How do I set up an SPF record when using multiple email sending services?
Summary
What email marketers say
10 Marketer opinions
Email marketer from Email Geeks shares that the SPF record lists what sources are permitted to set the domain in the 5321.From (a.k.a. return-path, envelope From, MAIL FROM, bounce) address. Include your domain only if the IP address that the domain resolves to sends email that sets the 5321.From.
Email marketer from StackOverflow shares that your SPF record should include all authorized sending sources. This is achieved using the `include:` mechanism for each service. For example: `v=spf1 include:sendgrid.net include:_spf.google.com ~all`. Test your SPF record using online tools to ensure it's valid.
Email marketer from MXToolbox Forum shares that if you are getting close to the 10 lookup limit, you can flatten your SPF record using tools that resolve the includes to IP addresses. However, remember to keep these IP addresses updated regularly.
Email marketer from Sendgrid shares some common SPF record mistakes to avoid. Firstly, do not use multiple SPF records. Also, ensure that you do not exceed the DNS lookup limit. And keep the SPF record up to date. A well-maintained SPF record is crucial for ensuring email deliverability when using multiple email sending services.
Email marketer from Quora shares that it is important to regularly check your SPF record using online tools to ensure it's valid and correctly configured. This helps prevent deliverability issues and keeps your email secure.
Email marketer from SuperUser explains that avoiding long SPF records is crucial. If you have many includes, consider if some services can be consolidated or if you can use IP addresses directly (though this is less maintainable).
Email marketer from GlockApps explains that after setting up or modifying your SPF record, it's important to test it using tools like GlockApps' SPF record tester. This helps ensure that your record is valid and that email from all your sending services is properly authenticated.
Email marketer from Mailgun explains that SPF records should be carefully constructed to avoid exceeding the 10 DNS lookup limit. When using multiple services, use the `include:` mechanism wisely, and consider using a dedicated sending domain for each service to simplify SPF management. They also recommend testing your SPF record using SPF record checker tools.
Email marketer from EasyDMARC explains you need to identify all the email sending services (ESPs) you use and include their respective SPF includes in your SPF record. For example, if you use both SendGrid and Mailchimp, your SPF record should include both their SPF records: `v=spf1 include:sendgrid.net include:servers.mcsv.net ~all`. Ensure the record does not exceed the 10 DNS lookup limit.
Email marketer from Reddit explains that you should include all services using the 'include:' tag, for example: `v=spf1 include:service1.com include:service2.net ~all`. If you have your own mail server, include its IP using 'ip4:' or 'ip6:'.
What the experts say
5 Expert opinions
Expert from Spamresource.com explains the critical steps for configuring SPF records when using multiple email senders. First, identify all authorized sending sources. Second, use the `include:` mechanism to incorporate the SPF policies of third-party senders. And third, limit the number of DNS lookups. Avoid exceeding the 10 DNS lookup limit to prevent SPF failures. Regularly review and update the SPF record to reflect changes in your sending infrastructure.
Expert from Email Geeks explains that SPF records apply to the address in your envelope from address, NOT the address that shows up in the mail client.
Expert from Email Geeks explains that you should identify what the envelope from domain is for each service and publish the correct records. If you’re sending from G Suite, then you absolutely do need to include the Google record. You don’t need to include Amazon SES unless you have set up a custom bounce domain in your Amazon SES instance, in which case you should publish the SPF include for that custom bounce domain. Likewise, with Help Scout, if you’ve set up a custom bounce domain for Help Scout, you should publish the SPF record for that domain.
Expert from Wordtothewise.com explains that you should start by documenting all the services that send emails on behalf of your domain. Once you have that documentation, you should create an SPF record that contains ALL of the sending sources; the 'a', 'mx', and 'ptr' mechanisms are not recommended. After you have created your record, test it, and then monitor the authentication reports to validate.
Expert from Email Geeks recommends sending yourself emails from all 3 systems and using the “show original” or “show full headers” option. If you’re using Google, Google will show you something that looks like: You’ll also want to look in the header piece to see a line starting with “Return-Path:”. It is the domain in the “Return-Path:” line that is the domain you need to publish SPF for.
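The header check described above can be scripted once you have saved one test message per sending system. The following is an added example, not code from any of the quoted experts; the service names, addresses and the `example.com` domain are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed "show original" headers, one test message per sending system.
SAMPLES = {
    "workspace": "Return-Path: <alice@example.com>\n"
                 "From: Alice <alice@example.com>\nSubject: test 1\n\nbody\n",
    "bulk-esp":  "Return-Path: <bounce-8841@bounces.esp-a.example>\n"
                 "From: News <news@example.com>\nSubject: test 2\n\nbody\n",
    "helpdesk":  "Return-Path: <b.123@bounce.example.com>\n"
                 "From: Support <support@example.com>\nSubject: test 3\n\nbody\n",
}

def domain_of(header_value):
    """Domain part of the address in a header value ('' if absent or null)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spf_domains(samples):
    """Map each service to (Return-Path domain, visible From domain)."""
    out = {}
    for service, raw in samples.items():
        msg = message_from_string(raw)
        out[service] = (domain_of(msg["Return-Path"]), domain_of(msg["From"]))
    return out

def records_you_publish(samples, my_domain="example.com"):
    """Return-Path domains under my_domain: the SPF records that are yours to publish."""
    found = {rp for rp, _ in spf_domains(samples).values()}
    return sorted(d for d in found
                  if d == my_domain or d.endswith("." + my_domain))

if __name__ == "__main__":
    for service, (rp, frm) in spf_domains(SAMPLES).items():
        print(f"{service:10} SPF is checked against {rp!r}; From shows {frm!r}")
    print("publish SPF for:", records_you_publish(SAMPLES))
```

In the constructed data, the bulk ESP uses its own bounce domain, so its SPF record is the ESP's responsibility, while the helpdesk's custom bounce domain needs a record of its own.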
What the documentation says
4 Technical articles
Documentation from Amazon Web Services shares that if you're using Amazon SES, you should include Amazon's SES servers in your SPF record. Depending on the region, you may need to include specific regional endpoints. If you're using a custom MAIL FROM domain, ensure the SPF record is published for that domain. Otherwise, the standard Amazon SES include should suffice: `include:amazonses.com`.
Documentation from Microsoft says if you're sending email through Office 365, you need to include Office 365's SPF record. The recommended SPF record is `v=spf1 include:spf.protection.outlook.com -all`. Also ensure that this record is set up as a TXT record in your domain's DNS settings.
Documentation from Google Workspace Admin Help explains that to create an SPF record for Google Workspace, you need to include Google's servers in your SPF record. The recommended SPF record is `v=spf1 include:_spf.google.com ~all`. This record should be added as a TXT record in your domain's DNS settings.
Documentation from RFC Editor explains that SPF records use a specific syntax where 'include:' is a mechanism to designate other domains' authorization policies. The 'all' mechanism specifies how to handle addresses that do not match any of the preceding mechanisms, with '-all' indicating a hard fail and '~all' indicating a soft fail.
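The 10 DNS lookup limit mentioned throughout this page applies to the whole tree of nested includes, not just the terms visible in your own record. The following added example (not from any of the quoted sources) counts worst-case lookups over a constructed, offline zone; all domain names and IP ranges are placeholders.

```python
import re

# Constructed TXT data standing in for live DNS; every name is a placeholder.
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.esp-a.example "
                    "include:_spf.esp-b.example include:_spf.desk.example ~all"],
    "_spf.esp-a.example": ["v=spf1 include:_n1.esp-a.example "
                           "include:_n2.esp-a.example include:_n3.esp-a.example ~all"],
    "_n1.esp-a.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "_n2.esp-a.example": ["v=spf1 ip4:198.51.100.128/25 ~all"],
    "_n3.esp-a.example": ["v=spf1 ip6:2001:db8:a::/48 ~all"],
    "_spf.esp-b.example": ["v=spf1 a:out.esp-b.example "
                           "exists:%{i}.ok.esp-b.example include:_n1.esp-b.example ~all"],
    "_n1.esp-b.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_spf.desk.example": ["v=spf1 include:_spf.esp-a.example ~all"],
    "flat.example": ["v=spf1 mx include:_spf.esp-a.example "
                     "include:_spf.esp-b.example ip4:198.51.100.0/24 ip6:2001:db8:a::/48 ~all"],
    "two.example": ["v=spf1 include:_n1.esp-a.example ~all", "v=spf1 ip4:192.0.2.1 -all"],
}
# Terms that trigger a DNS query during evaluation; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain, plus problems."""
    if domain in path:
        return 0, [f"include loop via {domain}"]
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: {len(records)} SPF records, need exactly 1"]
    total, problems = 0, []
    for term in records[0].split()[1:]:
        parts = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        name = parts[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and len(parts) == 2:
            n, p = count_lookups(parts[1], zone, path + (domain,))
            total, problems = total + n, problems + p
    return total, problems

def check(domain, zone=ZONE):
    n, problems = count_lookups(domain, zone)
    if n > LIMIT:
        problems.append(f"{n} lookups exceeds limit of {LIMIT} (permerror)")
    return n, problems
```

Here `example.com` lists only four lookup terms yet reaches 14 through nested includes, while `flat.example`, with the helpdesk include replaced by IP ranges, stays at 9.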