I've found this wonderful explanation of SPF on http://www.openspf.org/SPF_Record_Syntax and I had it working on my older setup.
Setup has changed and I find myself on the ropes again.
I have an external DNS service. A router on a dynamic IP connection. A server with a 10.0.1.3 internal IP. DNS records on this server, stating that server.example.com points to 10.0.1.3. I use the server DNS to resolve its own and local network queries. I also have an app installed to send my external DNS service updates if the router IP changes.
What I've figured out so far is that in this particular case I might be able to successfully use a TXT record along the lines of
"v=spf1 a:server.example.com -all"
Would this work? Assuming the IP doesn't change exactly when the email is sent... What would be the best way to go about setting this up?
Thank you!
PS. In my understanding I might be able to use "v=spf1 mx -all" and have my server.example.com as an MX record, and in turn server.example.com dynamically updating to my IP when it changes. This way when some receiver gets an email from my IP... this checks the MX record to see if the IP is in that list, then it gets server.example.com as the response which in turn always resolves to my latest dynamic IP.
SPF depends on DNS.
The DNS system uses Time To Live to reduce request load on DNS servers. This means changes in DNS don't instantly propagate to the entire internet.
Therefore, it is not really possible to make your planned config completely failsafe as long as the public IP of your mail server can suddenly change.
Your first option should be to try and get a static IP. Some ISPs offer this as an addon service.
If this is not feasible, I would recommend you send mail through another mail server which does have a static IP. This would allow you to specify this server in your SPF record and have it be much more dependable.
You can set up your OS X server to relay all outgoing mail through a specified server. For this to always work, the relay server must be configured to recognize and trust your server even when your server changes IP address. I work for an ISP which provides this type of mail relay service, and I'm sure others do as well.
PS: It is not wise to rely on very low TTL in DNS. First off, many DNS admins configure their DNS resolvers to ignore low TTL. Second, however low you set TTL, there will always be a window of failure for any service which depends on correct DNS data. Your best bet is to set up your services such that DNS changes occur very rarely.
Use the a or mx entries as you describe and it will work if you update the DNS directly. The reverse lookup issue is most easily addressed by adding an additional 'a' entry that corresponds to your current IP.
For example, my edge ip is 172.16.1.1 - host37.ispname.somecom. Rather than using 'myname.mycom' I put a CNAME in on my domain that points to the ISP FQDN. That way forward and reverse ultimately will check out. I don't believe there is any restriction for the SPF to point to a CNAME (which then points to the ISP FQDN). Or, more easily, just update the SPF rather than the 'a' to correspond to the real FQDN.
I wouldn't recommend this if it is your residence though. You are potentially exposing location information by pushing your current IP up into DNS for anyone that has your email address.
To be honest I wouldn't get caught up on SPF-records, they are used very inconsistently. In my experience, a lot of receiving mailservers do not use the SPF check, and if they do they mostly add a point towards your spam-score.
However, if you do want to continue using SPF records in combination with your dynamic IP address, make sure your TTL on that DNS record is as low as possible. And also make your SPF record end with ~all instead of -all (~all is the most commonly used mechanism in my experience).
Note
If -all is specified, and your IP does not match, the server is supposed to reject the message.
If ~all is specified, and your IP does not match, the server is supposed to accept the message but flag it.
(Source: http://www.openspf.org/SPF_Record_Syntax)
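To make the TTL problem from the first answer and the -all/~all difference from the last one concrete, here is an added example (not from the original post or any of its answers): a minimal SPF evaluator run against a constructed in-memory DNS table, where server.example.com has just moved to a new IP but a stale resolver cache still returns the old address. All names and addresses are made up; it only implements the a, mx, ip4 and all terms used on this page, not full RFC 7208.

```python
# Added example, not from the original post: a tiny SPF evaluator over a
# constructed DNS table, to show what a receiver sees during the window
# where its resolver still caches the old A record for a dynamic IP.
import ipaddress

# Constructed zone data. server.example.com now lives at 203.0.113.20, but a
# resolver that cached the old answer (TTL not yet expired) still sees .10.
FRESH_DNS = {
    ("example.com", "TXT"): ["v=spf1 a:server.example.com mx -all"],
    ("example.com", "MX"): ["server.example.com"],
    ("server.example.com", "A"): ["203.0.113.20"],
}
STALE_DNS = dict(FRESH_DNS)
STALE_DNS[("server.example.com", "A")] = ["203.0.113.10"]


def lookup(dns, name, rtype):
    """Return the records of type rtype for name from the in-memory table."""
    return dns.get((name, rtype), [])


def check_spf(dns, domain, sender_ip, record=None):
    """Evaluate domain's SPF record (or an explicit one) for sender_ip.

    Returns "pass", "fail", "softfail", "neutral" or "none", following the
    qualifier (+ - ~ ?) of the first mechanism that matches.
    """
    ip = ipaddress.ip_address(sender_ip)
    record = record or next((r for r in lookup(dns, domain, "TXT")
                             if r.startswith("v=spf1")), None)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                    # "a" alone means the domain itself
            matched = sender_ip in lookup(dns, arg or domain, "A")
        elif mech == "mx":                   # every MX host's A records
            matched = any(sender_ip in lookup(dns, mx, "A")
                          for mx in lookup(dns, arg or domain, "MX"))
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                         # no mechanism matched, no "all"


if __name__ == "__main__":
    for name, dns in (("fresh", FRESH_DNS), ("stale", STALE_DNS)):
        print(name, check_spf(dns, "example.com", "203.0.113.20"))
```

With the fresh table the mail passes; with the stale table the same message fails outright under -all and only softfails under ~all, which is exactly the window the first answer warns about.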