The +a part of SPF records
Solution 1:
To give a valid example of how to use the a
-mechanism with an FQDN other than the current SPF record, here is a few options:
a
mechanism with a domain name as argument (and how it expands):
v=spf1 a:server-1.example.com a:server-2.example.com -all
v=spf1 123.456.789.13 123.456.789.14 -all
a
mechanism with a CIDR prefix as argument (and how it expands):
v=spf1 a/24 -all
v=spf1 123.456.789.12/24 -all
You can either use a specific FQDN to lookup (server-1.example.com
) and then trust the registered IP address(es) for that host, or you can perform a lookup on the current FQDN - that is, the domain name for which we are currently performing the SPF check for. You can then add a prefix to specify an entire network segment around the resulting IP address(es).
Both of the above examples will work for you domain, given the details in your question, but I would recommend the first option.
One more thing:
a
is the same as +a
The +
qualifier is the default qualifier, no need for that.
Solution 2:
a
would only include the a record(s) of example.com, unless you explicitely specify a hostname eg.a:server-1.example.com
. if your servers all have ips in the same subnet you could for example specify a/24
which would include example.com's A record and all ips in the same /24
see http://www.openspf.org/SPF_Record_Syntax#a