4

I just want to clarify the +a part of an SPF record since I have an idea how this works but I am unsure.

spf record for example.com

v=spf1 +a -all

My current understanding is that if there is a valid a record for the server it will be accepted.

For example:

A: example.com 123.456.789.12

the IP address above would be a valid sender for example.com because of +a.

However I am unsure about sub-domains and how this works.

A: server-1.example.com 123.456.789.13
A: server-2.example.com 123.456.789.14

Would these IP addresses also be allowed to send as example.com because of the +a part of the SPF record?

Thank you

dgibbs
  • It looks like v=spf1 a -all is the same as v=spf1 a:example.com -all. So because of this I would need to add separate records for server-1.example.com and server-2.example.com? – dgibbs Apr 22 '13 at 16:24
  • 1
    please don't use `123.456.789.012` when making up A-records, it is not a possible IP address(456 and 789 > 255) and makes it hard to answer your question with a good example – Gryphius Apr 22 '13 at 16:34
  • 2
    Is server-1.example.com truly a subdomain name and not just an A record (host) on example.com? – TheCleaner Apr 22 '13 at 16:52
  • It is just an a record for example.com pointing at a different IP address – dgibbs Apr 22 '13 at 22:13

2 Answers

7

To give a valid example of how to use the a mechanism with an FQDN other than the current SPF record, here are a few options:

a mechanism with a domain name as argument (and how it expands):

v=spf1 a:server-1.example.com a:server-2.example.com -all
v=spf1 123.456.789.13         123.456.789.14         -all

a mechanism with a CIDR prefix as argument (and how it expands):

v=spf1 a/24              -all
v=spf1 123.456.789.12/24 -all

You can either use a specific FQDN to look up (server-1.example.com) and then trust the registered IP address(es) for that host, or you can perform a lookup on the current FQDN - that is, the domain name for which we are currently performing the SPF check. You can then add a prefix to specify an entire network segment around the resulting IP address(es).

Both of the above examples will work for your domain, given the details in your question, but I would recommend the first option.

One more thing:

a is the same as +a

The + qualifier is the default qualifier, no need for that.

Mathias R. Jessen
  • Great post. The + sign confused me between different guides. Also, can "a" be alone to symbolize the current website while using a:someadditionalsite.com like in "v=spf1 +mx +a +a:someadditionalsite.com -all" ? – SILENT Jan 12 '17 at 14:53
  • 2
    @SILENT absolutely - again, `+` is implied and unnecessary, `v=spf1 mx a a:someadditionalsite.com -all` will suffice – Mathias R. Jessen Jan 12 '17 at 15:25
5

a would only include the A record(s) of example.com, unless you explicitly specify a hostname, e.g. a:server-1.example.com. If your servers all have IPs in the same subnet you could for example specify a/24, which would include example.com's A record and all IPs in the same /24.

see http://www.openspf.org/SPF_Record_Syntax#a

Gryphius
  • Thanks for the answer. Do you have any examples of records that a might cover other than just example.com. As far as I can tell a only covers the a record for example.com. – dgibbs Apr 22 '13 at 22:22
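As an added illustration of what both answers describe (this is example code written for this page, not code from either answerer), the following Python evaluator implements the `a`, `ip4` and `all` mechanisms with their qualifiers against a constructed DNS table. The hostnames are the ones from the question; the addresses are RFC 5737 documentation ranges substituted for the impossible 123.456.x.x values, and a real implementation would query a resolver instead of the `DNS_A` dict. It shows that a bare `a` only covers example.com's own A record, that `a:host` extends coverage to named hosts, and that `a/24` only helps when the hosts share the /24.

```python
import ipaddress
import re

# Constructed zone data standing in for DNS lookups (assumption: not real hosts).
# server-2 is deliberately placed in a different /24 than example.com itself.
DNS_A = {
    "example.com": ["192.0.2.12"],
    "server-1.example.com": ["192.0.2.13"],
    "server-2.example.com": ["198.51.100.14"],
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# qualifier? mechanism (":" argument)? ("/" prefix-length)?   e.g.  -a:host.example/24
TERM_RE = re.compile(r"^([+\-~?])?(all|a|ip4)(?::([^/]+))?(?:/(\d{1,2}))?$")


def parse_record(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument, prefix) tuples.

    A missing qualifier is "+" and a missing prefix length is /32, exactly as the
    answers state ("a is the same as +a").
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        m = TERM_RE.match(term.lower())
        if not m:
            raise ValueError(f"unsupported term in this toy evaluator: {term}")
        qual, mech, arg, prefix = m.groups()
        if mech == "ip4" and arg is None:
            raise ValueError("ip4 requires an address argument")
        terms.append((qual or "+", mech, arg, int(prefix) if prefix else 32))
    return terms


def check_host(sender_ip, domain, record, dns_a=DNS_A):
    """Evaluate the sender IP against the record, left to right, first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg, prefix in parse_record(record):
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(f"{arg}/{prefix}", strict=False)
        else:
            # "a": look up the argument host, or the domain being checked when
            # no argument is given. Sub-hosts of that domain are NOT consulted.
            target = arg or domain
            matched = any(
                ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
                for addr in dns_a.get(target, [])
            )
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    records = [
        "v=spf1 +a -all",
        "v=spf1 a:server-1.example.com a:server-2.example.com -all",
        "v=spf1 a/24 -all",
    ]
    senders = ["192.0.2.12", "192.0.2.13", "198.51.100.14"]
    for rec in records:
        print(rec)
        for s in senders:
            print(f"  {s:>14} -> {check_host(s, 'example.com', rec)}")
```

Running the block prints a small matrix of which sender passes under which record; the middle record is the one the accepted answer recommends because it does not depend on the servers sharing a subnet.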