What would be the correct SPF record to use for both Amazon SES and Google Apps together:
Google Apps says they want you to have the tilde "~" in it: http://support.google.com/a/bin/answer.py?hl=en&answer=178723, but most other examples have a dash "-" instead.
Amazon wants: "v=spf1 include:amazonses.com -all"
Google wants: "v=spf1 include:_spf.google.com ~all"
We currently have this, combining both together:
TXT "v=spf1 include:amazonses.com include:_spf.google.com ~all"
SPF "v=spf1 include:amazonses.com include:_spf.google.com ~all"
1) Is this the correct SPF record?
2) Are we missing anything, should this record be the exact same for both TXT & SPF DNS records? That is all we have, we don't have anything else.
We only send email from Google Apps and Amazon SES, nothing else.
Publish a TXT record:
"v=spf1 include:_spf.google.com include:amazonses.com ~all"
Amazon SES documentation says that no additional SPF configuration is required for a domain, but it turns out that adding include:amazonses.com to the record makes Sender ID pass as well. Even though Sender ID is considered obsolete, some receivers could implement it.
If Amazon SES is configured to use a custom MAIL-FROM subdomain, publish another TXT record for the subdomain:
"v=spf1 include:amazonses.com ~all"
It's good to have a custom subdomain set up for better deliverability and customer experience. For example, the domain will be displayed in the mailed-by field in Gmail.
You can use -all instead of ~all. In this case, emails sent from sources not covered in SPF record may be rejected by recipients.
According to Section 3.1 of RFC 7208:
SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only.
Thus, SPF record type is now obsolete.
Regarding your comment, here is one simple way to test whether SPF works:
check-auth@verifier.port25.com
from both Gmail and Amazon SES Test Email form. SPF check: pass
The correct way is to include each sender in the SPF record. Regarding the - or ~, these are SPF properties:
"-" = only the listed hosts are permitted
"~" = the listed hosts should send, but another sender might exist.
If you are 100% sure that you have all the senders listed, you can change the ~ to -, BUT you should not maintain both.
TXT "v=spf1 include:amazonses.com include:_spf.google.com -all"
www.openspf.org/SPF_Record_Syntax
After many months trying to create a correct SPF record and prevent my emails from Amazon being classified as spam, I found that an SPF syntax validator exists. Using a validator and SPF Policy Tester, I was able to create an SPF record that suits my requirements.
Gmail:
v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.google.com +mx ?all
Yandex:
v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.yandex.net +mx ?all
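An added example, not part of any of the posts above: a small offline linter for the SPF strings quoted on this page. It checks that a name carries exactly one `v=spf1` record, that every expected sender is included, and what the trailing `all` qualifier does to unlisted senders. The names `lint_spf`, `COMBINED`, `SPLIT` and `SENDERS` are hypothetical, and no DNS queries are made, so only top-level lookup terms are counted.

```python
import re

# Terms that each cost one DNS query at evaluation time (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(txt_records, required_includes=()):
    """Lint the TXT strings published at one DNS name, without any DNS queries.

    Returns {"policy", "lookups", "findings"}; policy is the result the
    trailing "all" gives to senders that no earlier mechanism matched.
    """
    cleaned = [r.strip().strip('"').lower() for r in txt_records]
    spf = [r for r in cleaned if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(spf) != 1:
        # Receivers return permerror when a name carries several v=spf1 records.
        return {"policy": None, "lookups": 0,
                "findings": [f"expected exactly one v=spf1 record, found {len(spf)}"]}
    terms = spf[0].split()[1:]
    policy, lookups, includes, findings = None, 0, set(), []
    for pos, term in enumerate(terms):
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(.*)", term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, name, rest = m.group(1) or "+", m.group(2), m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.add(rest.lstrip(":"))
        if name == "all":
            policy = QUALIFIERS[qualifier]
            if pos != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    for domain in required_includes:
        if domain.lower() not in includes:
            findings.append(f"missing include:{domain}")
    if policy is None:
        findings.append("no 'all' mechanism: neutral for unlisted senders unless redirect= is used")
    elif policy == "pass":
        findings.append("+all authorizes every host on the internet")
    if lookups > 10:
        # Only top-level terms are counted here; nested includes add more.
        findings.append(f"{lookups} lookup terms exceeds the limit of 10")
    return {"policy": policy, "lookups": lookups, "findings": findings}

# Records quoted on this page, used as sample input.
COMBINED = ['"v=spf1 include:_spf.google.com include:amazonses.com ~all"']
SPLIT = ['"v=spf1 include:amazonses.com -all"', '"v=spf1 include:_spf.google.com ~all"']
SENDERS = ("_spf.google.com", "amazonses.com")
```

Publishing the two vendor records side by side (`SPLIT`) is reported as an error, while the merged record (`COMBINED`) comes back clean with a `softfail` policy.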