Proper SPF Records

So I have a number of domains that I host, etc, with all mail either being handled by Google Apps or by a simple forwarder through the Registrar, etc.

Just finished checking them out to make sure the SPF was done correctly (all DNS is here at Linode), and I am getting responses that the domain doesn't have any SPF records defined, even though they do (and have for months). Checked the domains here:

http://www.kitterman.com/spf/validate.html

So, here is what I have for hypothetical domain.com that uses secureserver.net (GoDaddy) for forwarding (it's an MX record for the domain):

Under the TXT section of the Linode Domain manager

Name: TXT

Value: "v=spf1 a mx include:gmail.com ~all"

So, something obviously wrong? Should the TXT record have a name of SPF? Should there be no quotes on the Value? I have noticed that when I try to edit the field in the DNS Manager, if it has quotes, the field is empty when I click edit, vs. populated if I leave the quotes off…

Thanks!

Paul

14 Replies

If you want us to help, then it really really helps to provide the domain name you're testing with.

@sweh:

If you want us to help, then it really really helps to provide the domain name you're testing with.

Ok, didn't know the protocol for posting real vs example domain names.

One of the domains I'm having a problem with is playsnappa.com. Mail is handled by the following MX records in terms of receiving email:

smtp.secureserver.net

mailstore1.secureserver.net

And I have it added to a regular gmail account so that I can send mail on behalf of that domain. The SPF record is:

TXT "v=spf1 a mx include:gmail.com ~all"

There are no TXT records for playsnappa.com according to ns1.linode.com

% nslookup -type=any playsnappa.com ns1.linode.com.
Server:         ns1.linode.com.
Address:        69.93.127.10#53

Name:   playsnappa.com
Address: 65.19.178.134
playsnappa.com
        origin = ns1.linode.com
        mail addr = webmaster.playsnappa.com
        serial = 2009101980
        refresh = 7200
        retry = 7200
        expire = 1209600
        minimum = 86400
playsnappa.com  nameserver = ns3.linode.com.
playsnappa.com  nameserver = ns2.linode.com.
playsnappa.com  nameserver = ns4.linode.com.
playsnappa.com  nameserver = ns1.linode.com.
playsnappa.com  mail exchanger = 10 mailstore1.secureserver.net.
playsnappa.com  mail exchanger = 0 smtp.secureserver.net.

Ah, I think I know what you've done wrong.

You created a record for txt.playsnappa.com. That's wrong; you need to create the record for playsnappa.com directly.

Wow, silly mistake on my part. Changed it, should check out now, thanks.

I suppose I should open a ticket with Linode re: the editing issue of TXT records that have double quotes in them? Likely a form error with stripping slashes, etc. [edit] just viewed source, it is indeed that the quotes aren't being escaped properly.

Thanks again, will post back here once the record updates have propagated and I can verify the changes.

Paul

Looking slightly better, but you've got \" \" around the entry:

playsnappa.com  text = "\"v=spf1 a mx include:gmail.com ~all\""

Don't put any " in your record and see if that's better.

@sweh:

Don't put any " in your record and see if that's better.

Strange, thought the quotes were required for TXT records… maybe Linode is putting the quotes in automatically?

Will remove and try again.

@pmmenneg:

Strange, thought the quotes were required for TXT records… maybe Linode is putting the quotes in automatically?

Quotes are needed, but since I don't use Linode domain manager (I run my own DNS) I've no idea what it does.

Now that should pass.

playsnappa.com  text = "v=spf1 a mx include:gmail.com ~all"

I am curious why you use include:gmail.com in your spf record. Are you using google apps for this domain? See the following:

http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786

Something like this for your domain would seem to make more sense to me. The a would cover email sent by a mail server at that domain's ip address ("a") and the include would cover the google apps ip addresses.

yourdomain.com. IN TXT "v=spf1 a include:_spf.google.com ~all"

I think google recommends the ~ softfail because emails may be sent from other ip addresses by users that haven't thought through all the possibilities in their configuration. But if you know you have all the possible IP addresses, I think the better option is -all which causes email from a mail server at non-listed IP addresses to be a hard failure.

I changed my spf records to -all a while back and it seems to work fine. I can see the google apps spam claiming to be from my google apps address are hard failures now. Anyone see a problem with this?
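An added example, not code from the thread: a small SPF evaluator (subset of RFC 7208: a, mx, ip4, include, all) run against constructed DNS data, showing why a record published at txt.example.com or wrapped in a second pair of quotes yields "none", and how ~all and -all differ for a sender IP that matches nothing. The domains, IPs and the _spf.google.com range are constructed placeholders, not real lookups.

```python
import ipaddress

# Constructed stand-in for DNS answers; a real checker would query a resolver.
# TXT values appear as a resolver returns them, i.e. without the outer quotes.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx include:_spf.google.com ~all"],
    ("example.com", "A"): ["65.19.178.134"],
    ("example.com", "MX"): ["smtp.secureserver.net", "mailstore1.secureserver.net"],
    ("smtp.secureserver.net", "A"): ["198.51.100.10"],
    ("mailstore1.secureserver.net", "A"): ["198.51.100.11"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],  # constructed
    ("strict.example", "TXT"): ["v=spf1 include:_spf.google.com -all"],
    # The two mistakes from the thread: record on the wrong name, doubled quotes.
    ("txt.misplaced.example", "TXT"): ["v=spf1 a mx ~all"],
    ("doublequoted.example", "TXT"): ['"v=spf1 a mx ~all"'],
}

def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def spf_record(domain):
    """Return the one TXT record whose first term is exactly 'v=spf1', else None."""
    recs = [r for r in lookup(domain, "TXT") if r.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ip_matches(ip, names):
    return any(ip == ipaddress.ip_address(a) for n in names for a in lookup(n, "A"))

def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for sender ip (subset: a, mx, ip4, include, all)."""
    record = spf_record(domain)
    if record is None:
        return "none"       # what the validator reported for playsnappa.com
    if depth > 10:
        return "permerror"  # simplified stand-in for the RFC 7208 lookup limit
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        target = arg or domain
        matched = (
            name == "all"
            or (name == "a" and ip_matches(ip, [target]))
            or (name == "mx" and ip_matches(ip, lookup(target, "MX")))
            or (name == "ip4" and ip in ipaddress.ip_network(arg, strict=False))
            or (name == "include" and check_host(str(ip), arg, depth + 1) == "pass")
        )
        if matched:
            return QUALIFIERS[qual]
    return "neutral"        # nothing matched and no 'all' term present
```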

@awitko:

I am curious why you use include:gmail.com in your spf record. Are you using google apps for this domain? See the following:

I've configured a gmail account to be able to send email on behalf of a @playsnappa.com account, thought that was the way to properly cover that setup… what do you think?

Am going to likely use Google Apps for the account in the future, it's just not something I need for the time being, but I use Google Accounts for a number of other domains and have it configured like you mentioned via spf.

I see you mentioned that in your previous post. I should have read that more carefully. You may be right, I do not use send on behalf of.

Actually it seems like the preferred way of sending on behalf of now is to route through your domain's outbound mail servers.

http://gmailblog.blogspot.com/2009/07/send-mail-from-another-address-without.html

This would suggest to me that you would not want to use an include because it would never go out through gmail's servers.

@awitko:

Actually it seems like the preferred way of sending on behalf of now is to route through your domain's outbound mail servers.

http://gmailblog.blogspot.com/2009/07/send-mail-from-another-address-without.html

This would suggest to me that you would not want to use an include because it would never go out through gmail's servers.

Thanks for that info. The mail for the playsnappa.com domain is handled by the registrar through simple forwarding, so there is no playsnappa.com outgoing server (at this time) that I can point to. So gmail is acting as the outgoing server for the playsnappa.com domain email (again, for now).
