SPF record for relay server
The best practice is for an organization to add to SPF all email hosts authorized to send email on behalf of their domain.
Usually that includes your local servers and the hosts you trust to do relay work on your behalf. Failing to include those relays will impact mail delivery that happens through those hosts.
Deciding if those relays are trustworthy or not, and if the delivery risks are acceptable, is up to you of course.
As an example, Google Apps customers are recommended to use include:_spf.google.com in their SPF records to authorize Gmail servers on their behalf.
dkaeae
Updated on September 18, 2022
Comments
-
dkaeae almost 2 years
Obviously my own mail servers should be marked as "allow" in an SPF record, but I'm not so sure about mail relays (e.g. my ISP). Since other people (not related at all with my server) also send email through the same relay, it seems to me the most appropriate choice would be listing the relays as "neutral" like:
v=spf1 ip4:myserverip ?include:_spf.myisp.com -all
Is this common practice? Or is there some better option?
-
Aaron over 8 years
If you send emails from both locations as your domain, then yes you would need SPF for both. And that does mean others on your ISP could email as you. You must determine if that risk is acceptable to your org/business. It is not uncommon for businesses to add shared campaign providers in their SPF. ISP is a different set of folks you have to decide if you want to trust.
-
dkaeae over 8 years
And neutral is the best choice here? Or is allow also OK? If I use neutral, then DKIM seems to be a must, because any mail not delivered locally gets forwarded to the relay.
-