34

I am using Google Apps, and Google is handling my email.

I have created the SPF record mentioned in the help forum in Google, but the SPF record did not pass, verified by using check-auth@verifier.port25.com and spf-test@openspf.org.

After searching a bit I found that the SPF mentioned in Google

    v=spf1 include:aspmx.googlemail.com ~all

is wrong and buggy. After consulting a hardcore programmer, we created an SPF record as

    v=spf1 a mx include:_netblocks.google.com include:aspmx.googlemail.com include:_spf.google.com ~all

This passed the test using both the methods mentioned above. However, when I send an email to a###l@ind###########cer.org it shows delivery failed with the following message:

Delivery to the following recipient failed permanently:

    a###l@ind##########cer.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 The sender did not meet Sender Policy Framework rules. Please see http://spf.pobox.com (state 18).

However, if I send mail from Yahoo or Gmail it gets delivered successfully. Can anyone help me out?

animuson
Subho Halder
  • Okay, I get it, my SPF is perfect, needed to have domainkeys checked – Subho Halder Jul 04 '09 at 15:52
  • 2
    I just wanted to add here that once your SPF *is* correct, you should change the `~all` to `-all`. This causes emails from other people impersonating you to be dropped and is the primary purpose of SPF. – Ladadadada Sep 17 '12 at 08:48
  • @Ladadadada Yet Google's support site says using `-all` can "cause problems". So it doesn't look like we can safely take full advantage of what SPF can offer (at least for the moment). – nextgentech May 02 '13 at 06:06
  • @nextgentech It's not safe to take your car out of the garage either, but there's no point in owning a car if you don't. The flag `~all` is a testing mode where your SPF record doesn't do anything. Google support site *might* be referring to legitimate emails being bounced if you forgot one of your IPs in the SPF record. – Ladadadada May 02 '13 at 07:08

3 Answers

63

The following TXT record works for me:

    v=spf1 include:_spf.google.com ~all

Alan Haggai Alavi
  • 5
    Yes. This is the correct setting. aspmx.googlemail.com has been replaced by _spf.google.com – Devon Aug 04 '10 at 13:03
  • 16
    Google's support site verifies this information: http://www.google.com/support/a/bin/answer.py?answer=178723 – maxsilver Jan 26 '11 at 04:14
  • 1
    Incredible that Google didn't notify customers about this? – toxaq Feb 03 '11 at 23:02
  • 13
    For the benefit of Googlers, here's a record that includes Google, plus MX and A records for your domain: `v=spf1 a mx include:_spf.google.com ~all` – David Carboni Jul 20 '12 at 10:17
  • 2
    Not sure you want the mx there because I don't think Google uses the same servers to send as receive. Can anyone verify this? – JeremyWeir Apr 12 '13 at 00:59
  • Do you know if a record like this is valid? `v=spf1 include:_spf.google.com ~all +a +mx +ip4:193.203.205.41 ?all` – conualfy May 20 '13 at 22:20
  • Update: Removed the `?all` from the end as I guessed it is a contradiction to `~all` and checked with `check-auth@verifier.port25.com and spf-test@openspf.org`. It seems to be ok. – conualfy May 20 '13 at 23:36
  • @JeremyWeir I don't think MX is needed because Google does not recommend it: https://support.google.com/a/answer/178723?hl=en – Gaia Sep 09 '14 at 09:51
3

    v=spf1 a mx include:aspmx.googlemail.com include:_spf.google.com ~all

Brad Koch
user265527
1

`v=spf1 include:_spf.google.com ~all` might be what Google tells you to put in it, but their Google Apps Toolbox MX checker fails it :(

Brad Koch
Craig
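
Added example (not code from any poster on this page): a small offline linter run over the SPF records quoted in this thread. It reports what a receiver evaluates under RFC 7208: the default result set by `all`, any terms ignored because they follow `all`, and the top-level count of DNS-lookup terms. The names `parse_spf`, `lint_spf` and `PAGE_RECORDS` are made up for illustration, and nested includes are not resolved, so the real lookup count can be higher.

```python
import re

# Terms that each trigger a DNS query during evaluation; RFC 7208 section 4.6.4
# caps the total at 10 per check, counting those inside included records too.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)(?:[:=/](.*))?$")

def parse_spf(record):
    """Return a list of (raw, qualifier, name, argument), one per term."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for raw in tokens[1:]:
        # A missing qualifier means "+" (pass).
        qual, body = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        m = TERM_RE.match(body)
        if not m:
            raise ValueError("malformed term: " + raw)
        terms.append((raw, qual, m.group(1).lower(), m.group(2) or ""))
    return terms

def lint_spf(record):
    """Summarise what a receiver will actually evaluate in this record."""
    terms = parse_spf(record)
    names = [name for _, _, name, _ in terms]
    # With no "all" and no redirect, an unmatched sender gets "neutral".
    ignored, default = [], "neutral"
    if "all" in names:
        cut = names.index("all")
        default = QUALIFIERS[terms[cut][1]]
        # RFC 7208 section 5.1: mechanisms after "all" are never tested.
        ignored = [raw for raw, _, _, _ in terms[cut + 1:]]
        terms = terms[:cut + 1]
    lookups = sum(1 for _, _, name, _ in terms if name in LOOKUP_MECHS)
    # A redirect modifier costs a lookup only when no "all" is present.
    lookups += int("redirect" in names and "all" not in names)
    return {"default": default, "top_level_lookups": lookups, "ignored": ignored}

# Records quoted on this page: question, first answer, comment thread.
PAGE_RECORDS = [
    "v=spf1 a mx include:_netblocks.google.com include:aspmx.googlemail.com include:_spf.google.com ~all",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:_spf.google.com ~all +a +mx +ip4:193.203.205.41 ?all",
]

if __name__ == "__main__":
    for rec in PAGE_RECORDS:
        print(rec, "->", lint_spf(rec))
```

For the third record, the linter lists `+a +mx +ip4:193.203.205.41 ?all` as ignored: dropping only the trailing `?all` still leaves the `a`, `mx` and `ip4` terms after `~all`, where they are never evaluated.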