Way to open up SPF to all IPs just for a subdomain?

Question

I know this is a bit of a weird / silly question, but we have a sub-domain which acts as a way for our hotel owners to communicate with clients. messages.mydomain.com. What happens if they have a unique username (abcdef@messages.mydomain.com), which is then processed by our system and passed along to the correct person. Now, this all works fine - apart from the fact its causing peoples emails to come up with SPF fails:

What I have set is:

v=spf1 a mx ~all

Is there a way to make it "wide open" so it will validate with any IPs? On the main domain we lock it down just to our IP ranges, but we don't want this behaviour on the subdomain

Oh - and the sub-domain has its own DNS record (not just part of the record of the main domain)

Might as well just skip the SPF record entirely in this scenario. — ceejayoz, Apr 27 '20 at 15:04
@ceejayoz wouldn't that cause SPF to fail though? (as there is no record) — Andrew Newby, Apr 27 '20 at 15:16
A missing SPF generally is treated as neutral. If I ran an email provider, I'd ding a global `+all` record more in reputation than a missing one, personally. — ceejayoz, Apr 27 '20 at 15:54
@ceejayoz ah ok. Well I'll give it a run with +all, and see if that affects it. If it does, I'll try removing it and see how that goes then :) — Andrew Newby, Apr 27 '20 at 15:58
Do I interpret this correctly, that the system `messages.mydomain.com` is a forwarding service, and the system keeps the sender address as is? — Esa Jokinen, Apr 27 '20 at 16:02
@EsaJokinen Kind of - well what happens is that for non-paid members, we only let them reply via foo@messages.mydomain.com (a unique ID for them). For paid owners, we let them simply hit "reply" to the email (and this then goes back directly to the client). Thats why I was thinking we need to get rid of the SPF side of things and see how that goes :) (emails are currently getting through, but we only have a loose DMARC record currently) — Andrew Newby, Apr 27 '20 at 16:48

score 0 · Answer 1 · answered Apr 27 '20 at 14:50

0

Typically, I think I have managed to find my own answer:

v=spf1 +all

While this provides a SPF record, it will automatically validate any incoming emails (no matter what IP). This is all I need for this bit

answered Apr 27 '20 at 14:50

Andrew Newby

1,102
2
25
58

Way to open up SPF to all IPs just for a subdomain?

1 Answers1