Proper SPF record
Our company emails are usually treated as spam. When we checked our score on Spamassassin, our score was pretty bad, 3.3 and the main reason was our SPF record.
We would like to update our SPF record so that we resolve this issue. However, we are not very familiar with SPF records, so we would like to get your help:
Our outside third party mail server uses three SMTP servers (let's call them 1.1.1.1, 2.2.2.2 and 3.3.3.3). Our mx is forwarded to 4.4.4.4. Currently, our mx record is the following:
v=spf1 +a +mx +ip4:1.1.1.1 +ip4:2.2.2.2 +ip4:3.3.3.3 ~all
When we tested our email, we have received the following info from mail-tester.com:
softfail domain.com.tr: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)
domain.com.tr: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)
Received-SPF: softfail (domain.com.tr: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=ns303428.ip-94-23-206.eu; identity=mailfrom; envelope-from="[email protected]"; helo=smtp.54.36.145.12.eu01.server.plus; client-ip=54.36.145.12
Any help would be appreciated!
Solution 1:
Your SPF record for the sending domain should read something like "v=spf1 a mx include:_spf.example.com ~all". Replace "_spf.example.com" with the domain for your vendor's SPF record. If they don't have one, switch vendors. Specify IP addresses if you need them as "ipv4:192.0.2.4" or "ipv4:192.0.2.64/28".
I would recommend SPF records for all your domains. Use "v=spf1 a -all" for your mail server domains and "v=spf1 -all" for all other domains not used in email addresses. The mail server domain should not be appearing in email addressses so it won't have an MX record. But the mail server will be sending mail so it needs the A record to allow host validationn to succeed. (Host valiation is a secondary use of SPF records and is used to verify that the mail server is allowed to send email rather than verifying the email address.)
Consider using a separate domain for email addresses in mail sent by your 3rd party mailer. It should have the appropriate SPF record which might not include your mail server. You can then shorten your SPF record for your domain to "v=spf1 a ~all".
I do recommend that you get to the point where you can use "-all" on the domain you use for corporate communications as soon as possible.
You should also look at implementing DKIM and DMARC as well. Once you have DMARC running you can get automated feedback on your reputation from several large email sites.