How do I add individual mail-sending websites to my SPF record?

My company, which sends @example.co email from Google Workspace, HubSpot, and Salesforce, has the following SPF record in DNS:

v=spf1 include:_spf.google.com include:_spf.salesforce.com 
include:xxxxxxxx.xxxxx.hubspotemail.net ~all

We also have three websites which send emails from @example.co addresses (e.g. "Forgot Password"-type emails):

www.example.co (hosted by WP Engine / CNAME record in DNS)
subdomain.example.co (hosted at AWS, no SES / A record in DNS)
microsite.com (hosted at AWS, no SES / separate DNS)

As far as I know, there are no emails sent as @subdomain.example.co or @microsite.com.

How do I go about adding these websites to the SPF statement? What is the syntax? Would it be website URL/IPs?

And do I need to add anything to my DMARC record or add DKIM for the above?

Any help would be really appreciated!


Solution 1:

Websites don't "send" email in that sense. Servers do. As far as mail servers (and SPF validators) care, the email messages have no relationship with websites and URLs that might have produced them.

The only addresses that matter to SPF are the machines that speak SMTP – the outbound SMTP servers that are contacting the recipient's inbound MX servers. Sometimes that's indeed the same address as the webserver; but more often, it is not.

  • So if you have a server which sends mail directly (has Postfix/Exim installed), then you'll want to allow all of that server's external IP addresses.

    An easy way would be to find an "SPF generator" tool, but in short, to allow specific IP addresses you need to use the ip4: and ip6: keywords in your SPF records. Those can specify IPv4 and IPv6 addresses (or whole ranges using CIDR syntax):

    v=spf1 ip4:192.0.2.6 ip6:2001:db8:1234:5678::/64 -all


    Integrated with your existing SPF record, it would look like:

    v=spf1 include:_spf.google.com include:_spf.salesforce.com
        include:xxxxxxxx.xxxxx.hubspotemail.net
        ip4:192.0.2.6 ip6:2001:db8:1234:5678::/64
        -all
    

    (It might be better to continue the practice of using include:.)

    Note: allow all of the server's public IP addresses, even those that aren't in the website's DNS. For example, if the website's domain only has IPv4 but the server is actually IPv6-capable, then it will send mail via IPv6 and you do need to include that in your SPF.

  • If your website uses the web host's provided SMTP servers, then you must include those in the SPF records – the actual webserver doesn't matter. Your webhost will tell you what IPs or what include they want you to add. (It's better not to make guesses, as the webhost might eventually move their systems around.)

  • And if you have a server which sends mail through something like Amazon SES or another third-party service, then it's that service that you need to include in SPF, and their documentation will tell you what ip4 or include tags to incorporate into your record.