I'm completely new to Stack Overflow, so Hi!
I need to add an SPF record to my site "main.com" (not the real address) to allow an email publishing company "emailpublishers.com" (not the real address) to send emails on my behalf. However, I'm nervous about adding an SPF record because of the havoc it could wreak if done incorrectly.
I use Google Apps. I also use "auxiliary.com" to send mail from "main.com." And, of course, I use "main.com" to send mail as well. "auxiliary.com" doesn't have an SPF record.
I used Microsoft's and OpenSPF's wizards to generate the following SPF entry. Does it seem to be correct for me?
"v=spf1 a mx ip4:55.55.555.55 mx:alt1.aspmx.l.google.com mx:alt2.aspmx.l.google.com mx:aspmx.l.google.com mx:aspmx2.googlemail.com mx:aspmx3.googlemail.com mx:aspmx4.googlemail.com mx:aspmx5.googlemail.com a:auxiliary.com include:_spf.google.com include:auxiliary.com mx:auxiliary.com include:emailpublishers.com mx:emailpublishers.com ~all"
However, my host MediaTemple says in a knowledge base article to use:
v=spf1 a:main.com/20 ~all
So that added to my confusion.
Thanks a lot!
First things first: SPF only specifies what servers will send outgoing emails from your domain. I came up with this record:
v=spf1 a mx ip4:1.1.1.1 include:_spf.google.com include:emailpublishers.com ~all
Definition: a and mx: allow your domain's @ A record and MX servers to send email. This covers your domain's @ A record and all of your MX records (may be a little redundant in this case but doesn't hurt).
ip4:1.1.1.1: the IP address should be auxiliary.com's outgoing email server IP address. You may have to add several of these, but this allows auxiliary.com to send emails on your behalf.
include:_spf.google.com: this allows Google Apps to send email for main.com (this is why the mx tag above may be redundant, since main.com's MX records are Google Apps).
include:emailpublishers.com: you'll want to ask emailpublishers.com what SPF to use for this one but I imagine it's similar. If they have one, replace this one with theirs.
~all: softfail any emails from main.com that come from servers not listed in this record. This tells spam filters to use SPF as one of the criteria to flag an email as spam. Using -all is a hardfail, which means anything the SPF record doesn't catch is spam. This can lead to false positives though.
(edit) Once you're done, test it out by sending emails to a Gmail account. Gmail logs in the headers whether the email passed an SPF check. It's incredibly useful for testing.
(edit 2) The 'a' in the SPF record only allows your domain's @ A record to send mail, not all of your A records. E.g. example.org with the SPF record v=spf1 a ~all would allow example.org to send mail, but not beta.example.org or testing.example.org. Fixed it above.
Also, be careful if you forward mail from your mail system and have spf checks enabled on your mail server, because your SPF checks will catch your own forwards because it'll look like you are originating mail for some domain that's not yours and also happens to have SPF records.
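To see how a receiver walks a record like the one in the answer (first matching term wins, `include` only counts when the included record passes, `~all` versus `-all`), here is a toy SPF evaluator over a constructed in-memory DNS table. It is an added example, not code from the question or answer; every domain, host and address in it is constructed, and it implements only the mechanisms the answer's record uses plus the RFC 7208 limit of 10 DNS-querying mechanisms.

```python
"""Toy SPF evaluator over a constructed in-memory DNS table (added example, not
from the question or answer). Covers the mechanisms the answer's record uses
(a, mx, ip4, include, all), the qualifiers, and the RFC 7208 10-lookup limit;
all names and addresses are constructed (RFC 5737 documentation ranges)."""
import ipaddress
DNS = {  # (name, rrtype) -> list of record strings; constructed zone data
    ("main.com", "TXT"): ["v=spf1 a mx ip4:198.51.100.50 "
                          "include:_spf.google.com include:emailpublishers.com ~all"],
    ("main.com", "A"): ["198.51.100.10"],
    ("beta.main.com", "A"): ["198.51.100.99"],   # NOT covered by a bare "a"
    ("main.com", "MX"): ["aspmx.l.google.com"],
    ("aspmx.l.google.com", "A"): ["203.0.113.27"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("emailpublishers.com", "TXT"): ["v=spf1 ip4:192.0.2.200 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, dns=DNS, lookups=None):
    """SPF result for mail from `ip` claiming `domain`; first matching term wins."""
    lookups = [0] if lookups is None else lookups  # counter shared with includes
    addr = ipaddress.ip_address(ip)
    txt = [r for r in dns.get((domain, "TXT"), []) if r.startswith("v=spf1 ")]
    if len(txt) != 1:
        return "none" if not txt else "permerror"  # no record, or more than one
    for term in txt[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.partition(":")
        if mech in ("a", "mx", "include"):  # each of these costs a DNS query
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":   # bare "a" = the sender domain's own A record only
            matched = str(addr) in dns.get((arg or domain, "A"), [])
        elif mech == "mx":  # "mx:name" means the MX hosts of name, not name itself
            hosts = dns.get((arg or domain, "MX"), [])
            matched = any(str(addr) in dns.get((h, "A"), []) for h in hosts)
        elif mech == "include":  # matches only if the included record passes
            sub = check_host(ip, arg, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism this toy evaluator does not implement
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record ended without an "all" term
```

Running `check_host` against the constructed table shows a Google MX host and the auxiliary IP passing, a host covered only by beta.main.com's A record softfailing (the answer's edit 2), and an include loop ending in permerror once the lookup limit is hit; note that `mx:hostname` asks for that hostname's own MX records, so entries such as the question's `mx:aspmx.l.google.com` do not match the Google hosts themselves.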