17

Part of my SPF record contains:

include:google.com

I'm still getting soft fail because the actual e-mail is delivered by the following:

Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]

Which has a completely different IP from google.com. However, I don't want to put in mail-yx0-f172.google.com because it might be dynamic. Is there some equivalent of *.google.com that I can use in the record?

deltanovember

1 Answer

27

No, you can't. That is not the correct SPF record, and it is not the correct address of Google's SPF record. Anyone with control of a reverse DNS domain can make any IP have any name he/she wants, like "google.com", "whitehouse.gov", etc. Allowing reverse matches at all would be very wrong.

The "include" feature of SPF works differently. It does a direct DNS resolution on the given name, and then processes the records that come from that response. The correct SPF record for Google's e-mail servers is:

v=spf1 include:_spf.google.com ~all

The match is done by IP address from the results returned by a TXT DNS query to _spf.google.com. Should Google ever change the IP address of their mail servers, this record should be changed too. As of today, a query to that record returns:

~% dig +short txt _spf.google.com
"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20
ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16
ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

Note that the address you are seeing, 209.85.213.172, is included above, in 209.85.128.0/17. So, if your SPF record is configured correctly, it should PASS.

More information on Google Apps Help.

Juliano
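The include evaluation described in the answer, as an added example that is not part of the original answer: a small offline evaluator for the ip4, include and all mechanisms. The domain example.org and the in-memory TXT table are constructed for illustration; the _spf.google.com value is the one quoted in the answer.

```python
import ipaddress

# Constructed TXT data standing in for DNS so the example runs offline.
# example.org is a hypothetical sender domain; the _spf.google.com value
# is the dig output quoted in the answer.
TXT = {
    "example.org": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": (
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
        "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
        "ip4:173.194.0.0/16 ?all"
    ),
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the ip4, include and all mechanisms (a subset of RFC 7208)."""
    if depth > 10:  # simplified loop guard; RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included record evaluates to
            # "pass"; its softfail/neutral/fail results do not propagate.
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

The address from the Received header evaluates to pass through the include, while an address outside Google's ranges falls through to the outer ~all and gets softfail, not the neutral of the included record's ?all.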