SPF Records
If you're not familiar with the SPF syntax, the place to go is http://openspf.org.
Google recommends anyone using Google Accounts for their email to use the following SPF record:
v=spf1 include:aspmx.googlemail.com ~all
The include mechanism includes the SPF record of the domain specified if it exists. Don't be tempted to simply include any domain, such as google.com for instance. It needs to be specifically the domain containing an SPF record that allows the mail servers used by Google to send email for their customers. If google.com has an SPF record, it may be only for emails sent from @google.com email addresses, and including it in your SPF may cause it to always return failures!
Looking up the DNS record of aspmx.googlemail.com we find the following:
host: aspmx.googlemail.com type: TXT txt: v=spf1 redirect=_spf.google.com class: IN ttl: 7200
The redirect mechanism does the obvious, it redirects the lookup to the domain specified. So looking up _spf.google.com we find:
host: _spf.google.com type: TXT txt: v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ?all class: IN ttl: 300
The ip4 mechanism lets you list individual IP addresses or whole address blocks in CIDR notation. This record is interpreted as follows: every address listed is allowed to send mail, and ?all means the record is neutral about any other address that might send mail for this domain. When a record is published to be used as an include in other SPF records, ending it with ?all apparently lets the parent SPF record allow additional mail servers and decide for itself how to treat any server not specifically allowed, using either ~all for a softfail when nothing matches (meaning "look more carefully, please") or -all for a hardfail (meaning "don't allow, period").
I learned a lot simply by looking at what Google does, and wound up recommending to HostMySite that they implement a similar approach. I hope they can implement my recommendation, which includes an internal policy to make sure their SPF record is updated whenever their outbound mail servers change, because simply being able to include:spf.safesecureweb.com in my SPF record will allow me to do it once and forget it. Otherwise I need to figure out a way to remain current with the IPs they allocate to their mail servers, which would be a pain.
So the proposed SPF record I wound up with for this client, provided HostMySite follows my recommendation, is:
"v=spf1 ip4:212.147.58.12 a include:spf.safesecureweb.com include:aspmx.googlemail.com ~all"
which will be interpreted as "allow the exchange server at 212.147.58.12 and include any allowed mail servers at spf.safesecureweb.com and aspmx.googlemail.com, and if another mail server tries to send email for this domain, softfail it and give it a closer look."
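To make that interpretation concrete, here is a small SPF evaluator added as an example (it is not code from the post, from openspf.org or from Google). It resolves records from a constructed in-memory table that stands in for DNS; the record for spf.safesecureweb.com and its address range are made up, and example.com stands in for the client's domain. It shows why a ?all inside an included record never surfaces in the including record, and how the trailing ~all of the client record decides the result for unknown senders.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT/A lookups (not real DNS data).
# The Google records mirror the post; spf.safesecureweb.com's range is invented.
DNS = {
    "example.com": {"TXT": "v=spf1 ip4:212.147.58.12 a include:spf.safesecureweb.com "
                           "include:aspmx.googlemail.com ~all",
                    "A": ["212.147.58.12"]},
    "spf.safesecureweb.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    "aspmx.googlemail.com": {"TXT": "v=spf1 redirect=_spf.google.com"},
    "_spf.google.com": {"TXT": "v=spf1 ip4:216.239.32.0/19 ip4:74.125.0.0/16 ?all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Simplified SPF check (RFC 7208 subset): ip4, a, include, redirect, all."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; treat runaway chains as permerror
        return "permerror"
    txt = DNS.get(domain, {}).get("TXT")
    if not txt or not txt.startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in txt.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4" and sender in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "a" and str(sender) in DNS.get(arg or domain, {}).get("A", []):
            return QUALIFIERS[qual]
        if name == "include":
            # include matches only when the included record yields "pass";
            # a neutral (?all) or fail (-all) result inside it does NOT match here
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
    if redirect:  # redirect is used only when no mechanism above matched
        return check_host(ip, redirect, depth + 1)
    return "neutral"
```

Running check_host("203.0.113.5", "example.com") walks both includes without a match and ends at the client's ~all, so the verdict is softfail even though Google's own record would have answered neutral.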
At openspf.org you'll find a link to a testing tool that allows you to test your SPF strings. It's very handy. Once your SPF string passes validation with this tool, simulating mail sent from each of the IPs that could plausibly send for you, THEN you can modify your DNS record to include an SPF record with more confidence that what you have come up with will work well.
Update: HostMySite has adopted the suggestion I put forward to them. Their SPF record is at spf.safesecureweb.com and contains their ranges of allocated IPs. They've told me they will keep it updated going forward. Spread the word!


[Just a couple of copy edits: the link to Google's spf help page seems to be wrong, and in the last para: "Once your SPF sting"...]
Let us know if HMS adopt your suggestion. Cheers, Julian.
Here on my computer the SPF record you mention does not show correctly.
The sign just before all becomes a box instead of a "tilde". Maybe a little confusing; it could be a problem if someone copies and pastes it.
Best regards.
How does a receiving mail server query these other SPF records if it cannot resolve to them?
This include will work because aspmx.googlemail.com does not need to have an A record, but a TXT record instead.
If you do:
$ dig aspmx.googlemail.com TXT
you will get:
aspmx.googlemail.com. 7200 IN TXT "v=spf1 redirect=_spf.google.com"
Even in the case that aspmx.google.com does not have an IP address (A record)
Thanks for writing such a clear post.
"v=spf1 ip4:xxx.xxx.xx.xx a include:aspmx.googlemail.com ~all"
... so that both the server and google are authorized senders?
And is the IP address really needed if you have the "a" there, and if the IP address is already listed as an A entry for that domain?
And, specifically, I'm wondering if this, without the IP address but with the "a", might not be just as effective for people who want to authorize email from both their server and Google Apps:
"v=spf1 a include:aspmx.googlemail.com ~all"