Adding an SPF record for a 3rd party, but don't have one for my own domain

If you have no SPF record then receivers will generally fail safe and accept your email (although that's starting to change). As soon as you provide an SPF record you must include all legitimate mail senders, because otherwise the ones not listed could be treated as possible forgery sources.

Strictly speaking, you can include ~all or ?all and avoid listing all your mail senders, but if you do that you won't get any benefit from the SPF record other than for testing that it's otherwise accurate.

Ideally your third parties will already have a generic SPF record and you can just add the include:spf.thirdparty.dom element to your record. If they don't you might well want to create your own record for them and chain it youself anyway, so that it's easy for you manage administratively.

For example, if you are contoso.com:

thirdparty1.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
thirdparty2.spf.contoso.com txt 'v=spf1 ... -all' # list their mail senders for you
spf.contoso.com txt 'v=spf1 ... -all'             # list your mail senders
contoso.com txt 'v=spf1 include:spf.contoso.com include:thirdpart1.spf.contoso.com include:thirdparty2.spf.contoso.com -all'

Some useful resources:

  • DMARC is subsuming SPF and DKIM, and is well worth considering. It's actively being used by Google, Yahoo, and others for validating inbound email, https://dmarc.org/overview/
  • A list of best practices when setting up an SPF record, http://www.openspf.org/Best_Practices
  • Despite the name, a useful recipe for setting up an SPF record, http://www.openspf.org/FAQ/Common_mistakes

You can put your 3rd party service in a SPF record with a neutral rule for other servers :

?all

And include at least your own mail servers with :

+mx

It's a good thing to have a SPF record on your domain. Begin to add white list and neutral for others, and when you will have an up to date SPF record with all your servers you can change the default to fail (-all) or softfail (~all).

There is a good documentation here and a lot of other useful informations on openspf.org