Proper SPF Records
Just finished checking them out to make sure the SPF was done correctly (all DNS is here at Linode), and I am getting responses that the domains don't have any SPF records defined, even though they do (and have for months). Checked the domains here:
So, here is what I have for hypothetical domain.com that uses secureserver.net (GoDaddy) for forwarding (it's an MX record for the domain):
Under the TXT section of the Linode Domain manager
Name: TXT
Value: "v=spf1 a mx include:gmail.com ~all"
So, something obvious wrong? Should the TXT record have a name of SPF? Should there be no quotes on the Value? I have noticed that when I try to edit the field in the DNS Manager, if it has quotes, the field is empty when I click edit, vs. populated if I leave the quotes off…
Thanks!
Paul
14 Replies
@sweh:
If you want us to help, then it really really helps to provide the domain name you're testing with.
Ok, didn't know the protocol for posting real vs example domain names.
One of the domains I'm having a problem with is playsnappa.com. Mail is handled by the following MX records in terms of receiving email:
smtp.secureserver.net
mailstore1.secureserver.net
And I have it added to a regular gmail account so that I can send mail on behalf of that domain. The SPF record is:
TXT "v=spf1 a mx include:gmail.com ~all"
% nslookup -type=any playsnappa.com ns1.linode.com.
Server: ns1.linode.com.
Address: 69.93.127.10#53
Name: playsnappa.com
Address: 65.19.178.134
playsnappa.com
origin = ns1.linode.com
mail addr = webmaster.playsnappa.com
serial = 2009101980
refresh = 7200
retry = 7200
expire = 1209600
minimum = 86400
playsnappa.com nameserver = ns3.linode.com.
playsnappa.com nameserver = ns2.linode.com.
playsnappa.com nameserver = ns4.linode.com.
playsnappa.com nameserver = ns1.linode.com.
playsnappa.com mail exchanger = 10 mailstore1.secureserver.net.
playsnappa.com mail exchanger = 0 smtp.secureserver.net.
You created a record for txt.playsnappa.com. That's wrong; you need to create the record for playsnappa.com directly.
I suppose I should open a ticket with Linode re: the editing issue of TXT records that have double quotes in them? Likely a form error with stripping slashes, etc. [edit] just viewed source, it is indeed that the quotes aren't being escaped properly.
Thanks again, will post back here once the record updates have propagated and I can verify the changes.
Paul
playsnappa.com text = "\"v=spf1 a mx include:gmail.com ~all\""
Don't put any " in your record and see if that's better.
@sweh:
Don't put any " in your record and see if that's better.
Strange, thought the quotes were required for TXT records… maybe Linode is putting the quotes in automatically?
Will remove and try again.
@pmmenneg:
Strange, thought the quotes were required for TXT records… maybe Linode is putting the quotes in automatically
Quotes are needed, but since I don't use Linode domain manager (I run my own DNS) I've no idea what it does.
playsnappa.com text = "v=spf1 a mx include:gmail.com ~all"
Something like this for your domain would seem to make more sense to me. The a would cover email sent by a mail server at that domain's ip address ("a") and the include would cover the google apps ip addresses.
yourdomain.com. IN TXT "v=spf1 a include:_spf.google.com ~all"
I think google recommends the ~ softfail because emails may be sent from other ip addresses by users that haven't thought through all the possibilities in their configuration. But if you know you have all the possible IP addresses, I think the better option is -all which causes email from a mail server at a non-listed IP address to be a hard failure.
I changed my spf records to -all a while back and it seems to work fine. I can see the google apps spam claiming to be from my google apps address are hard failures now. Anyone see a problem with this?
@awitko:
I am curious why you use include:gmail.com in your spf record. Are you using google apps for this domain? See the following:
I've configured a gmail account to be able to send email on behalf of a @playsnappa.com account, thought that was the way to properly cover that setup… what do you think?
Am going to likely use Google Apps for the account in the future, it's just not something I need for the time being, but I use Google Accounts for a number of other domains and have it configured like you mentioned via spf.
This would suggest to me that you would not want to use an include because it would never go out through gmail's servers.
@awitko:
Actually it seems like the preferred way of sending on behalf of now is to route through your domain's outbound mail servers.
http://gmailblog.blogspot.com/2009/07/send-mail-from-another-address-without.html
This would suggest to me that you would not want to use an include because it would never go out through gmail's servers.
Thanks for that info. The mail for the playsnappa.com domain is handled by the registrar through simple forwarding, so there is no playsnappa.com outgoing server (at this time) that I can point to. So gmail is acting as the outgoing server for the playsnappa.com domain email (again, for now).
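The three states this thread walks through (SPF record created under a txt label instead of the domain itself, literal double quotes stored inside the TXT data, and a clean record ending in ~all) can be checked mechanically. This is an added example, not code from any poster in the thread; the function name lint_spf is hypothetical and the inputs are constructed from the lookup output quoted above.

```python
import re

# Qualifier meanings as defined for SPF (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(domain, records):
    """Lint (owner_name, txt_data) pairs; txt_data is the record's string
    content as stored, with escaped quotes from lookup output unescaped.
    Returns a list of findings; an empty list means nothing to report."""
    apex = domain.rstrip(".").lower()
    findings, usable = [], []
    for owner, data in records:
        owner = owner.rstrip(".").lower()
        bare = data.strip().strip('"').strip()
        if not re.match(r"v=spf1(\s|$)", bare, re.I):
            continue  # not an SPF record, ignore
        if owner != apex:
            findings.append(f"SPF published at {owner}, not at {apex}")
        elif bare != data.strip():
            findings.append("literal double quotes stored inside the TXT data")
        else:
            usable.append(bare)
    if not usable:
        return findings + [f"no usable SPF record at {apex}"]
    if len(usable) > 1:
        findings.append("more than one SPF record at the domain (permerror)")
    for rec in usable:
        alls = [t for t in rec.split()[1:] if re.fullmatch(r"[-+~?]?all", t, re.I)]
        if not alls:
            findings.append("no 'all' mechanism")
            continue
        # A bare "all" has the default qualifier "+".
        q = alls[-1][0] if alls[-1][0] in QUALIFIERS else "+"
        if q != "-":
            findings.append(f"'all' result is {QUALIFIERS[q]}, not fail")
    return findings

if __name__ == "__main__":
    # Constructed inputs modelled on the states described in the thread.
    spf = "v=spf1 a mx include:gmail.com ~all"
    for recs in ([("txt.playsnappa.com", spf)],
                 [("playsnappa.com", f'"{spf}"')],
                 [("playsnappa.com", spf)]):
        print(recs[0], "->", lint_spf("playsnappa.com", recs))
```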