PTR in SPF Record

Hello,

Do I need a PTR entry in my SPF record for infocube.com.au? We have two other domains that we use to send mail as aliases from that domain. Currently the record is:

v=spf1 a mx ptr a:exploringtm1.com a:tm1explorers.com include:emsd1.com +include:_spf.google.com ~all

If not, how should I change it please?

Thanks!

John

No. PTR is deprecated, and should not be used.

I’m not really sure what this means. Can you explain?

SPF records are essentially a way to define a list of IP addresses that are authorised to send email claiming to come from a particular domain.

Your current record says:

  1. Check the A records for my domain, and if the IP matches the SPF passes. This is generally not needed if your root domain is :orange: in Cloudflare.
  2. Check the MX records for my domain, and if the IP matches the SPF passes.
  3. Do a reverse lookup for the IP, and if it matches my domain the SPF passes. Most providers ignore PTR records at this stage.
  4. Check the A records for my other domain, and if the IP matches the SPF passes. This is generally not needed if your other domain is :orange: in Cloudflare.
  5. Include the SPF records from the other two domains as well. Usually used when you are using a hosted mail solution, email marketing service etc.

Thanks Michael.

So can I just straight out remove “PTR” from our SPF record?

Will that break the two other domains that are referred to in the SPF record?

Thanks again,

John

If you don’t currently have reverse DNS enabled on anything, then it’s perfectly safe.

Hi again.

So we have our primary email domain, which is Infocube.com.au. Then we have two aliases set up in Google Suite (which we use for mail) for ExploringTM1.com and TM1Explorers.com. The effect of those is that I can send or receive an email as [email protected] or [email protected] or [email protected]. All will end up being sent or received from the same Infocube.com.au mail box.

I have additional entries for those other domains in the SPF record for Infocube so they are legitimately received by the people we send email to.

Does that make sense?

Thanks again,

John

As English, it makes sense. But technically, no! :smiley:

Each alias domain needs its own SPF record. You can import another domain’s SPF, but you cannot “export”. If a mail server receives mail from [email protected], the mail server will look at the SPF record for tm1explorers.com.

If the only places sending email for each domain are either ActiveCampaign or Google, then the following will work:

v=spf1 include:emsd1.com include:_spf.google.com -all

You would need the exact same record on each of the three domains.

The a is not needed, as all three domains are :orange:. The mx is not needed, as all three domains have Google configured for incoming email, and the above record explicitly includes the Google SPF. The ptr will do nothing in most cases as people don’t usually have control of the reverse DNS, and it is not really honoured anyway. The a: doesn’t do what you think it does, and with :orange: hostnames will never be matched.

You should look at enabling DMARC and DKIM for the three domains also.
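The evaluation Michael walks through above (mechanisms checked left to right, lookup keyed on the envelope-from domain, `ptr` ignored) and the effect of his recommended record, as an added example that is not part of the thread. It is a minimal SPF evaluator over a constructed, offline DNS snapshot: the Cloudflare proxy addresses are the ones quoted later in the thread, while the contents of `emsd1.com` and `_spf.google.com` are TEST-NET stand-ins, not the real records.

```python
import ipaddress

# Constructed DNS snapshot (no live lookups). The proxy A records are the
# addresses quoted in the thread; the emsd1.com and _spf.google.com TXT
# contents are TEST-NET stand-ins, not the providers' real SPF records.
OLD = ("v=spf1 a mx ptr a:exploringtm1.com a:tm1explorers.com "
       "include:emsd1.com +include:_spf.google.com ~all")
NEW = "v=spf1 include:emsd1.com include:_spf.google.com -all"
DNS = {
    "infocube.com.au": {"TXT": OLD, "A": ["172.66.42.231"], "MX": ["aspmx.l.google.com"]},
    "tm1explorers.com": {"A": ["172.66.42.231"], "MX": ["aspmx.l.google.com"]},
    "aspmx.l.google.com": {"A": ["203.0.113.27"]},
    "_spf.google.com": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
    "emsd1.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all"},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check(domain, ip, dns=DNS, depth=0):
    """Evaluate the SPF record of `domain` (the envelope-from domain) for sender `ip`."""
    record = dns.get(domain, {}).get("TXT")
    if record is None or depth > 10:       # no record published / too many includes
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # skip the v=spf1 version tag
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        hit = False
        if name == "all":
            hit = True
        elif name == "a":                  # `a` uses this domain, `a:other` the named one
            hit = ip in dns.get(arg or domain, {}).get("A", [])
        elif name == "mx":                 # A records of this domain's MX hosts
            hit = any(ip in dns.get(mx, {}).get("A", [])
                      for mx in dns.get(domain, {}).get("MX", []))
        elif name == "ptr":                # deprecated; receivers usually skip it
            hit = False
        elif name == "ip4":
            hit = addr in ipaddress.ip_network(arg)
        elif name == "include":            # recurse; only a "pass" counts as a match
            hit = check(arg, ip, dns, depth + 1) == "pass"
        if hit:
            return RESULT[qual]
    return "neutral"                       # record exhausted without a match

def with_new_record(domain):               # snapshot where `domain` publishes NEW
    dns = {k: dict(v) for k, v in DNS.items()}
    dns.setdefault(domain, {})["TXT"] = NEW
    return dns
```

With the old record, a Cloudflare proxy address passes for infocube.com.au via `a` even though nothing there sends mail, and mail from the alias domain gets no verdict at all because tm1explorers.com publishes no record; with the recommended record on the alias domain, Google's stand-in range passes and everything else fails.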

Wow. Ok.

So I have enabled DMARC and DKIM for all three domains. I had p=quarantine in the DMARC for all three and was then getting DMARC bounces from a heap of sites. I chatted with G Suite tech support and they told me to enter the a:tm1explorers.com and a:exploringtm1.com into the Infocube spf record to overcome it and then wait up to 48 hours for the problems to go away.

At the same time I changed to p=none, but want to flip it back to enable BIMI.

Was what she advised the correct thing to do? I have doubts now!

Thanks again,

John

According to the current DNS, a:tm1explorers.com expands to:

172.66.42.231
172.66.41.25
2606:4700:3108:0:0:0:ac42:2ae7
2606:4700:3108:0:0:0:ac42:2919

As those are Cloudflare proxy addresses, they will never send email on behalf of your domain (or any other domain). So I’m not sure why they would have told you to add those.

I didn’t spot the DMARC record. (Hardenize.com just has an X for your domains). A dedicated service like Dmarcian is probably better than a regular mailbox. They can process the reports into something human readable.

Let me know how the reports look in the coming days.

Thanks Michael.

Do you know anyone I can pay to set email security up the right way - so SPF, DMARC, DKIM and BIMI for all three domains?

Cheers,

John