SPF Records for Google Apps Mail
-
We use Google Apps for email and I'm looking to put some SPF records in place for our email service to ensure we are not blacklisted by spoofing of our mail domain. From what I've researched is it really as simple as entering the following text record in my DNS provider's record entries for our domain?
v=spf1 include:_spf.google.com ~all
-
@RamblingBiped
Yes, but you may want to use - instead of ~
A ~ is a softfail; it will still allow messages through, it just shows up as an SPF failure in the email headers.
A - is a hard fail; it shuts those spoofers down.
If you do a hard fail, which I recommend, make sure you include any IP/host that legitimately send mail for your domain.
-
So if I do the soft fail then it will just notify receivers whether or not the message is legitimate, but if I do a hard fail it will block any messages that are not legitimate?
-
Yes, if the spoofing host is sending email from an address that isn't included in spf.google.com and you have hard fail on, that message should be dropped by the receiving email server when it does its SPF check. Softfail leaves it up to the discretion of the receiving server, but usually it will just tag the message with Softfail and deliver it.
-
Our Google record: v=spf1 a mx include:_spf.google.com ~all
Soft fail aids troubleshooting when legitimate mail isn't being delivered. We're monitoring for the soft fail tag so we'll know right away if we're getting hit.
-
@TAHIN So I should be able to get away with the same entry as what you have then? What does the addition of "a mx" add?
-
@RamblingBiped said in SPF Records for Google Apps Mail:
So if I do the soft fail then it will just notify receivers whether or not the message is legitimate, but if I do a hard fail it will block any messages that are not legitimate?
This assumes the receiving email server respects the SPF record.
-
@RamblingBiped said in SPF Records for Google Apps Mail:
@TAHIN So I should be able to get away with the same entry as what you have then? What does the addition of "a mx" add?
The MX record is the original record for sending SMTP mail. SPF was added much later, and isn't supported by all systems.
-
Sorry, was on vacation.
@RamblingBiped said in SPF Records for Google Apps Mail:
@TAHIN So I should be able to get away with the same entry as what you have then? What does the addition of "a mx" add?
Adding the 'a mx' parameters indicates that only servers that match a public A record or public MX record of your domain are allowed to send. Generally, just saying MX is enough - you're telling the recipient to fail the mail unless the sending IP matches the IP address of one of your domain's MX records, effectively eliminating spoofing. We added 'A' to give us the flexibility to source email from an application or DMZ server. The include: parameter overrides these defaults, allowing Google to proxy.
80% of the reason we (and most companies) implement SPF is to protect our own organization from incoming spearphishing via domain spoofing. The fact that it isn't 100% adopted by all organizations shouldn't be a deterrent to using it.
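As an added illustration (not from any poster in this thread), here is a simplified evaluator showing how a receiving server turns the records discussed above into pass/softfail/fail for a given sending IP. All DNS answers come from a constructed inline table; the _spf.google.com entry is an assumed stand-in, not Google's real record, and only the a, mx, ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (example assumption).
# example.com's MX is mail.example.com; its web/app host is 203.0.113.10.
FAKE_DNS = {
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    # Stand-in for Google's record: one netblock, not the real _spf.google.com.
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline DNS lookup against the constructed table."""
    return FAKE_DNS.get((name, rtype), [])


def check_spf(domain, sender_ip, depth=0):
    """Look up domain's SPF TXT record and evaluate it for sender_ip."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    return evaluate(records[0], domain, sender_ip, depth)


def evaluate(record, domain, sender_ip, depth=0):
    """Walk the mechanisms left to right; the first match decides the result."""
    if depth > 10:  # RFC 7208 limits include: recursion; treat overflow as permerror
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # sender is an A record of the domain (or of arg)
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":  # sender is an A record of one of the domain's MX hosts
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":  # only a "pass" inside the included record counts as a match
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            matched = False  # unsupported mechanism in this simplified evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```

With the thread's two records the difference is visible directly: a non-Google IP gets "softfail" under ~all and "fail" under -all, and adding "a mx" lets the MX host or the domain's A-record host pass on its own.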