What does this DNS record mean? - dns

I have this DNS record in my domain's zone file:
TXT cmaflooring.com v=spf1 a mx include:websitewelcome.com ~all Automatic
What does it mean?

It's an SPF record. The following website from OpenSPF has a good explanation.
http://www.openspf.org/SPF_Record_Syntax

Related

How do I add two spf records?

I'm using Zoho mail with my domain name. I also use an SMTP service with my domain name to send newsletters.
In order for Zoho to work properly I am required to add an SPF record to my domain DNS. The SMTP service also requires me to add an SPF record.
My question is: can I add multiple SPF records to a domain name? If not, is it possible to somehow combine the two?
These are the records I need to use:
v=spf1 include:zoho.com ~all
v=spf1 mx a ip4:91.82.206.0/24 ip4:91.83.103.0/24 ~all
Any help is appreciated.
You can't have two, but you can combine them, like this:
v=spf1 ip4:91.82.206.0/24 ip4:91.83.103.0/24 mx a include:zoho.com ~all
It's best practice to put literal IPs first as they are the fastest for receivers to check.
No, you can't have multiple SPF records on a single domain. Otherwise, SPF will return PermError.
An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.
An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:
if no such record is found, it returns None;
if multiple such records are found, it returns PermError.
You would need to add all the mechanisms in 1 SPF record, as mentioned by Synchro.
Learn more here: https://dmarcly.com/blog/can-i-have-multiple-spf-records-on-my-domain
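
The selection rule and the merge described in the two answers above, as an added example (not code from the original posts). The function names are hypothetical, and keeping the strictest `all` qualifier when the inputs disagree is an assumption of this sketch.

```python
# Added example (not from the original answers): SPF record selection and merging.
QUALIFIERS = "+-~?"
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}

def select_spf(txt_records):
    """Pick the SPF policy from a domain's TXT records as a receiver would."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none", None          # no policy published
    if len(spf) > 1:
        return "permerror", None     # two or more v=spf1 records
    return "ok", spf[0]

def merge_spf(records):
    """Combine several v=spf1 records into one.

    Literal ip4/ip6 terms go first, other terms keep first-seen order, and a
    single 'all' ends the record. Assumption of this sketch: when the inputs
    disagree on the 'all' qualifier, the strictest one is kept.
    """
    ips, others, final = [], [], None
    for record in records:
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in terms[1:]:
            bare = term[1:] if term[0] in QUALIFIERS else term
            if bare.lower() == "all":
                q = term[0] if term[0] in QUALIFIERS else "+"
                if final is None or STRICTNESS[q] > STRICTNESS[final]:
                    final = q
            elif bare.lower().startswith(("ip4:", "ip6:")):
                if term not in ips:
                    ips.append(term)
            elif term not in others:
                others.append(term)
    tail = [final + "all"] if final else []
    return " ".join(["v=spf1", *ips, *others, *tail])

# Records quoted in the question above.
zoho = "v=spf1 include:zoho.com ~all"
smtp = "v=spf1 mx a ip4:91.82.206.0/24 ip4:91.83.103.0/24 ~all"
print(select_spf([zoho, smtp]))      # both published at once
print(merge_spf([smtp, zoho]))       # the single record to publish instead
```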

One SPF record per subdomain?

As you all may know, only one SPF record should be set up in the DNS records. My question however is if this also applies to other subdomains.
For example, I send emails through AWS and the given SPF record is "v=spf1 include:amazonses.com ~all" # noreply. But I also use Protonmail with the same domain and the SPF record given there is "v=spf1 include:_spf.protonmail.ch mx ~all" # root.
Not only is the subdomain different, but the protonmail record has a 'mx' in it too.
How am I exactly supposed to put this in my DNS?
You can quite happily have separate SPF policies for subdomains - the SPF at example.com can be different from one at mail.example.com. The contents of those records can be independent too, and there is no reason why the MX for mail.example.com can't be the same as for domain.com - in fact it is assumed to be unless you specify otherwise.
That said, it's not clear that you're needing subdomains at all, but simply to combine SPFs covering different sources for the same domain, for example the 2 examples you give could be combined as:
v=spf1 mx include:_spf.protonmail.ch include:amazonses.com ~all
The local part of the address (to the left of the @, like root@example.com or noreply@example.com) does not figure in SPF checks, so it's irrelevant.
If that's not what you meant, please expand your question.

What is the correct way to combine these SPF records?

Having done a recent MX check I have noticed that our domain has multiple SPF records. I was just wondering if anyone knew the correct way to combine the following?
v=spf1 +a +mx ~all
v=spf1 include:_spf.google.com ~all
I would assume it is just
v=spf1 +a +mx include:_spf.google.com ~all
Could anyone verify if this is in fact correct?
Thanks!
That's correct, yes. You can use a tool like this one to help you test the SPF record before you update your DNS settings to ensure it's syntactically correct: http://www.kitterman.com/spf/validate.html

SPF "permerror" from Google, IPv6 failure?

Without an IPv6 entry in my SPF record, I get softfails if the other server uses IPv6. However, when I add an ip6 record (which is my accurate address, with a reverse DNS entry) I get a permerror. I cannot figure out what the issue is.
From email header:
Received-SPF: permerror (google.com: domain of sjacobs@watershedmg.org
uses a mechanism not recognized by this client. unknown mechanisms:
)) client-ip=2600:3c01::f03c:91ff:fe6e:85d7
My full SPF record:
v=spf1 mx ptr ip4:173.255.244.150 ip6:22600:3c01::f03c:91ff:fe6e:85d7
a:watershedmg.org include:_spf.google.com ~all
Can anyone shed light on this? Thank you.
22600:3c01::f03c:91ff:fe6e:85d7 is not a valid IPv6 address. Check the first section - it's got too many digits. It looks like you added an extra '2'.
You also don't need the mx since you're using Google Apps for your email. So a better version of this record would be
v=spf1 ip4:173.255.244.150 ip6:2600:3c01::f03c:91ff:fe6e:85d7
include:_spf.google.com a:watershedmg.org ~all
and the a directive is only necessary if you've got a web server that is directly sending email using a local mail server. Otherwise you should remove it as well.
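
A term-by-term syntax check that catches the malformed `ip6:` address before the record is published, as an added example (not code from the original posts). `lint_spf` is a hypothetical helper; Python's `ipaddress` module is slightly more permissive than the SPF grammar (it also accepts netmask notation), so a clean result is not a full validation.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Optional qualifier, term name, then ":" or "/" (mechanism) or "=" (modifier).
TERM = re.compile(r"^[+\-~?]?([A-Za-z][A-Za-z0-9_.-]*)(?:([:/=])(.*))?$")

def lint_spf(record):
    """Return [(term, problem)] for terms a receiver would reject as permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [(record, "does not start with v=spf1")]
    problems = []
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            problems.append((term, "not a valid term"))
            continue
        name, delim, value = m.group(1).lower(), m.group(2), m.group(3)
        if delim == "=":
            continue                      # modifier such as redirect= or exp=
        if name not in MECHANISMS:
            problems.append((term, "unknown mechanism"))
        elif name in ("ip4", "ip6"):
            net = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
            try:
                if delim != ":":
                    raise ValueError("missing address")
                net(value, strict=False)  # host bits may be set, e.g. 192.0.2.1/24
            except ValueError as exc:
                problems.append((term, f"bad {name} address: {exc}"))
    return problems

# The record from the question (joined onto one line) and the corrected one.
BROKEN = ("v=spf1 mx ptr ip4:173.255.244.150 ip6:22600:3c01::f03c:91ff:fe6e:85d7 "
          "a:watershedmg.org include:_spf.google.com ~all")
FIXED = ("v=spf1 ip4:173.255.244.150 ip6:2600:3c01::f03c:91ff:fe6e:85d7 "
         "include:_spf.google.com a:watershedmg.org ~all")

for label, rec in (("broken", BROKEN), ("fixed", FIXED)):
    print(label, lint_spf(rec))
```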

SPF record seems to not register at gmail (at least)

So I have the following SPF record for the domain hojio.com:
The TXT records found for your domain are:
v=spf1 ip4:194.150.114.22 ip4:194.150.114.0/24
include:support.zendesk.com include:smtp.zendesk.com ~all
The domain is on the ip 194.150.114.22 and a reverse dns lookup on that ip gives hojio.com
Gmail says:
neutral (google.com: 194.150.114.22 is neither permitted nor denied by
best guess record for domain of www-data@ksenikovweb01.dandomain.net)
client-ip=194.150.114.22;
As if it's not finding any SPF record? This is strange, since I can use various online SPF record checker tools that all give me the correct one. What am I doing wrong?
Are you sure that hojio.com is being used in the Return-Path? SPF works off the Return-Path, not the From address. So it doesn't matter if the From address is from a user at hojio.com, unless the Return-Path is the same.
From the Gmail message it looks like the Return-Path is www-data@ksenikovweb01.dandomain.net. The domain ksenikovweb01.dandomain.net does not have an SPF record, so that would explain the 'neutral' SPF rating.
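
A way to see which domain a receiver actually evaluated for SPF, as an added example (not code from the original posts). `spf_identity` is a hypothetical helper, and the sample message is constructed from the values quoted above, with `info@hojio.com` an invented From address.

```python
from email import message_from_string
from email.utils import parseaddr

def _unfold(value):
    """Collapse header folding and treat a missing header as empty."""
    return " ".join((value or "").split())

def spf_identity(raw_message):
    """Report the domain SPF was checked against versus the visible From domain."""
    msg = message_from_string(raw_message)
    envelope = parseaddr(_unfold(msg["Return-Path"]))[1]
    header_from = parseaddr(_unfold(msg["From"]))[1]
    received = _unfold(msg["Received-SPF"])
    # An empty Return-Path (<>) is a bounce; receivers then fall back to HELO.
    spf_domain = envelope.rpartition("@")[2].lower() or None
    from_domain = header_from.rpartition("@")[2].lower() or None
    return {
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        "result": received.split(" ", 1)[0].lower() if received else None,
        "mismatch": spf_domain != from_domain,
    }

# Constructed sample built from the header values quoted in the question.
SAMPLE = """\
Return-Path: <www-data@ksenikovweb01.dandomain.net>
Received-SPF: neutral (google.com: 194.150.114.22 is neither permitted nor denied by
 best guess record for domain of www-data@ksenikovweb01.dandomain.net)
 client-ip=194.150.114.22;
From: Shop <info@hojio.com>
Subject: constructed sample

body
"""

print(spf_identity(SAMPLE))
```

When `mismatch` is true, the SPF record that matters is the one published for `spf_domain`, not the one for the From domain.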
