What is the correct SPF record for using both Amazon SES and Google Apps

What would be the correct SPF record to use for both Amazon SES and Google Apps together:

Google Apps says they want you to have the tilde "~" in it (http://support.google.com/a/bin/answer.py?hl=en&answer=178723), but most other examples have a dash "-" instead.

Amazon wants: "v=spf1 include:amazonses.com -all"

Google wants: "v=spf1 include:_spf.google.com ~all"


We currently have this, combining the two:

TXT "v=spf1 include:amazonses.com include:_spf.google.com ~all"

SPF "v=spf1 include:amazonses.com include:_spf.google.com ~all"


1) Is this the correct SPF record?

2) Are we missing anything? Should this record be exactly the same for both the TXT and SPF DNS records? That is all we have; we don't have anything else.

We only send email from Google Apps and Amazon SES, nothing else.

Random5000 asked Sep 22 '13 08:09




2 Answers

  1. Publish a TXT record:

    "v=spf1 include:_spf.google.com include:amazonses.com ~all"
    

    Amazon SES documentation says that no additional SPF configuration is required for a domain, but it turns out that adding include:amazonses.com to the record makes Sender ID pass as well. Even though Sender ID is considered obsolete, some receivers may still implement it.

    If Amazon SES is configured to use a custom MAIL-FROM subdomain, publish another TXT record for the subdomain:

    "v=spf1 include:amazonses.com ~all"
    

    It's good to have a custom subdomain set up for better deliverability and customer experience. For example, the domain will be displayed in the mailed-by field in Gmail.

    You can use -all instead of ~all. In this case, emails sent from sources not covered by the SPF record may be rejected by recipients.

  2. According to Section 3.1 of RFC 7208:

    SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only.

    Thus, the SPF record type is now obsolete.

  3. Regarding your comment, here is one simple way to test whether SPF works:

    • Send emails to [email protected] from both Gmail and the Amazon SES Test Email form.
    • Afterwards, search the automated reply for "SPF check: pass".

Vitaly Kuznetsov answered Oct 10 '22 03:10


The correct approach is to include each sender in the SPF record. Regarding the - or ~, these are the SPF qualifiers:

"-" = only the listed hosts are permitted

"~" = the listed hosts should send, but another sender might exist.

If you are 100% sure that you have all the senders listed, you can change the ~ to -, BUT you should not maintain both.

TXT "v=spf1 include:amazonses.com include:_spf.google.com -all"

http://www.open-spf.org/SPF_Record_Syntax/

AleJacquet answered Oct 10 '22 03:10
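The evaluation logic that both answers rely on (exactly one v=spf1 TXT record per domain, an include: for each provider, and the qualifier on all deciding between softfail and fail), as an added example that is not part of either answer or of the SES or Google documentation. It runs offline over a constructed DNS snapshot held in a dict: the ip4 ranges under _spf.google.com and amazonses.com are RFC 5737 documentation addresses standing in for the providers' real and much larger published records, and only the ip4, ip6, include and all mechanisms plus the redirect= modifier are implemented (assumption: that subset is all this scenario needs; a, mx, ptr and exists raise a permerror here rather than being resolved).

```python
"""Offline evaluator for the SPF subset discussed on this page (RFC 7208 sections 4 and 5).

Mechanisms handled: ip4, ip6, include, all, plus the redirect= modifier.
a, mx, ptr and exists are deliberately not implemented (assumption: the
Google Apps + Amazon SES scenario only needs include: per provider).
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS snapshot standing in for real TXT lookups.  The ip4 ranges
# under _spf.google.com and amazonses.com are RFC 5737 documentation
# addresses, not the providers' real published records.
DNS_TXT = {
    # the combined record from the accepted answer (soft fail for unlisted senders)
    "example.com": ["v=spf1 include:_spf.google.com include:amazonses.com ~all"],
    # the same record with -all, as in the second answer (hard fail)
    "strict.example.com": ["v=spf1 include:_spf.google.com include:amazonses.com -all"],
    # custom MAIL FROM subdomain for SES, as the accepted answer suggests
    "bounce.example.com": ["v=spf1 include:amazonses.com ~all"],
    # misconfiguration: two v=spf1 records instead of one combined record
    "broken.example.com": ["v=spf1 include:_spf.google.com ~all",
                           "v=spf1 include:amazonses.com ~all"],
    "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "amazonses.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


class PermError(Exception):
    """Raised for conditions RFC 7208 defines as permerror."""


@dataclass
class Result:
    result: str   # pass, fail, softfail, neutral, none, permerror
    lookups: int  # DNS-querying terms evaluated (must stay <= MAX_LOOKUPS)
    detail: str


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    records = [r for r in DNS_TXT.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return None
    if len(records) > 1:
        raise PermError(f"{domain} publishes {len(records)} SPF records; exactly one is allowed")
    return records[0]


def _count_lookup(counter):
    counter[0] += 1
    if counter[0] > MAX_LOOKUPS:
        raise PermError("more than 10 DNS lookups")


def _check_host(ip, domain, counter):
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term and ":" not in term:        # modifier, e.g. redirect=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue                                # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # a v4 address is never contained in a v6 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _count_lookup(counter)
            sub = _check_host(ip, arg, counter)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub == "none":                       # RFC 7208 section 5.2
                raise PermError(f"include:{arg} has no SPF record")
            # fail, softfail, neutral: the include did not match, keep going
        else:
            raise PermError(f"mechanism {name} not implemented in this example")
    if redirect:
        _count_lookup(counter)
        return _check_host(ip, redirect, counter)
    return "neutral"                                # nothing matched and no all term


def evaluate(client_ip, mail_from_domain):
    """Check client_ip against the SPF record of the MAIL FROM domain."""
    counter = [0]
    try:
        result = _check_host(ipaddress.ip_address(client_ip), mail_from_domain, counter)
        detail = ""
    except PermError as exc:
        result, detail = "permerror", str(exc)
    return Result(result, counter[0], detail)


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example.com"),         # Google range -> pass
                       ("198.51.100.5", "example.com"),         # SES range -> pass
                       ("192.0.2.1", "example.com"),            # unlisted, ~all -> softfail
                       ("192.0.2.1", "strict.example.com"),     # unlisted, -all -> fail
                       ("198.51.100.5", "bounce.example.com"),  # SES via custom MAIL FROM -> pass
                       ("192.0.2.1", "broken.example.com")]:    # two records -> permerror
        r = evaluate(ip, domain)
        print(f"{ip:>14} {domain:<22} {r.result:<9} lookups={r.lookups} {r.detail}")
```

The two cases worth noticing are broken.example.com, where splitting the providers across two TXT records yields permerror rather than either record being honoured, and the unlisted sender, where the only difference between example.com and strict.example.com is the qualifier on all. The lookups field counts include and redirect terms so a practitioner can see how much of the ten-lookup budget a record consumes; the real Google and SES records nest further includes, so the count against live DNS is higher than the one shown here.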