SPF record to validate e-mail from Google Apps

I had to set up an SPF TXT record to try to validate my e-mails sent by a Google Apps account, and I would like to check with you whether the answer would be the same:

```
root@manager:~# dig @ns1.linode.com TXT mydomain.com

; <<>> DiG 9.7.3 <<>> @ns1.linode.com TXT mydomain.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6617
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 10
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mydomain.com.            IN  TXT

;; ANSWER SECTION:
mydomain.com.        86400   IN  TXT "v=spf1 a mx ~all"

;; AUTHORITY SECTION:
mydomain.com.        86400   IN  NS  ns1.linode.com.
mydomain.com.        86400   IN  NS  ns3.linode.com.
mydomain.com.        86400   IN  NS  ns5.linode.com.
mydomain.com.        86400   IN  NS  ns2.linode.com.
mydomain.com.        86400   IN  NS  ns4.linode.com.

;; ADDITIONAL SECTION:
ns1.linode.com.        86400   IN  A   69.93.127.10
ns1.linode.com.        86400   IN  AAAA    2600:3c00::a
ns2.linode.com.        86400   IN  A   65.19.178.10
ns2.linode.com.        86400   IN  AAAA    2600:3c01::a
ns3.linode.com.        86400   IN  A   75.127.96.10
ns3.linode.com.        86400   IN  AAAA    2600:3c02::a
ns4.linode.com.        86400   IN  A   207.192.70.10
ns4.linode.com.        86400   IN  AAAA    2600:3c03::a
ns5.linode.com.        86400   IN  A   109.74.194.10
ns5.linode.com.        86400   IN  AAAA    2a01:7e00::a

;; Query time: 23 msec
;; SERVER: 2600:3c00::a#53(2600:3c00::a)
;; WHEN: Fri Jun 15 15:35:44 2012
;; MSG SIZE  rcvd: 381

root@manager:~#
```

I'm still learning how to configure DNS, as I understand some TXT records.

Thank you in advance.

5 Replies

http://support.google.com/a/bin/answer.py?hl=en&answer=178723

They recommend the following if you ONLY send from google apps:

```
v=spf1 include:_spf.google.com ~all
```

If you send mail from both google apps and your server, then you'd want to combine that with what you already have:

```
v=spf1 a mx include:_spf.google.com ~all
```

Note that using ~all basically is saying you have listed IPs that send your email but there may be email from others. If you are going through the trouble of setting up SPF… not sure why you would use that.

-all is strict saying that ONLY what you have specified is allowed to send email for your domain.

For verification, send email using your domain to: check-auth2@verifier.port25.com and get back a report which shows if you authenticate for SPF, DKIM and others.

This is useful when you start using mail servers that have IPv6 enabled as well. Gets a bit trickier.

@Dweeber:

> Note that using ~all basically is saying you have listed IPs that send your email but there may be email from others. If you are going through the trouble of setting up SPF… not sure why you would use that.

With "-all", one mistake from either you or whoever's spf you included can result in your mail being lost. The main benefit to the use of "-all" is that other people may see less spam. For most people the risk is not worth the benefit and "~all" is more appropriate.

For sure when you are handing out advice to people who may or may not understand the ins and outs of SPF it is much safer to suggest "~all". If you want "-all" you are probably not going to need to ask anyone for help.

Disclaimer: I use "-all" on all my domains ;)

I guess it depends on why you are setting up an SPF record.

If you are setting it up just so servers will accept your email, then the use of ~all won't matter much.

But if you are like me and less concerned with spam and more concerned with others using your mail domain(s) for unauthorized messages, making sure you have your SPF record correct and using the strict setting is the only thing that makes sense.

That and hoping other mail servers will use and honor your SPF strict settings helps prevent your mail domain(s) from being used from mail sources you didn't specify.

Setting ~all when testing makes total sense, just like setting t=y in your DKIM record to indicate you are in testing mode.

You have the best success with email delivery when you have taken the time to ensure that your mail server(s) not only are configured correctly but also that all components of the email are properly set up. Proper MX records, proper HELO host names, forward and reverse DNS matching, masking internal hosts in headers etc. :lol:

Well, now I'm using google apps, email and one's own domain email marketing system.

Both are falling to the senders of spam.

```
; acessofacil.in [293019]
$TTL 86400
@    IN  SOA ns1.linode.com. acessofacil\.linode.gmail.com. 2012070243 14400 14400 1209600 86400
@        NS  ns1.linode.com.
@        NS  ns2.linode.com.
@        NS  ns3.linode.com.
@        NS  ns4.linode.com.
@        NS  ns5.linode.com.
@        3600    MX  1   aspmx.l.google.com.
@            TXT "v=spf1 mx a include:_spf.criaenvio.com include:_spf.google.com ~all"
@            A   66.228.59.135
*            A   66.228.59.135
git            A   66.228.59.135
www            A   66.228.59.135
box            CNAME   ghs.google.com.
mkt            CNAME   cname.criaenvio.com.
```
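
An added example, not code from any poster in this thread: an offline check that parses the SPF records quoted above and reports the result a receiver assigns to senders matched by no mechanism (`~all` gives softfail, `-all` gives fail), plus how many DNS-querying terms the record uses at top level. The names `parse_spf` and `audit` and the last, strict record are assumptions constructed for illustration.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each trigger a DNS query, counted toward the RFC 7208 limit of 10.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9]*)(.*)$", re.I)

# Records quoted in the thread, plus one constructed strict variant (last).
RECORDS = [
    "v=spf1 a mx ~all",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 a mx include:_spf.google.com ~all",
    "v=spf1 mx a include:_spf.criaenvio.com include:_spf.google.com ~all",
    "v=spf1 include:_spf.google.com -all",  # constructed, not from the thread
]


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for part in parts[1:]:
        match = TERM.match(part)
        if not match:
            raise ValueError("malformed term: " + part)
        qualifier, name, rest = match.groups()
        # A missing qualifier means "+" (pass).
        terms.append((qualifier or "+", name.lower(), rest.lstrip(":=")))
    return terms


def audit(record):
    """Report the result for unlisted senders and the top-level DNS cost."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    # Without "all" or "redirect", unmatched senders get "neutral".
    default = "redirect" if "redirect" in names else "neutral"
    if "all" in names:
        default = QUALIFIERS[terms[names.index("all")][0]]
    # Lookups inside included records also count; they need live DNS to tally.
    lookups = sum(1 for name in names if name in DNS_TERMS)
    includes = [arg for _, name, arg in terms if name == "include"]
    return {"default": default, "lookups": lookups, "includes": includes}


if __name__ == "__main__":
    for rec in RECORDS:
        print(audit(rec), "<-", rec)
```
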
