Adding an SPF record for a 3rd party, but don't have one for my own domain

email spf

If you have no SPF record then receivers will generally fail safe and accept your email (although that's starting to change). As soon as you provide an SPF record you must include all legitimate mail senders, because otherwise the ones not listed could be treated as possible forgery sources.

Strictly speaking, you can include ~all or ?all and avoid listing all your mail senders, but if you do that you won't get any benefit from the SPF record other than for testing that it's otherwise accurate.

Ideally your third parties will already have a generic SPF record and you can just add the include:spf.thirdparty.dom element to your record. If they don't you might well want to create your own record for them and chain it youself anyway, so that it's easy for you manage administratively.

For example, if you are contoso.com:

thirdparty1.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
thirdparty2.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
spf.contoso.com txt 'v=spf1 ... -all'             # list your mail senders
contoso.com txt 'v=spf1 include:spf.contoso.com include:thirdpart1.spf.contoso.com include:thirdparty2.spf.contoso.com -all'

Some useful resources:

  • DMARC is subsuming SPF and DKIM, and is well worth considering. It's actively being used by Google, Yahoo, and others for validating inbound email, https://dmarc.org/overview/
  • A list of best practices when setting up an SPF record, http://www.openspf.org/Best_Practices
  • Despite the name, a useful recipe for setting up an SPF record, http://www.openspf.org/FAQ/Common_mistakes

You can put your 3rd party service in a SPF record with a neutral rule for other servers :

?all

And include at least your own mail servers with :

+mx

It's a good thing to have a SPF record on your domain. Begin to add white list and neutral for others, and when you will have an up to date SPF record with all your servers you can change the default to fail (-all) or softfail (~all).

There is a good documentation here and a lot of other useful informations on openspf.org

Related

Windows: How to start docker VM att system boot
Setting up Open VPN client on Amazon EC2
How to add virtual storage as SSD in KVM
How can I use a static IP address with an Application Load Balancer in a highly available manner?
Used PowerShell to change my RHEL root passwords via PuTTY, but I don't know what I changed my password to
kube-proxy won't start in Minikube because of permission denied issue with /proc/sys/net/netfilter/nf_conntrack_max
Which file system to use for portable hard drive shared among different operating systems?
What is the maximum memory that an IIS6 web site/app pool can use?
How to save settings when reinstalling Ubuntu 9.04?
Different ways of displaying documents between Adobe Reader and Preview
Force DNS server ip while connected to VPN
Dynamically change opening app according to file folder