
We have a CMS system in which multiple customers run their websites from a single virtual machine. Pages generated by the CMS allow forms to be filled in, which trigger emails to be sent. I am having trouble working out how to properly configure SPF record(s) so that emails will not be flagged as spam. From what I can work out, if we are hosting three customer domains:

customer1.com
customer2.info
customer3.co.uk

All on a machine called my-cms-uk.com

Then I need to add an SPF record for all three customer domains and also my-cms-uk.com, which all specify the IP of my-cms-uk.com as being allowed to send emails for that domain? I am not sure whether I need to add an SPF for the machine's FQDN as well.

I have tried Googling but cannot find a clear explanation of setting up SPF for multiple domains. The SPF records I am trying with specify the IP of the host, e.g.

"v=spf1 ip4:111.22.33.444 mx ~all"

Just to confuse me more, I looked at the SMTP setup of emails sent by people using mailgun and aweber and they do not seem to have the SPF setup I was expecting. For example Cal Newport (calnewport.com) has an email list that uses aweber but calnewport.com does not have an SPF record allowing aweber as an email sender?

Steve Claridge

1 Answer


There is no connection between them, as SPF records are set per domain, not per sending host.

If several different domains each send email coming only from one host, say mail.example.com, then each should have an SPF record like a:mail.example.com -all. Note that each makes no reference to the other domains sending from mail.example.com.

It is only important that mail.example.com have an A record pointing to the IP address of the permitted sending host for each domain.

A domain's SPF record might make reference to another domain, eg at the time of writing, hotpoint.co.uk's SPF record is include:_spf.google.com ip4:46.37.28.0/24 ip4:89.119.89.27 ip4:89.119.89.28 ip4:193.104.11.3 ~all. This includes google not because google's email also comes from hotpoint's servers, but because hotpoint's mail may come from google's infrastructure. If there are no other legitimate senders for email from each of your listed customer domains besides your single server, this complication does not apply to you.

Edit: if you are considering setting up SPF records, may I very strongly advise you not to bother if you're going to end them with ~all or ?all (or even worse, +all)? An SPF record that doesn't end with -all can't be used for anything, so is genuinely pointless; the internet doesn't care which hosts you say can send email from you, it cares which hosts you say cannot. Some mail admins here on SF use the presence of an SPF record without a terminal -all as a positive indicator of a spammy domain.

MadHatter
  • Thanks for the info. Could you clarify what "It is only important that mail.example.com have an A record pointing to the IP address of the permitted sending host for each domain." means? Also, with my calnewport.com/aweber example, calnewport.com has no SPF records at all, so I'm not clear how the aweber emails do not get flagged as spam? – Steve Claridge Feb 17 '15 at 12:42
  • It means that when I look up the A record for `mail.example.com`, I should get an IP address back, and that IP address should be the one of the mail server sending for the domain in question, whose SPF record contains `a:mail.example.com`. Whose emails get classed as spam is a decision made separately by each recipient mail server, and involves many factors, only one of which is the presence of and adherence to an SPF record. If calnewport *did* have an SPF record, it would need to list aweber, but since they don't, it doesn't. – MadHatter Feb 17 '15 at 12:45
  • Google seems to disagree with you on the use of ~all versus -all. They recommend to use ~all ? – Steve Claridge Feb 18 '15 at 13:37
  • @SteveClaridge I know they do, and IMHO they are wrong to. Their rationale seems to be that email from your domain could be refused if you put `-all` and get it wrong. My response is **yes, that's the whole point of SPF**; get your authorised sender list right, then that won't happen. They're treating SPF as if people looked to it for a list of permitted senders whose reputation should be "*boosted*"; but **no sysadmin I know uses SPF that way**. We are only interested in refusing email from non-permitted senders, and `-all` is needed to allow that. – MadHatter Feb 18 '15 at 13:47
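The following is an added example, not code from the question, the answer or any of the commenters. It is a small SPF evaluator run over constructed DNS data (the domains, hostnames, IPs and records below are assumptions for illustration, not real zones) so you can see the points made above in action: each customer domain carries its own record, an `a:my-cms-uk.com` mechanism is satisfied only when that host's A record resolves to the connecting IP, an `include:` pulls in another domain's senders, and the difference between a record ending in `-all` (fail) and `~all` (softfail) is visible in the result. Real receivers do many more checks (macros, `ip6`, `ptr`, `redirect=`, DNS over the wire), so treat this as a reading aid for the mechanism, not a production validator.

```python
import ipaddress

# Constructed DNS data (an assumption for this example, not real zones):
# TXT records by domain, A records by hostname, MX targets by domain.
# The names mirror the question's one-host, three-domain setup.
DNS = {
    "txt": {
        "customer1.com":      "v=spf1 a:my-cms-uk.com -all",
        "customer2.info":     "v=spf1 a:my-cms-uk.com -all",
        "customer3.co.uk":    "v=spf1 mx ~all",            # softfail ending, as in the question
        "bigco.example":      "v=spf1 include:_spf.relay.example ip4:192.0.2.0/24 -all",
        "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
        "nospf.example":      None,                         # publishes no SPF record at all
    },
    "a": {
        "my-cms-uk.com": ["203.0.113.10"],                  # the single sending host
    },
    "mx": {
        "customer3.co.uk": ["my-cms-uk.com"],
    },
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_has_ip(host, ip):
    """True if the host's A records include the connecting IP (the 'a:' check)."""
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == want for a in DNS["a"].get(host, []))


def check_spf(ip, domain, _lookups=None):
    """Evaluate the SPF record published by `domain` for a connection from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]
    record = DNS["txt"].get(domain)
    if record is None:
        return "none"                      # no record: the receiver learns nothing
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual = "+"                         # unqualified mechanisms mean 'pass'
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        target = arg or domain             # bare 'a' / 'mx' refer to the domain itself
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            _lookups[0] += 1
            matched = host_has_ip(target, ip)
        elif name == "mx":
            _lookups[0] += 1
            matched = any(host_has_ip(mx, ip) for mx in DNS["mx"].get(target, []))
        elif name == "include":
            _lookups[0] += 1
            sub = check_spf(ip, arg, _lookups)
            if sub in ("none", "permerror"):
                return "permerror"         # RFC 7208 section 5.2: included record must exist
            matched = sub == "pass"        # include matches only on the sub-check passing
        else:
            return "permerror"             # ip6/ptr/exists/redirect are not implemented here
        if _lookups[0] > MAX_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIER[qual]
    return "neutral"                       # nothing matched and no 'all' term


def check_all_customers(ip):
    """Evaluate every customer domain for one sending IP: each record stands alone."""
    return {d: check_spf(ip, d) for d in ("customer1.com", "customer2.info", "customer3.co.uk")}


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7"):
        print(sender, check_all_customers(sender))
```

Running it shows the legitimate host passing for all three customer domains without any record mentioning the others, a foreign IP getting `fail` from the `-all` records but only `softfail` from the `~all` one, and a domain with no record returning `none`, which is the calnewport.com situation described in the comments.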