0

Please help me set up an SPF record. I have found several SPF record generators, but all the questions are too complicated and I am afraid of getting something wrong.

I want to allow sending mail only from:

1) from all IP addresses that are listed as A records for this domain.
2) from other servers in my data center in the same IP range
3) from Gmail servers - my domain is set up to use Gmail (all MX records are Google's MX records).

Google's instructions say to include include:_spf.google.com ~all in the SPF record. Do I need mx in this case?

Which is correct:

v=spf1 a ip4:111.222.333.0/24 include:_spf.google.com ~all

or

v=spf1 mx a ip4:111.222.333.0/24 include:_spf.google.com ~all

Thanks.

2 Answers

2

The first is correct for testing. The second is unnecessary because of the Google include.

When you're done testing (send an e-mail from all authorized servers to a test service) change the "~all" to "-all". The tilde indicates that you're testing.

0

To add some details to Chris S's perfectly correct answer,

v=spf1 a ip4:111.222.333.0/24 include:_spf.google.com -all is correct.
You do not need to include mx, because you already have include:_spf.google.com, which allows Gmail.

Since you said you want to allow sending mail only from these servers, you should put a -all instead of ~all to strictly enforce SPF rules. With a ~all, other servers will still be able to send email using your domain.

Note: With a -all, users under your domain will not be able to send e-mails using alternative SMTP servers, such as yahoo, hotmail, etc.

Depending on the configuration of your e-mail server software, you may also need to put your ip6 address in the SPF record. When both ip4 and ip6 are enabled on your side, some e-mail server software (e.g. sendmail) will use ip6 to deliver to Gmail addresses, and the lack of an ip6 SPF record will cause Gmail servers to refuse e-mails from your server.
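Added example (not part of either answer): a small offline evaluator showing how a receiver walks the record from this thread left to right, and how ~all, -all and a missing ip6 mechanism change the result. The addresses are constructed from documentation ranges, and the RESOLVED table is a hypothetical stand-in for the DNS lookups that "a" and "include:" would trigger; a real checker evaluates the included record recursively.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, resolved):
    """Evaluate sender_ip against an SPF record; the first matching term wins.

    resolved maps DNS-dependent mechanisms ("a", "mx", "include:<domain>") to
    the networks they expand to, so the check runs offline (assumption: this
    replaces the DNS queries a real SPF checker would make).
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            nets = [term[4:]]
        else:
            nets = resolved.get(term, [])
        for net in nets:
            network = ipaddress.ip_network(net, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

# Constructed sample data: documentation address ranges, not real DNS answers.
RESOLVED = {
    "a": ["203.0.113.10/32"],
    "include:_spf.google.com": ["198.51.100.0/24"],
}
SOFT = "v=spf1 a ip4:203.0.113.0/24 include:_spf.google.com ~all"
HARD = "v=spf1 a ip4:203.0.113.0/24 include:_spf.google.com -all"
HARD_V6 = "v=spf1 a ip4:203.0.113.0/24 ip6:2001:db8:1::/48 include:_spf.google.com -all"

if __name__ == "__main__":
    # Own server over IPv4, an unrelated server, own server over IPv6.
    for rec in (SOFT, HARD, HARD_V6):
        for ip in ("203.0.113.25", "192.0.2.77", "2001:db8:1::25"):
            print(f"{check_spf(rec, ip, RESOLVED):9} {ip:16} {rec}")
```

The unrelated server gets softfail under ~all and fail under -all, and the same host that passes over IPv4 fails over IPv6 until an ip6: mechanism is added.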
