could replace the ~all (soft fail) with -all (hard fail). However, e.g., Freddie Leeman's The Ultimate SPF / DKIM / DMARC Best Practices 2023 suggests using soft fails for a good reason:

The use of ~all (softfail) instead of -all (fail) is best practice, as the latter can cause receiving servers to block the message at SMTP transmission instead of evaluating possible DKIM signatures and DMARC policies.

Esa Jokinen
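To make the expansion of the mx and a mechanisms in the answer above concrete, here is a small SPF evaluator added as an illustration; it is not code from the answer or from any SPF library. It works against a constructed in-memory copy of the zone shown in the answer instead of live DNS, supports only the ip4, a, mx and all mechanisms (no include, redirect, ptr, exists, ip6 or macros), and applies the RFC 7208 limit of 10 DNS-querying mechanisms, which is the reason the answer mentions ip4 reducing DNS queries. The zone entries, the extra hostname other.example.com and the sender IP 192.0.2.1 are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed zone data mirroring the answer's example (no real DNS lookups).
ZONE = {
    ("example.com.", "A"): ["203.0.113.222"],
    ("www.example.com.", "A"): ["203.0.113.222"],
    ("mail.example.com.", "A"): ["198.51.100.111"],
    ("other.example.com.", "A"): ["203.0.113.222"],   # constructed: A record without SPF
    ("example.com.", "MX"): ["mail.example.com."],
    ("example.com.", "TXT"): ["v=spf1 +mx +a ~all"],
    ("www.example.com.", "TXT"): ["v=spf1 +a ~all"],
    ("mail.example.com.", "TXT"): ["v=spf1 +a ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed zone."""
    fqdn = name if name.endswith(".") else name + "."
    return ZONE.get((fqdn, rtype), [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def matches(name, arg, domain, ip):
    """True if mechanism <name>[:<arg>] matches the sender IP for <domain>."""
    if name == "all":
        return True
    if name == "ip4":
        return ip in ip_network(arg, strict=False)
    if name == "a":
        # "a" checks the A records of the domain (or of the optional argument).
        return any(ip == ip_address(a) for a in lookup(arg or domain, "A"))
    if name == "mx":
        # "mx" checks the A records of every MX host of the domain.
        for mx in lookup(arg or domain, "MX"):
            if any(ip == ip_address(a) for a in lookup(mx, "A")):
                return True
        return False
    raise ValueError(f"unsupported mechanism: {name}")


def evaluate(record, domain, ip):
    """Evaluate an SPF record string for a sender IP and return the SPF result."""
    ip = ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    dns_lookups = 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("a", "mx"):
            dns_lookups += 1
            if dns_lookups > MAX_DNS_LOOKUPS:
                return "permerror"
        try:
            hit = matches(name, arg, domain, ip)
        except ValueError:
            return "permerror"
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def check_host(ip, domain):
    """Look up the domain's SPF record and evaluate it for the sender IP."""
    record = spf_record(domain)
    if record is None:
        return "none"
    return evaluate(record, domain, ip)


if __name__ == "__main__":
    for ip, domain in [("198.51.100.111", "example.com"),
                       ("203.0.113.222", "example.com"),
                       ("192.0.2.1", "example.com"),
                       ("198.51.100.111", "mail.example.com"),
                       ("203.0.113.222", "mail.example.com"),
                       ("203.0.113.222", "other.example.com")]:
        print(f"{ip:>15} as {domain:<18} -> {check_host(ip, domain)}")
```

Running it shows the mx and a terms of example.com resolving to the two addresses, the HELO record of mail.example.com soft-failing the web server's address, and other.example.com returning "none" because it has an A record but no SPF record, which is the gap the answer's third bullet warns about. Passing a record with -all to evaluate returns "fail" instead of "softfail" for the same unmatched sender.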