As you all may know, only one SPF record should be set up in the DNS records. My question however is if this also applies to other subdomains.
For example, I send emails through AWS and the given SPF record is "v=spf1 include:amazonses.com ~all" @ noreply. But I also use Protonmail with the same domain and the SPF record given there is "v=spf1 include:_spf.protonmail.ch mx ~all" @ root.
Not only is the subdomain different, but the protonmail record has a 'mx' in it too.
How am I exactly supposed to put this in my DNS?
You can quite happily have separate SPF policies for subdomains - the SPF at example.com can be different from one at mail.example.com. The contents of those records can be independent too, and there is no reason why the MX for mail.example.com can't be the same as for domain.com - in fact it is assumed to be unless you specify otherwise.
That said, it's not clear that you're needing subdomains at all, but simply to combine SPFs covering different sources for the same domain, for example the 2 examples you give could be combined as:
v=spf1 mx include:_spf.protonmail.ch include:amazonses.com ~all
The local part of the address (to the left of the @, like root@example.com or noreply@example.com) does not figure in SPF checks, so it's irrelevant.
If that's not what you meant, please expand your question.
I'm inheriting a site that came with multiple SPF records in multiple TXT records (which all of my searching up until this point has informed me is about as invalid as you can get).
Here are the records I'm working with:
Record 1: v=spf1 include:servers.mcsv.net ?all
Record 2: v=spf1 include:zoho.com ~all
Record 1 appears to be a Mailchimp record. I'm not sure if the client is using Mailchimp or not. Record 2 is obviously from Zoho, but I know for sure the client is using Zoho. Ideally, I'd like to combine these two records into one.
Both records provide a slightly different all value. Record 1 gives me ?all, and Record 2 gives me ~all. If I understand the syntax correctly, ~all should be slightly more restrictive than ?all, and I can have only one all value, which must come last in the record.
If they had the exact same all value, I could just do something like this:
v=spf1 include:servers.mcsv.net include:zoho.com ?all
If I combine the records, I'm not sure which all value I should use or why. If I set one record to start with v=spf2, I'm not sure the service will verify the record. I've been searching and haven't found any resources that touch on combining multiple SPF records that have different all values. What should I do here?
Thanks
An appropriate combination of these two would be:
v=spf1 include:servers.mcsv.net include:zoho.com ~all
?all is essentially useless - it's pretty much equivalent to not having an SPF record at all.
That's not all though - this record looks incomplete. Unless your domain only sends from mailchimp and zoho, all other mail will get a softfail response, so if you send "normal" mail from this domain using its own mail server, you probably want to add at least mx, and if you send any mail directly from the domain's web site, you would want an a mechanism too, giving:
v=spf1 mx a include:servers.mcsv.net include:zoho.com ~all
DMARC is an important factor, as @lgc_ustc said. If you're not using DMARC, I would recommend setting -all as your default mechanism to get maximum benefit from SPF, but if you are using DMARC, leave it as ~all. This is because some SPF checkers encountering a -all will reject messages immediately, rather than letting them be passed on to the DMARC layer, where a sender can be told what to do with a rejected message.
If I set one record to start with v=spf2, I'm not sure the service will verify the record.
There can be only one SPF record on any domain. If more than one SPF record is set, SPF will return PermError. See: RFC 7208
Also, all SPF records must start with "v=spf1", everything else is invalid.
?all means neutral in SPF. SPF neutral can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. This is normally controlled by a flag in your DMARC setup, and it varies across DMARC packages. If you use OpenDMARC by Trusted Domain, SPF neutral is interpreted in DMARC as fail by default.
~all means softfail in SPF. SPF softfail is a weak statement that the host is probably not authorized. The domain has not published a stronger, more definitive policy that results in a "fail". This is typically implemented by appending a ~all mechanism to an SPF record. When this mechanism is evaluated, any IP address will cause SPF to return a softfail result.
Like neutral, SPF softfail can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. In OpenDMARC, SPF softfail is interpreted in DMARC as fail by default.
Learn more in this post: Why SPF Authentication Fails: none, neutral, fail(hard fail), soft fail, temperror, and permerror Explained
I'm using Zoho mail with my domain name. I also use an SMTP service with my domain name to send newsletters.
In order for Zoho to work properly I am required to add an SPF record to my domain DNS. The SMTP service also requires me to add an SPF record.
My question is can I add multiple spf record to a domain name? If not is it possible to somehow combine the two?
These are the records I need to use:
v=spf1 include:zoho.com ~all
v=spf1 mx a ip4:91.82.206.0/24 ip4:91.83.103.0/24 ~all
Any help is appreciated.
You can't have two, but you can combine them, like this:
v=spf1 ip4:91.82.206.0/24 ip4:91.83.103.0/24 mx a include:zoho.com ~all
It's best practice to put literal IPs first as they are the fastest for receivers to check.
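As an added example (my own code, not from any answer in this thread), the combining done by hand above and in the two earlier threads as a small Python function: parse each record, deduplicate the mechanisms, put the cheap literal-IP mechanisms first as Synchro suggests, keep the strictest of the competing all qualifiers, and refuse a record that lists the same mechanism with two qualifiers (such as mx alongside -mx). The cost ordering is a convention, not something RFC 7208 requires.

```python
import re

# Receiver evaluation cost: literal IPs need no DNS lookup, a/mx need one
# or two, include: recurses. Thread convention, not an RFC requirement.
COST = {"ip4": 0, "ip6": 0, "a": 1, "mx": 2, "ptr": 3, "exists": 3, "include": 4}
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}   # +all < ?all < ~all < -all
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(.*)$")


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, rest) terms."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1: %r" % record)
    parsed = []
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            raise ValueError("unparseable term: %r" % term)
        parsed.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))  # no qualifier means '+'
    return parsed


def merge_spf(records):
    """Combine several SPF records for one domain into one: mechanisms are
    deduplicated and sorted cheapest-first, the strictest 'all' wins, and a
    mechanism carrying two different qualifiers (e.g. 'mx' and '-mx') is rejected."""
    seen, all_quals = {}, []
    for rec in records:
        for qual, mech, rest in parse_spf(rec):
            if mech == "all":
                all_quals.append(qual)
                continue
            key = (mech, rest)
            if seen.get(key, qual) != qual:
                raise ValueError("conflicting qualifiers for %s%s: %s vs %s"
                                 % (mech, rest, seen[key], qual))
            seen[key] = qual
    # Stable sort keeps first-seen order among mechanisms of equal cost.
    ordered = sorted(seen, key=lambda k: COST.get(k[0], 5))
    out = ["v=spf1"]
    for mech, rest in ordered:
        qual = seen[(mech, rest)]
        out.append(("" if qual == "+" else qual) + mech + rest)
    # With no 'all' term SPF evaluates to neutral, so '?all' is the explicit equivalent.
    out.append((max(all_quals, key=STRICTNESS.get) if all_quals else "?") + "all")
    return " ".join(out)
```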
No, you can't have multiple SPF records on a single domain. Otherwise, SPF will return PermError.
An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.
An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:
if no such record is found, it returns None;
if multiple such records are found, it returns PermError.
You would need to add all the mechanisms in 1 SPF record, as mentioned by Synchro.
Learn more here: https://dmarcly.com/blog/can-i-have-multiple-spf-records-on-my-domain
So I have the following SPF record for the domain hojio.com:
The TXT records found for your domain are:
v=spf1 ip4:194.150.114.22 ip4:194.150.114.0/24
include:support.zendesk.com include:smtp.zendesk.com ~all
The domain is on the ip 194.150.114.22 and a reverse dns lookup on that ip gives hojio.com
Gmail says:
neutral (google.com: 194.150.114.22 is neither permitted nor denied by
best guess record for domain of www-data@ksenikovweb01.dandomain.net)
client-ip=194.150.114.22;
As if it's not finding any SPF record? This is strange, since I can use various online SPF record checker tools, which all give me the correct one. What am I doing wrong?
Are you sure that hojio.com is being used in the Return-Path? SPF works off the Return-Path, not the From address. So it doesn't matter if the From address is from a user at hojio.com, unless the Return-Path is the same.
From the Gmail message it looks like the Return-Path is www-data@ksenikovweb01.dandomain.net. The domain ksenikovweb01.dandomain.net does not have an SPF record, so that would explain the 'neutral' SPF rating.
Right now, I'd like to use zoho mail for manual mailing from my domain and PHPMail from my server to handle automated messages.
Problem is, when my server sends out an email it hits spam filter. I get the following error:
deemstars@server.deemstars.com does not designate permitted sender hosts) smtp.mail=deemstars@server.deemstars.com
My txt record is the following (I Use Cloudflare):
v=spf1 mx ptr ip4:207.244.68.190 a:server.deemstars.com include:zoho.com ?all
207.244.68.190 being my server IP. I also added multiple domains to the txt record to make sure it gets whitelisted. I also included zoho.com, which zohomail sends an email out just fine with no spam filter, and it doesn't get the "not permitted sender" error.
So I think the problem is that your return path address has a domain of server.deemstars.com and your SPF record is defined only on the apex domain. SPF does not check parent domains.
So add the following record to server.deemstars.com
v=spf1 ip4:207.244.68.190 a:server.deemstars.com include:zoho.com mx ptr ?all
and see if that addresses the issue. I've also rearranged the SPF directives to move the cheaper to evaluate, more likely to match ones to the front.
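An added example (my own code, not from any answer here) that applies the lookup rules from the earlier answer and the two Return-Path cases above to a constructed TXT table: only TXT records starting exactly with v=spf1 count, exactly one must exist (none and permerror otherwise), and only the Return-Path domain is queried, never its parent, which is why server.deemstars.com gets no result from the apex record. The hojio.com and deemstars.com values mirror the thread; the TXT contents and twice.example are constructed, and only ip4/ip6/all mechanisms are evaluated since the rest need live DNS.

```python
import ipaddress

# Constructed TXT table for the example. The hojio.com and deemstars.com values
# mirror the thread; nothing here is the result of a live DNS query.
TXT = {
    "hojio.com": ["v=spf1 ip4:194.150.114.22 ip4:194.150.114.0/24 "
                  "include:support.zendesk.com include:smtp.zendesk.com ~all",
                  "google-site-verification=constructed"],
    "deemstars.com": ["v=spf1 mx ip4:207.244.68.190 a:server.deemstars.com ?all"],
    "twice.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return ('none', None), ('permerror', None) or ('ok', record).

    Only TXT records that start exactly with 'v=spf1' count, and only the
    queried domain is consulted: SPF never falls back to a parent domain.
    """
    recs = [r for r in TXT.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not recs:
        return "none", None
    if len(recs) > 1:
        return "permerror", None
    return "ok", recs[0]


def check(return_path, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of the Return-Path domain's record.

    SPF keys off the Return-Path (MAIL FROM) domain, not the From header.
    a/mx/include/ptr need live DNS and are skipped in this offline example.
    """
    domain = return_path.rsplit("@", 1)[-1].lower()
    status, rec = spf_record(domain)
    if rec is None:
        return status
    ip = ipaddress.ip_address(client_ip)
    for term in rec.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qual]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip in net:
                return RESULT[qual]
    return "neutral"   # no mechanism matched and no 'all' present
```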
I'm setting it as: v=spf1 a mx ip4:xx.xxx.xx.xxx a -mx -all
it's right?
Thanks.
How you should configure your SPF record depends on what servers you want to allow to send emails on your behalf. However, your example SPF record contains a contradiction. You are specifying both mx and -mx, meaning you want to both pass and fail if the IP matches an IP address found in the domain's MX records. You should remove whichever mechanism does not apply.
Without knowing your exact needs it's hard to say exactly what SPF configuration you should use but if I had to take a shot in the dark I would say this is probably a safe bet:
v=spf1 mx a ip4:xx.xxx.xx.xxx ?all
This will pass an email originating from any IP that your domain has an a or mx record for, as well as IP address xx.xxx.xx.xxx. It will apply a status of neutral to all others using the ?all mechanism. This allows spam filters more latitude to determine the validity of the email as opposed to a hard fail (-all).
Here are a couple of resources that I think will help you.
SPF Mechanisms Explained
SPF Wizard