SPF record confusion in Linode DNS manager
Hi,
For a recent Linode that I am using as a cPanel server, I opted to use the Linode DNS manager. For adding SPF as text records, should I put the value within quotes? The system seems to accept it both within and without quotes:
"v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx ~all"
or
v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx ~all
There's a related point which doesn't have anything to do with Linode DNS Manager but on which it would be useful to get advice from the members here - Gmail (free and GSuite) marks the SPF record as Neutral:
Authentication-Results: mx.google.com; spf=neutral (google.com: xxx.xxx.xxx.xxx is neither permitted nor denied by best guess record for domain of username@hostname) smtp.mailfrom=username@hostname;
Should I add an SPF record for the FQDN of the cPanel server and then include that FQDN in the SPF record for each of the domains hosted on the server to avoid this?
Thanks in advance.
2 Replies
Hey there,
The correct syntax for your SPF record is as follows:
v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx ~all
With that you'll see the TXT record after it updates will resolve properly and quotes will be auto-added (they double quote if you add them in yourself). You can check it with the following:
$ dig xxx.xxx.xxx.xxx TXT
You don't need to add an SPF record for the FQDN as you are using the IP that the domain will resolve to. It does, however, look like you might be missing this include to get your spf=pass in Gmail:
v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx include:_spf.google.com ~all
Google offers a really helpful Gsuite Administrator guide with step-by-step instructions on getting your SPF to pass here:
https://support.google.com/a/answer/33786?hl=en
Best of luck!
Sincerely,
Tara T
Linode Support Team
Thanks very much for your response. You are right - all the domains for which I had added quotes for the SPF record in Linode DNS manager are all showing up wrong in dig.
It would be really helpful if the Linode DNS manager documentation could add a line of explanation calling this out. Most DNS managers (I use cPanel and Route 53 regularly) ask for the quotes to be included, so I missed this, even though I read the documentation page.
I was also probably blindsided by the fact that the Linode DNS manager accepts the value with and without quotes - instead, Linode should prompt a warning or error when a user enters the SPF value with quotes in the DNS manager.
As for the include for google.com, isn't that for when a web script is located on a different server, but emails for that domain are sent through Google? In my case, the Linode server also hosts the email service for the domains, but this warning shows up when I send to someone with a gmail.com account or a GSuite account.
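The dig check from the first reply can be automated. The following is an added example, not part of the thread or of Linode's tooling: it decodes TXT answers as dig prints them and flags an SPF value that was stored with literal quotes, which receivers ignore because the record no longer begins with v=spf1. The sample answers, the 192.0.2.10 address and the function names are constructed, and it assumes the extra quotes appear in dig output as escaped \" characters.

```python
import re

# One quoted character-string as dig prints it, allowing backslash escapes.
_CHAR_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# \DDD is a decimal byte value; any other \X stands for the literal character X.
_ESCAPE = re.compile(r'\\(\d{3}|.)')


def decode_txt_rdata(rdata):
    """Return the TXT value a receiver sees: all character-strings of one
    answer, unescaped and joined with no separator (RFC 7208 section 3.3)."""
    def unescape(match):
        token = match.group(1)
        return chr(int(token)) if len(token) == 3 else token
    parts = _CHAR_STRING.findall(rdata)
    return "".join(_ESCAPE.sub(unescape, part) for part in parts)


def classify_spf(rdata):
    """Classify one TXT answer as 'ok', 'literal-quotes' or 'not-spf'."""
    value = decode_txt_rdata(rdata).lower()
    # A usable SPF record starts with exactly "v=spf1" followed by a space or the end.
    if value == "v=spf1" or value.startswith("v=spf1 "):
        return "ok"
    # Quotes typed into the DNS manager end up inside the value itself.
    if value.strip("\"' ").startswith("v=spf1"):
        return "literal-quotes"
    return "not-spf"


# Constructed TXT answers in dig's presentation format (not real records).
SAMPLE_ANSWERS = {
    "entered-without-quotes": '"v=spf1 +a +mx +ip4:192.0.2.10 ~all"',
    "entered-with-quotes": r'"\"v=spf1 +a +mx +ip4:192.0.2.10 ~all\""',
    "split-strings": '"v=spf1 +a +mx " "+ip4:192.0.2.10 ~all"',
    "other-txt": '"site-verification=constructed"',
}

if __name__ == "__main__":
    for label, rdata in SAMPLE_ANSWERS.items():
        print(f"{label:24} {classify_spf(rdata):15} {decode_txt_rdata(rdata)}")
```

To check a live zone, pass each answer line from dig +short TXT for the domain to classify_spf.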