How do I add individual mail-sending websites to my SPF record?
My company, which sends @example.co email from Google Workspace, HubSpot, and Salesforce, has the following SPF record in DNS:
v=spf1 include:_spf.google.com include:_spf.salesforce.com
include:xxxxxxxx.xxxxx.hubspotemail.net ~all
We also have three websites which send emails from @example.co addresses (e.g. Forget Password-type emails):
www.example.co (hosted by WP Engine / CNAME record in DNS)
subdomain.example.co (hosted at AWS, no SES / A record in DNS)
microsite.com (hosted at AWS, no SES / separate DNS)
As far as I know, there are no emails sent as @subdomain.example.co or @microsite.com.
How do I go about adding these websites to the SPF statement? What is the syntax? Would it be website URL/IPs?
And do I need to add anything to my DMARC record or add DKIM for the above?
Any help would be really appreciated!
Solution 1:
Websites don't "send" email in that sense. Servers do. As far as mail servers (and SPF validators) care, the email messages have no relationship with websites and URLs that might have produced them.
The only addresses that matter to SPF are the machines that speak SMTP – the outbound SMTP servers that are contacting the recipient's inbound MX servers. Sometimes that's indeed the same address as the webserver; but more often, it is not.
-
So if you have a server which sends mail directly (has Postfix/Exim installed), then you'll want to allow all of that server's external IP addresses.
An easy way would be to find an "SPF generator" tool, but in short, to allow specific IP addresses you need to use the
ip4:
andip6:
keywords in your SPF records. Those can specify IPv4 and IPv6 addresses (or whole ranges using CIDR syntax):v=spf1 ip4:192.0.2.6 ip6:2001:db8:1234:asdf::/64 -all
Integrated with your existing SPF record, it would look like:
v=spf1 include:_spf.google.com include:_spf.salesforce.com include:xxxxxxxx.xxxxx.hubspotemail.net ip4:192.0.2.6 ip6:2001:db8:1234:asdf::/64 -all
(It might be better to continue the practice of using
include:
.)Note: All of the server's public IP addresses, even those that aren't in the website's DNS. For example, if the website's domain only has IPv4 but the server is actually IPv6-capable, then it will send mail via IPv6 and you do need to include that in your SPF.
-
If your website uses the web host provided SMTP servers, then you must include those in the SPF records – the actual webserver doesn't matter. Your webhost will tell you what IPs or what
include
they want you to add. (It's better to not make guesses, as the webhost might eventually move their systems around.) -
And if you have a server which sends mail through something like Amazon SES or another third-party service, then it's that service that you need to include in SPF, and their documentation will tell you what
ip4
orinclude
tags to incorporate into your record.