What is the correct SPF record for using both Amazon SES and Google Apps

Random5000 picture Random5000 · Sep 22, 2013 · Viewed 12.9k times · Source

What would be the correct SPF record to use for both Amazon SES and Google Apps together:

Google Apps says they want you to have the tilde "~" in it: http://support.google.com/a/bin/answer.py?hl=en&answer=178723, but most other examples have a dash "-" instead.

Amazon wants: "v=spf1 include:amazonses.com -all"

Google wants: "v=spf1 include:_spf.google.com ~all"


We currently have this, combining both together:

TXT "v=spf1 include:amazonses.com include:_spf.google.com ~all"

SPF "v=spf1 include:amazonses.com include:_spf.google.com ~all"


1) Is this the correct SPF record?

2) Are we missing anything, should this record be the exact same for both TXT & SPF DNS records? That is all we have, we don't have anything else.

We only send email from Google Apps and Amazon SES, nothing else.

Answer

Vitaly Kuznetsov picture Vitaly Kuznetsov · Jun 16, 2015
  1. Publish a TXT record:

    "v=spf1 include:_spf.google.com include:amazonses.com ~all"
    

    Amazon SES documentation says that no additional SPF configuration is required for a domain, but it turns out that adding include:amazonses.com to the record makes Sender ID pass as well. Even though Sender ID is considered obsolete, some receivers could implement it.

    If Amazon SES is configured to use a custom MAIL-FROM subdomain, publish another TXT record for the subdomain:

    "v=spf1 include:amazonses.com ~all"
    

    It's good to have a custom subdomain set up for better deliverability and customer experience. For example, the domain will be displayed in the mailed-by field in Gmail.

    You can use -all instead of ~all. In this case, emails sent from sources not covered in SPF record may be rejected by recipients.

  2. According to Section 3.1 of RFC 7208:

    SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only.

    Thus, SPF record type is now obsolete.

  3. Regarding your comment, here is one simple way to test whether SPF works:

    • Send emails to [email protected] from both Gmail and Amazon SES Test Email form.
    • Afterwards, search the automated reply for SPF check: pass.