Question About Merging SPF Records

For one of my domains I set up a custom DKIM for Aweber.com and merged SPF records to do so (v=spf1 a mx include:websitewelcome.com include:send.aweber.com ~all).

TTL is “Auto” and Proxy is “DNS only”

Is this correct?

You should evaluate the use of “A” in your SPF. If you are sending email from your servers which are :orange: then the A will not apply to them, and emails sent directly from your servers will fail the SPF check. The fix is to either relay your email through one of the mail servers, or add them as ip4 entries.

~all is not very safe, and you should target getting to -all.

Make sure any CNAMEs you have created for DKIM are :grey:

Have you configured a DMARC policy?

1 Like

Hey michael, thank you very much for your answer. Forgive me, but I’m a novice and don’t really understand what you mean by “A will not apply to them, and emails sent directly from your servers will fail the SPF check.” I sometimes send emails through my own server but use Aweber.com (which is an autoresponder mail service) to send the majority. And I’m not sure what “ip4 entries” are or what a “DMARC policy” is.

If you are sending email directly from the server for example.com, then you might have used the “a” in the SPF record to cover your server. But once you set example.com to :orange: the DNS will change, and “a” will not match the actual IP address you are sending from, and might get dropped.

DMARC is another mechanism that you can use to let email receivers know whether email claiming to be from you is real or not. Dmarcian is a good resource, and they have a free reporting tier that is pretty good. They have some good docs that will help you with your SPF records as well.

2 Likes

Okay, I think I understand. So… how do I set it so I can send email from my server and set up DKIM for my autoresponder service? I can’t have two, so I read how to merge. But is that the wrong way to go about it?

The way we’ve worked around this is to send the email from the server through a third party service’s API such as Mailgun, Mandrill or Sendgrid. That way the server’s IP is never revealed to email recipients which could allow an attacker to bypass Cloudflare.

The other (less good) option if you want to send direct from the server is to allow an IP range e.g. ip4:1.2.3.4/16 with your server being within that range, thus meaning an attacker would need to take down your entire ISP's range to be able to attack your website while also permitting your server to send. It does allow other customers of your ISP to potentially send on your behalf also, hence why it's not preferable.

2 Likes
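To make the two points above concrete (the "a" mechanism no longer covering the origin once the domain is proxied, and an explicit ip4 entry fixing that), here is an added example that is not part of the thread: a simplified SPF evaluator run against a constructed DNS table. All addresses, the origin IP and the TXT records of the included domains are made up for the illustration; real SPF evaluation also handles macros, the lookup limit, ptr/exists and redirect, which this omits.

```python
import ipaddress

# Constructed DNS table (not real data). example.com is proxied, so its A
# record is the proxy's edge address rather than the origin that sends mail.
DNS = {
    "example.com": {
        "A": ["203.0.113.10"],                 # proxy edge IP (constructed)
        "MX": ["mail.websitewelcome.com"],
        "TXT": "v=spf1 a mx include:websitewelcome.com include:send.aweber.com ~all",
    },
    "mail.websitewelcome.com": {"A": ["198.51.100.20"]},
    "websitewelcome.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    "send.aweber.com": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
}
ORIGIN_IP = "198.18.0.5"  # the web server's real, unproxied address (constructed)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_matches(ip, name):
    # True if `ip` is one of the A records published for `name`
    return any(ip == ipaddress.ip_address(a) for a in DNS.get(name, {}).get("A", []))

def check_spf(ip, domain, record=None):
    """Evaluate a simplified SPF record (a, mx, ip4, include, all) for `ip`."""
    ip = ipaddress.ip_address(ip)
    record = record or DNS.get(domain, {}).get("TXT", "")
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "a":                      # compares against the A record, i.e. the proxy
            matched = _a_matches(ip, arg or domain)
        elif name == "mx":
            matched = any(_a_matches(ip, mx) for mx in DNS.get(arg or domain, {}).get("MX", []))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":                # only a "pass" of the included record counts
            matched = check_spf(ip, arg) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term present

# The thread's record versus one that lists the origin explicitly and uses -all.
PUBLISHED = DNS["example.com"]["TXT"]
FIXED = "v=spf1 ip4:198.18.0.5 mx include:websitewelcome.com include:send.aweber.com -all"
```

With the published record, mail sent straight from the origin gets a softfail because "a" now resolves to the proxy's address; with the ip4 entry it passes, and -all makes every other source fail outright.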

Could I use gsuite from Google?

This is how it’s set up with Gsuite from Google

Apologies for delay.

In theory you could create an app password on G-Suite and then, provided the website can send through a third party SMTP server, the website could send through Gmail.

Do check whether Google Terms of Service allow this however as they are quite tight on some of these things.

Hello John,

Thank you for your reply. I set my account up in GSuite and am able to send and receive emails through their system. So far I haven’t had any issues.