1

I am using Zoho Mail, AWS SES, Gmail SMTP, Cloudflare Email Routing and Yahoo SMTP. They all have their own SPF record. I saw on Google that only one SPF record should be added per hostname and that a maximum of 10 SPF hostnames is supported in one SPF record.

I am trying to merge them; which one is the correct one?

v=spf1 include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com ~all

or

v=spf1 a mx include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com ~all

or

v=spf1 a mx include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com -all

Errors I am getting when testing with mail-tester.com:

Error 1: Maximum DNS-interactive terms limit (10) exceeded

Error 2: example.com: Sender is not authorized by default to use 'user@example.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)

Mehul Kumar
  • Which record are you using to generate the report? Also, the last two of the three are identical. – Paul Jan 09 '23 at 21:37
  • @Paul `mail-tester.com` for testing the mail and errors. And all 3 records are different. – Mehul Kumar Jan 10 '23 at 04:31
  • You probably don't need the `A` and `MX` mechanisms, unless you have a mail server that uses the same IP address for sending and receiving. Those mechanisms usually come from examples ESPs use. Whether to use `soft fail` (`~all`) or `fail` (`-all`) in the catch-all is a personal choice. If you rely on DMARC, I'd suggest using `~all`, so as not to junk forwarded emails that fail SPF. – Reinto Jan 10 '23 at 10:56
  • As for the 10-lookup limit, you could consider using subdomains for authenticating SPF, i.e. many services allow you to send from me@mydomain.com while setting the bounce address (`Return-Path` header) to bounces@SUB.mydomain.com, on which the SPF check is done. – Reinto Jan 10 '23 at 11:02
  • The first record has two more DNS lookups than the other two. The DNS lookups for the last two are identical. Changing the mechanisms does nothing to change DNS lookups. – Paul Jan 10 '23 at 13:08
  • @Paul Well, the question is about merging as well as about limits (errors). I imagine service A includes in their example `v=spf1 A MX include:_spf.serviceA.com -all`, while Service B includes in their example `v=spf1 MX include:_spf.ServiceB.com ~all` and Service C includes in their example `v=spf1 include:_spf.serviceC.com ~all`. – Reinto Jan 18 '23 at 15:20
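The two errors above come from two different rules of SPF evaluation (RFC 7208): the `a`, `mx`, `include`, `redirect`, `exists` and `ptr` terms each cost one DNS lookup, the count is cumulative across every nested `include`, and more than 10 is a permanent error; separately, if no mechanism matches the sending IP, the record falls through to the `~all`/`-all` catch-all, which is exactly Error 2. The following simplified evaluator is an added example, not code from the question or from any of the providers named. It resolves the three candidate records from the question against a constructed in-memory zone: the include hostnames are the ones from the question, but the SPF, A and MX contents behind them are invented for this example (the real provider records differ and change over time), as are the sender addresses and `example.com`. It reports the total lookup count of each record and the SPF result a receiver would return for a given sender IP.

```python
"""Simplified SPF evaluator: DNS-lookup budget and sender-IP check (example code)."""
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 s.4.6.4: more than 10 DNS-interactive terms -> permerror
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised when the cumulative lookup budget is exhausted during evaluation."""


# Constructed stand-in zone. The include names are those from the question; every
# SPF/A/MX value here is invented for this example and is NOT a provider's real record.
ZONE = {
    "example.com": {"a": ["203.0.113.200"], "mx": ["mail.example.com"]},
    "mail.example.com": {"a": ["203.0.113.201"]},
    "_spf.mx.cloudflare.net": {"spf": "v=spf1 ip4:192.0.2.0/24 ~all"},
    "zoho.in": {"spf": "v=spf1 include:zoho-hosts.example ~all"},
    "zoho-hosts.example": {"spf": "v=spf1 ip4:198.51.100.0/24 ~all"},
    "_spf.google.com": {"spf": "v=spf1 include:nb1.example include:nb2.example include:nb3.example ~all"},
    "nb1.example": {"spf": "v=spf1 ip4:203.0.113.0/26 ~all"},
    "nb2.example": {"spf": "v=spf1 ip4:203.0.113.64/26 ~all"},
    "nb3.example": {"spf": "v=spf1 ip4:203.0.113.128/26 ~all"},
    "_spf.mail.yahoo.com": {"spf": "v=spf1 include:y1.example include:y2.example ~all"},
    "y1.example": {"spf": "v=spf1 ip4:198.18.0.0/16 ~all"},
    "y2.example": {"spf": "v=spf1 ip4:198.19.0.0/16 ~all"},
}

# The three candidate records from the question, verbatim.
RECORDS = {
    "1": "v=spf1 include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com ~all",
    "2": "v=spf1 a mx include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com ~all",
    "3": "v=spf1 a mx include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com -all",
}


def lookup(name, kind, zone=ZONE):
    """Offline stand-in for a DNS query: returns the 'spf', 'a' or 'mx' data of a name."""
    return zone.get(name, {}).get(kind)


def evaluate(domain, ip, record=None, zone=ZONE, budget=None):
    """Return (result, lookups_used) for sender `ip` against `domain`'s SPF record.

    ip=None walks every term without matching, i.e. it counts the full include tree
    the way a record linter does; with an IP it stops at the first matching mechanism.
    Only the mechanisms used by the question's records are implemented (no CIDR on a/mx,
    no macros, IPv6 senders are not matched).
    """
    budget = [0] if budget is None else budget
    record = record if record is not None else lookup(domain, "spf", zone)
    if record is None:
        return "none", budget[0]
    addr = ipaddress.ip_address(ip) if ip else None
    redirect = None
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIER_RESULT:      # explicit +, -, ~ or ? qualifier
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":") if ":" in term else term.partition("=")
        name = name.lower()
        if name in LOOKUP_TERMS:             # every such term costs one lookup, even when nested
            budget[0] += 1
            if addr is not None and budget[0] > LOOKUP_LIMIT:
                raise PermError(f"Maximum DNS-interactive terms limit ({LOOKUP_LIMIT}) exceeded")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr is not None and addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr is not None and str(addr) in (lookup(arg or domain, "a", zone) or [])
        elif name == "mx":
            hosts = lookup(arg or domain, "mx", zone) or []
            matched = addr is not None and any(str(addr) in (lookup(h, "a", zone) or []) for h in hosts)
        elif name == "include":              # an include only matches if the nested result is "pass"
            matched = evaluate(arg, ip, zone=zone, budget=budget)[0] == "pass"
        elif name == "redirect":
            redirect = arg
            continue
        if matched and addr is not None:
            return QUALIFIER_RESULT[qual], budget[0]
    if redirect:
        return evaluate(redirect, ip, zone=zone, budget=budget)
    return "neutral", budget[0]


def count_lookups(record, domain="example.com"):
    """Total DNS-interactive terms across the whole include tree of `record`."""
    return evaluate(domain, None, record=record)[1]


def check_sender(record, ip, domain="example.com"):
    """SPF result a receiver would produce for mail from `ip` with MAIL FROM in `domain`."""
    try:
        return evaluate(domain, ip, record=record)[0]
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for label, rec in RECORDS.items():
        print(f"record {label}: {count_lookups(rec)} lookups; "
              f"unknown sender 10.0.0.1 -> {check_sender(rec, '10.0.0.1')}")
```

Under this constructed zone record 1 uses exactly 10 lookups, while records 2 and 3 use 12 because `a` and `mx` each add one, so a sender that matches nothing in the first terms runs the budget out and gets `permerror` (Error 1) rather than ever reaching `~all` or `-all`. With record 1 the same unmatched sender falls through to `~all` and gets `softfail`, which is what Error 2 reports; the fix for that error is to find which service's outbound IP is missing from the include chain, not to change the catch-all qualifier.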

0 Answers