
We have a 3rd party service sending some email on our behalf. They are using our domain name in their outgoing emails. They have requested we configure an SPF record for them.

We do not currently have an SPF record defined for our own domain, which is the same one the 3rd party is "spoofing".

My concern is that if we add a record for a 3rd party without defining our own as well that mail originating from our servers could be rejected.

Is my concern valid?

k1DBLITZ
  • How hard will it be for you to create one? – Michael Hampton Nov 05 '15 at 21:53
  • Not difficult. The potential problem, as I see it, is that there are multiple 3rd party services we are using that are currently spoofing our domain, and if I don't add SPF records for them all, then by adding only 1 I could invalidate the others when the random receiving mail servers look up the SPF record for our domain and see the names/IPs don't match. – k1DBLITZ Nov 05 '15 at 21:56

2 Answers


If you have no SPF record then receivers will generally fail safe and accept your email (although that's starting to change). As soon as you provide an SPF record you must include all legitimate mail senders, because otherwise the ones not listed could be treated as possible forgery sources.

Strictly speaking, you can include ~all or ?all and avoid listing all your mail senders, but if you do that you won't get any benefit from the SPF record other than for testing that it's otherwise accurate.

Ideally your third parties will already have a generic SPF record and you can just add the include:spf.thirdparty.dom element to your record. If they don't, you might well want to create your own record for them and chain it yourself anyway, so that it's easy for you to manage administratively.

For example, if you are contoso.com:

thirdparty1.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
thirdparty2.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
spf.contoso.com txt 'v=spf1 ... -all'             # list your mail senders
contoso.com txt 'v=spf1 include:spf.contoso.com include:thirdparty1.spf.contoso.com include:thirdparty2.spf.contoso.com -all'

Some useful resources:

roaima

You can put your 3rd party service in a SPF record with a neutral rule for other servers:

?all

And include at least your own mail servers with:

+mx

It's a good thing to have a SPF record on your domain. Begin by adding a whitelist and neutral for others, and when you have an up-to-date SPF record with all your servers you can change the default to fail (-all) or softfail (~all).

There is good documentation here and a lot of other useful information on openspf.org

mick
  • Part of the problem I am facing is I do not have an up-to-date list of all the other companies sending email on our behalf. Are you saying if I use your approach I can add them to the SPF records as they are discovered without impacting our production mail flow? Can you provide a specific example syntax with fictitious domains? I've been reviewing the information you linked and it's very helpful, but I cannot afford to get this wrong. – k1DBLITZ Nov 06 '15 at 01:39
  • You can do it step by step: first add your 3rd party service, your mx, and neutral for all others: "a:your3rdparty mx ?all". Then update your SPF with other servers. When you think you have them all, change the default policy to softfail or fail – mick Nov 06 '15 at 07:54
  • Seriously, SPF without `-all` is not only completely pointless, but some admins use it as an active sign of spammers. Don't do it. – MadHatter Nov 06 '15 at 08:22
  • ?all is better than -all if you don't know what you're doing; DMARC policies still apply to ?all the same as -all, and a lot of big ESPs don't care about -all anymore because of the first statement – Jacob Evans Nov 06 '15 at 13:15
  • *Seriously, SPF without -all is not only completely pointless, but some admins use it as an active sign of spammers. Don't do it* - then they should correct their broken systems which aren't following the SPF specification; "*If domain owners choose to publish SPF records, it is RECOMMENDED that they end in "-all"*" - https://www.ietf.org/rfc/rfc4408.txt - It's not mandatory. SoftFail is a distinct state. – TessellatingHeckler Nov 10 '15 at 01:01
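As an added illustration (not code from either answer or from the linked resources), the following Python evaluator walks an SPF record the way a receiver would, over constructed DNS data that mirrors roaima's chained contoso.com layout and mick's interim "a: mx ?all" record. Every domain name and address in it is hypothetical; it shows which result each sending IP gets under -all versus ?all, why "mx" inside an included record must name the right domain, and how the RFC 4408 lookup limit turns a bad chain into a permerror.

```python
import ipaddress

# Constructed DNS answers standing in for real TXT/MX/A lookups (hypothetical names;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real senders).
TXT = {
    "contoso.com": "v=spf1 include:spf.contoso.com include:thirdparty1.spf.contoso.com -all",
    # a bare "mx" inside an included record applies to *that* name, so name contoso.com
    "spf.contoso.com": "v=spf1 mx:contoso.com -all",
    "thirdparty1.spf.contoso.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "loose.example": "v=spf1 a:relay.vendor.example mx ?all",  # interim record from the comments
    "loop.example": "v=spf1 include:loop.example -all",          # chain that exceeds the lookup limit
}
MX = {"contoso.com": ["mail.contoso.com"], "loose.example": ["mx.loose.example"]}
A = {"mail.contoso.com": "203.0.113.25", "mx.loose.example": "203.0.113.80",
     "relay.vendor.example": "198.51.100.200"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 4408 s10.1: at most 10 lookup-causing mechanisms per evaluation


def check_host(ip, domain, lookups=None):
    """Return the SPF result for a message from `ip` claiming to be from `domain`."""
    ip = ipaddress.ip_address(ip)
    lookups = lookups if lookups is not None else [0]  # counter shared across includes
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1 "):
        return "none"  # no record at all: receivers generally still accept
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = A.get(target) == str(ip)
            elif name == "mx":
                matched = any(A.get(h) == str(ip) for h in MX.get(target, []))
            else:  # include: only a "pass" of the target counts; errors propagate
                sub = check_host(str(ip), target, lookups)
                if sub == "permerror":
                    return "permerror"
                matched = sub == "pass"
        if matched:
            return RESULT[qualifier]
    return "neutral"  # record ended without any mechanism matching
```

Running check_host with an unlisted address against contoso.com returns "fail" because of the trailing -all, while the same address against loose.example returns "neutral", which is the difference the comments above argue about.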