Each alias domain needs its own SPF record. You can import another domain's SPF, but you cannot “export”. If a mail server receives mail from [email protected], the mail server will look at the SPF record for tm1explorers.com.
If the only places sending email for each domain are either ActiveCampaign or Google, then the following will work:
You would need the exact same record on each of the three domains.
The a is not needed, as all three domains are . The mx is not needed, as all three domains have Google configured for incoming email, and the above record explicitly includes the Google SPF. The ptr will do nothing in most cases as people don’t usually have control of the reverse DNS, and it is not really honoured anyway. The a: doesn’t do what you think it does, and with hostnames will never be matched.
You should look at enabling DMARC and DKIM for the three domains also.
So I have enabled DMARC and DKIM for all three domains. I had p=quarantine in the DMARC for all three and was then getting DMARC bounces from a heap of sites. I chatted with G Suite tech support and they told me to enter the a:tm1explorers.com and a:exploringtm1.com into the Infocube SPF record to overcome it and then wait up to 48 hours for the problems to go away.
At the same time I changed to p=none, but want to flip it back to enable BIMI.
Was what she advised the correct thing to do? I have doubts now!
As those are Cloudflare proxy addresses, they will never send email on behalf of your domain (or any other domain). So I’m not sure why they would have told you to add those.
I didn’t spot the DMARC record. (Hardenize.com just has an X for your domains). A dedicated service like Dmarcian is probably better than a regular mailbox. They can process the reports into something human readable.
Let me know how the reports look in the coming days.
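An added illustration, not part of the thread: a small SPF evaluator (subset: `ip4`, `a`, `include`, `all`) run over constructed DNS data, showing that an alias domain without its own record gets no result from another domain's record, and that an `a:` mechanism only authorizes the addresses the hostname resolves to. All domain names and IP addresses here are placeholders, not the real records of the domains discussed.

```python
import ipaddress

# Constructed DNS data: names and addresses are placeholders (RFC 5737 ranges),
# not the real records of any domain in this thread.
TXT = {
    "primary.example": "v=spf1 include:_spf.provider.example a:alias1.example ~all",
    "alias1.example": None,  # alias domain with no SPF record of its own
    "alias2.example": "v=spf1 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}
A = {
    "primary.example": ["203.0.113.10"],  # reverse-proxy address, not a mail sender
    "alias1.example": ["203.0.113.11"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate a subset of SPF (ip4, a, include, all) for the envelope domain."""
    record = TXT.get(domain)
    if record is None:
        return "none"  # no record published on this domain: nothing is inherited
    if depth > 10:
        return "permerror"  # guard against include loops
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg)
        elif name == "a":
            # matches only the addresses the hostname resolves to
            matched = sender_ip in A.get(arg or domain, [])
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # mechanisms outside this subset are skipped
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

With this data, mail sent by the provider (192.0.2.25) passes for `primary.example` and `alias2.example` but returns `none` for `alias1.example`, even though `primary.example` names it in an `a:` mechanism; that mechanism only authorizes 203.0.113.11, the proxy address.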