23

What would be the correct SPF record to use for both Amazon SES and Google Apps together?

Google Apps says they want you to have the tilde "~" in it: http://support.google.com/a/bin/answer.py?hl=en&answer=178723, but most other examples have a dash "-" instead.

Amazon wants: "v=spf1 include:amazonses.com -all"

Google wants: "v=spf1 include:_spf.google.com ~all"


We currently have this, combining both together:

TXT "v=spf1 include:amazonses.com include:_spf.google.com ~all"

SPF "v=spf1 include:amazonses.com include:_spf.google.com ~all"


1) Is this the correct SPF record?

2) Are we missing anything? Should this record be exactly the same for both the TXT and SPF DNS records? That is all we have; we don't have anything else.

We only send email from Google Apps and Amazon SES, nothing else.

Random5000
  • No, I'm still not 100% sure. I'm not really sure how to make sure it's working. I'm pretty sure SES works, but google is not being verified correctly. Emails of course still get sent and received, but I can't tell if the SPF is really working. – Random5000 Oct 12 '13 at 18:21
  • I set up the SPF record and it's working fine for me. Your records are OK. – Flappy Oct 13 '13 at 13:43
  • http://willwarren.com/2014/04/21/setting-spf-records-google-apps-amazon-ses/ – Arto Bendiken Jan 19 '15 at 17:25
  • According to http://serverfault.com/questions/682467/route-53-should-i-duplicate-my-spf-records-as-txt-records/682495 you should list this as a TXT in your DNS, not SPF. – Sean Bannister Apr 15 '15 at 15:05

3 Answers

23
  1. Publish a TXT record:

    "v=spf1 include:_spf.google.com include:amazonses.com ~all"
    

    Amazon SES documentation says that no additional SPF configuration is required for a domain, but it turns out that adding include:amazonses.com to the record makes Sender ID pass as well. Even though Sender ID is considered obsolete, some receivers could implement it.

    If Amazon SES is configured to use a custom MAIL-FROM subdomain, publish another TXT record for the subdomain:

    "v=spf1 include:amazonses.com ~all"
    

    It's good to have a custom subdomain set up for better deliverability and customer experience. For example, the domain will be displayed in the mailed-by field in Gmail.

    You can use -all instead of ~all. In this case, emails sent from sources not covered in the SPF record may be rejected by recipients.

  2. According to Section 3.1 of RFC 7208:

    SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only.

    Thus, the SPF record type is now obsolete.

  3. Regarding your comment, here is one simple way to test whether SPF works:

    • Send emails to check-auth@verifier.port25.com from both Gmail and Amazon SES Test Email form.
    • Afterwards, search the automated reply for SPF check: pass.
Vitaly Kuznetsov
  • While I agree with you that amazon says that it's not required to touch the spf record, I have found that if I include amazonses.com in my spf record as shown here `"v=spf1 include:_spf.google.com include:amazonses.com ~all"` then the Sender-ID check of check-auth@verifier.port25.com goes from a softfail to a pass. I don't think it improves deliverability but it's probably cleaner to have a pass? – triadiktyo Jan 04 '16 at 15:34
  • @triadiktyo - I was wondering about the same thing. It definitely feels better to have a pass. – Olaf Jan 15 '16 at 16:34
  • @triadiktyo: that's a great catch. I have updated the post accordingly. Note to future readers: port25 no longer verifies Sender ID. – Vitaly Kuznetsov Jul 17 '17 at 13:20
  • Note that the separate TXT record for the custom SES mail-from will have a different subdomain as its name, namely the subdomain that you tell SES when you set up the custom from. – user984003 Feb 08 '22 at 19:30
12

The correct approach is to include each sender in the SPF record. Regarding the - or ~, these are the SPF qualifiers:

"-" = only the listed hosts are permitted

"~" = the listed hosts should send, but another sender might exist.

If you are 100% sure that you have listed all the senders you can change the ~ to -, BUT you should not maintain both.

TXT "v=spf1 include:amazonses.com include:_spf.google.com -all"

http://www.open-spf.org/SPF_Record_Syntax/

andreas
AleJacquet
  • Doesn't Amazon SES specifically say you don't need to do anything for SPF? See http://docs.aws.amazon.com/ses/latest/DeveloperGuide/authenticate-domain.html – user1480192 Oct 18 '15 at 04:03
  • @user1480192 You don't *need* to, but it's best to. You do need to if you want emails you send to come from your own domain and not an AmazonSES one, or if you want your emails to pass DMARC tests. – Eborbob Jul 28 '17 at 14:10
-1

After many months of trying to create a correct SPF record and prevent my emails from Amazon being classified as SPAM, I've found that an SPF syntax validator exists. Using a Validator and SPF Policy Tester I was able to create an SPF record that suits my requirements.

Gmail:

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.google.com +mx ?all

Yandex:

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.yandex.net +mx ?all
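A syntax check of the kind this answer relies on can be done offline. The following linter is an added example, not the validator the answer used and not code from this page; it inspects only the record text (no DNS, so `include:` targets are never resolved and the CIDR blocks above are taken as written, not verified against any provider). It applies the RFC 7208 rules a practitioner cares about here: the `v=spf1` prefix, known mechanism and modifier syntax, valid `ip4`/`ip6` blocks, terms placed after `all` (never evaluated), a permissive `?all`/`+all` (which leaves unlisted senders unpoliced), and the limit of 10 DNS-lookup terms per evaluation.

```python
"""Offline SPF record syntax lint (added example, not the validator the answer used)."""
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# qualifier, name, separator (":" or "/" for mechanisms, "=" for modifiers), argument
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.IGNORECASE)


def lint_spf(record):
    """Return a list of problem strings for one SPF record; [] means it looks sane."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    lookups = 0
    seen_all = False
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append("unparseable term %r" % term)
            continue
        qual, name, sep, arg = m.groups()
        name = name.lower()
        if seen_all:
            problems.append("term %r comes after 'all' and is never evaluated" % term)
        if name in MODIFIERS:
            if qual or sep != "=" or not arg:
                problems.append("modifier %r must look like %s=<domain>" % (term, name))
            if name == "redirect":
                lookups += 1
        elif name in MECHANISMS:
            if sep == "=":
                problems.append("mechanism %r uses '=' (that is modifier syntax)" % term)
            if name in LOOKUP_TERMS:
                lookups += 1
            if name in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(arg or "", strict=False)
                    if net.version != int(name[2]):
                        problems.append("%r argument is not an IPv%s block" % (term, name[2]))
                except ValueError:
                    problems.append("%r is not a valid IP address or CIDR block" % term)
            if name == "all":
                seen_all = True
                if qual in ("?", "+"):
                    problems.append("'%sall' lets any unlisted sender through; use ~all or -all" % qual)
        else:
            problems.append("unknown term %r" % term)
    if not seen_all:
        problems.append("no 'all' term: unlisted senders get 'neutral', which is no policy")
    if lookups > MAX_LOOKUPS:
        problems.append("%d DNS-lookup terms exceed the limit of %d (permerror at receivers)"
                        % (lookups, MAX_LOOKUPS))
    return problems


if __name__ == "__main__":
    # The Gmail record from this answer, and the merged record from the question.
    for rec in (
        "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 "
        "ip4:69.169.224.0/20 a:amazonses.com include:_spf.google.com +mx ?all",
        "v=spf1 include:amazonses.com include:_spf.google.com ~all",
    ):
        print(rec, "->", lint_spf(rec) or "OK")
```

Run against the Gmail record above, the only finding is the `?all`: every listed term parses and the record uses just three lookup terms (`a`, `include`, `mx`), but a neutral default means a receiver learns nothing about senders outside the list. The questioner's merged record with `~all` passes cleanly.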
piet.t