===== Question "SPF record settings", by Cliff H. =====

Which IP addresses or name servers are required to set a correct SPF record? mail.gandi.net is not the real server seen by the SMTP servers on the internet which has to be authorised in the SPF record.

===== Answer, by Gandi =====

Our mail relays are all within the same 21-bit prefix length, but spread across a number of different LANs for resilience purposes.

Here is an SPF record that should work for your domain if you use the gandi mail servers:

  IN SPF "v=spf1 ip4:217.70.176.0/21 ?all"
  IN TXT "v=spf1 ip4:217.70.176.0/21 ?all"

or

  IN SPF "v=spf1 include:_mailcust.gandi.net ?all"
  IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
  ; included TXT version for backwards compatibility with
  ; old SPF lookup mechanisms.

===== Follow-up, by Olivier B. =====

I just made the change as described in this post, but in mails received on Gmail I can see this spf=softfail error:

  Return-Path:
  Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194])
          by mx.google.com with ESMTP id n2si5231997wba.74.2010.08.13.19.48.21;
          Fri, 13 Aug 2010 19:48:22 -0700 (PDT)
  Received-SPF: softfail (google.com: domain of transitioning xxx@drupeda.net does not designate 217.70.183.194 as permitted sender) client-ip=217.70.183.194;
  Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning xxx@drupeda.net does not designate 217.70.183.194 as permitted sender) smtp.mail=xxx@drupeda.net
  X-Originating-IP: 217.70.178.37
  Received: from mfilter3-v.gandi.net (mfilter3-v.gandi.net [217.70.178.37])
          by relay2-d.mail.gandi.net (Postfix) with ESMTP id 84C89225145
          for ; Sat, 14 Aug 2010 04:48:21 +0200 (CEST)
  X-Virus-Scanned: Debian amavisd-new at mfilter3-v.gandi.net

It seems that the command given is incomplete and produces errors.

Olivier Brisson
domain: drupeda.net

===== Follow-up, by Leland V. (Gandi) =====

Your current SPF record does not match the suggested one that we provided.

Yours is currently set to this:

  "v=spf1 a:217.70.178.64/27 ~all"

The server that was used for sending the mail was 217.70.183.194, which is not within the permitted mask of your SPF record. We have several mail servers for outgoing mail which are spread across several different subnets, and they should all be permitted by your SPF record.

Please try the example already given above with the "include:", or set the a: directive to 217.70.176.0/21, which will match all of the possible outbound MTAs.

Hope this helps.

===== Follow-up, by Ludovic D. =====

A shame that Gandi's own DNS config tool does not allow defining an SPF field, even in Expert mode. I guess I'll live with the TXT only.

===== Follow-up, by Lyn H. =====

Why isn't it possible to add an SPF instead of a TXT line? How is it possible to test this against a particular destination server?

===== Follow-up, by Blanc F. =====

When will Gandi's DNS config tools allow us to also define DNS RRs of type SPF? The gandi.net domain already contains resource records of type SPF, so why deny your own clients that kind of record?

  # dig gandi.net SPF +short
  "v=spf1 ip4:217.70.176.0/21 ip6:2001:4b98:c::/48 ptr ?all"