We are looking to expand SPF records to several of our subdomains and
clients' domains. We have 2 IP addresses which send outbound mail, which
would be the same for most of our clients and subdomains. Rather than
list these IPs in the SPF records for each client/subdomain, I think
using include: may be more appropriate in case we need to change the IP
in the future.
Then I got wondering, should I really have all these other domains
include our top domain? What if we want to allow a few more IP addresses
to send mail as @uwo.ca? I don't want to authorize that IP to send mail
as every other domain that's including us.
This is our current SPF record:
uwo.ca "v=spf1 ip4:129.100.74.146 ip4:129.100.74.147 ~all"
I'm thinking of laying things out in the following way:
_spf.uwo.ca "v=spf1 ip4:129.100.74.146 ip4:129.100.74.147 ~all"
uwo.ca "v=spf1 include:_spf.uwo.ca ~all"
its.uwo.ca "v=spf1 include:_spf.uwo.ca ~all"
This way its.uwo.ca (and others) wouldn't need to update their records
if we had to change our outbound mail servers and we could add
additional entries to uwo.ca without affecting all the other domains.
My only concern is the extra lookups caused by include. Is this a big
deal? Would others recommend the setup I described?
The description of how include works is also a bit unclear. If
_spf.uwo.ca was to end with a "-all", would an SPF check on its.uwo.ca
result in a FAIL or SOFTFAIL? I haven't tested this myself.
Thanks in advance,
Andrew
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
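The include question above can be checked with a small evaluator. This is an added example, not part of the original post: it implements only the ip4, include and all mechanisms as RFC 7208 defines them, over a constructed in-memory zone, and the names check_host, ZONE and PermError are hypothetical.

```python
import ipaddress

# Constructed zone: the layout proposed in the post, except that
# _spf.uwo.ca ends in "-all" (the case the post asks about).
ZONE = {
    "_spf.uwo.ca": "v=spf1 ip4:129.100.74.146 ip4:129.100.74.147 -all",
    "uwo.ca": "v=spf1 include:_spf.uwo.ca ~all",
    "its.uwo.ca": "v=spf1 include:_spf.uwo.ca ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


class PermError(Exception):
    """Raised where RFC 7208 specifies a permerror result."""


def check_host(ip, domain, zone=ZONE, counter=None):
    """Return (result, lookups) for the ip4/include/all subset of SPF."""
    counter = counter if counter is not None else [0]
    record = zone.get(domain)
    if record is None:
        return "none", counter[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            counter[0] += 1  # each include costs one DNS lookup
            if counter[0] > MAX_LOOKUPS:
                raise PermError("too many DNS lookups")
            inner, _ = check_host(ip, arg, zone, counter)
            if inner == "none":
                raise PermError("include target has no SPF record")
            # Only an inner "pass" matches; fail/softfail/neutral fall through.
            matched = inner == "pass"
        else:
            raise PermError("unsupported term: " + term)
        if matched:
            return QUALIFIERS[qualifier], counter[0]
    return "neutral", counter[0]  # no mechanism matched
```

The included record's "-all" only makes the include mechanism not match; evaluation then continues with the including record's own remaining terms, at a cost of one lookup per include against the limit of 10.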