
Assume my IP addresses are 222.222.222.1 and 222.222.222.2 and my domain is mydomain.com.

I wish to send regular emails on behalf of my customers' domains from my servers (relaying/spoofing).

Hence my customers will need to enter my SPF include text into their TXT record (v=spf1 ...), the same as I add salesforce.com and others to my TXT record (v=spf1 ...):

e.g. "v=spf1 a mx ip4:222.222.222.1 ip4:222.222.222.2 include:_spf.salesforce.com -all"

What I don't understand is how I separate my SPF record (for sending my domain's emails) from our email service's SPF lookup (used by our customers).

This nearly answers it, except it does not say how to set up the zone file record: How to create SPF record for many IPs (SPF longer than 255 characters)

Do I set up a TXT record, an A record, a CNAME record? What type of record, and how? I would assume this string goes in the data value area of my record?

e.g. "v=spf1 ip4:222.222.222.1 ip4:222.222.222.2 -all", and somehow it needs this subdomain "_spf.mydomain.com"

and then my customers' TXT record for SPF looks similar to this:

e.g. "v=spf1 a mx include:_spf.mydomain.com -all"

I am somewhat confident I am on the right track. I just do not know how it is implemented in my zone file.

TheArchitecta

1 Answer

When an email receiver chooses to validate a sender with SPF, it will look up TXT records for the sending domain (root or @ records), and look for exactly one that starts with v=spf1. That record can include anything it wants. Your customers will need a record of that form, and you will need one on your domain with your own sender setup.

The root SPF record can include any record it likes. It is common practice for email services to have SPF records at other, non-root names (_spf.mydomain.com for example) for inclusion in other records.

So in your zone file, you would have something like:

_spf IN TXT   "v=spf1 ip4:222.222.222.1 ip4:222.222.222.2 -all"
@    IN TXT   "v=spf1 include:myownmailsender.com -all"

Your customers add include:_spf.mydomain.com to their records, and you use the @ record to customize your own sending preferences.

captncraig
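As an added illustration (not part of the question or the answer above), here is a small Python walker that resolves an SPF tree the way a receiver does: it requires exactly one v=spf1 TXT record per name, follows include:/redirect= recursively, detects include loops, and counts the terms that cost a DNS lookup against the ten-lookup limit that comes up in the comments. The zone data is constructed for the example: the 222.222.222.x addresses, _spf.mydomain.com and myownmailsender.com come from the thread; example.com, loop.test, heavy.test and 203.0.113.7 are assumed.

```python
import re

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than ten lookup-causing terms is a permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS (not real records): a customer zone including
# the provider's _spf name, the provider's own @ record, a self-include loop, and a heavy record.
ZONE = {
    "example.com": ["v=spf1 a mx include:_spf.mydomain.com -all"],
    "_spf.mydomain.com": ["v=spf1 ip4:222.222.222.1 ip4:222.222.222.2 -all"],
    "mydomain.com": ["v=spf1 include:myownmailsender.com -all", "site-verification=xyz"],
    "myownmailsender.com": ["v=spf1 ip4:203.0.113.7 -all"],
    "loop.test": ["v=spf1 include:loop.test -all"],
    "heavy.test": ["v=spf1 " + " ".join(f"include:h{i}.test" for i in range(11)) + " -all"],
}
ZONE.update({f"h{i}.test": ["v=spf1 -all"] for i in range(11)})

def spf_record(domain, zone):
    """Exactly one v=spf1 TXT record must exist (RFC 7208 4.5); otherwise return None."""
    recs = [r for r in zone.get(domain, []) if re.match(r"v=spf1(\s|$)", r, re.I)]
    return recs[0] if len(recs) == 1 else None

def walk(domain, zone, path=()):
    """Follow include:/redirect= recursively; return (ip4 list, lookup count, errors)."""
    if domain in path:
        return [], 0, [f"include loop: {' -> '.join(path + (domain,))}"]
    rec = spf_record(domain, zone)
    if rec is None:
        return [], 0, [f"no single v=spf1 record at {domain}"]
    nets, lookups, errors = [], 0, []
    for term in rec.split()[1:]:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)(?:[:=](\S+)|/\d+)?$", term, re.I)
        if not m:
            continue                      # modifiers not modelled here are skipped
        name, arg = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            lookups += 1                  # each of these costs the receiver a DNS query
        if name == "ip4":
            nets.append(arg)
        elif name in ("include", "redirect"):
            n, l, e = walk(arg, zone, path + (domain,))
            nets, lookups, errors = nets + n, lookups + l, errors + e
    return nets, lookups, errors

def check(domain, zone=ZONE):
    """Resolve a domain's SPF tree and report what a receiver would reject as permerror."""
    nets, lookups, errors = walk(domain, zone)
    if lookups > MAX_LOOKUPS:
        errors.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return {"ip4": nets, "lookups": lookups, "errors": errors}
```

Running check("example.com") shows the customer's record costing three lookups (a, mx, include) and resolving to the provider's two addresses, while check("heavy.test") reports the eleven-lookup permerror that flattening is meant to avoid.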
  • Thank you. Very clear answer! A couple of follow-ups: Is it the email client or the email server validating the sender? And when they look up the TXT records with the "include:_spf.mydomain.com", will they only find the top record due to the "_spf"? – TheArchitecta Aug 01 '17 at 14:25
  • Sorry, I don't have quite enough points to upvote you yet! OK, I do now. :) – TheArchitecta Aug 01 '17 at 14:27
  • Sorry, client was ambiguous. Edited to reflect that the receiver validates SPF. It is optional. – captncraig Aug 01 '17 at 14:27
  • The receiver will recursively follow includes. They will look up `TXT example.com.` for the third-party domain, and then look up the included `TXT _spf.yourdomain.com`. They will follow all fully qualified domain names included. They will not find your own `mydomain.com` record unless it is explicitly included in another domain's. – captncraig Aug 01 '17 at 14:29
  • Yes, of course. You gave me exactly the right answer; ultimately the last sentence sums it up well. But your snippet is laid out perfectly. I can now update my zone file. – TheArchitecta Aug 01 '17 at 14:30
  • Yes, it is actually the recursive issue that has brought me here. My customer has 14 lookups/10, and I believe my lookup is after the tenth. – TheArchitecta Aug 01 '17 at 14:34
  • But the lookup that is causing the problem is because they are using include:mail.tnz.co.nz, which is causing 2 errors and 3 extra recursive lookups, but I have yet to confirm this with tnz. – TheArchitecta Aug 01 '17 at 14:43
  • Yes, SPF resolution is tricky. If there are already 10 lookups before you, some resolvers will probably fail. They will need to remove, or "flatten", some of the includes. – captncraig Aug 01 '17 at 14:48
  • You just moved to 10k+ – TheArchitecta Aug 01 '17 at 14:56