What is the correct SPF record for using both Amazon SES and Google Apps

email google-apps amazon-ses spf
Random5000 picture Random5000 · Sep 22, 2013 · Viewed 12.9k times · Source

What would be the correct SPF record to use for both Amazon SES and Google Apps together:

Google Apps says they want you to have the tilde "~" in it: http://support.google.com/a/bin/answer.py?hl=en&answer=178723, but most other examples have a dash "-" instead.

Amazon wants: "v=spf1 include:amazonses.com -all"

Google wants: "v=spf1 include:_spf.google.com ~all"

We currently have this, combining both together:

TXT "v=spf1 include:amazonses.com include:_spf.google.com ~all"

SPF "v=spf1 include:amazonses.com include:_spf.google.com ~all"

1) Is this the correct SPF record?

2) Are we missing anything, should this record be the exact same for both TXT & SPF DNS records? That is all we have, we don't have anything else.

We only send email from Google Apps and Amazon SES, nothing else.

Answer

Vitaly Kuznetsov picture Vitaly Kuznetsov · Jun 16, 2015

  1. Publish a TXT record:

    "v=spf1 include:_spf.google.com include:amazonses.com ~all"

    Amazon SES documentation says that no additional SPF configuration is required for a domain, but it turns out that adding include:amazonses.com to the record makes Sender ID pass as well. Even though Sender ID is considered obsolete, some receivers could implement it.

    If Amazon SES is configured to use a custom MAIL-FROM subdomain, publish another TXT record for the subdomain:

    "v=spf1 include:amazonses.com ~all"

    It's good to have a custom subdomain set up for better deliverability and customer experience. For example, the domain will be displayed in the mailed-by field in Gmail.

    You can use -all instead of ~all. In this case, emails sent from sources not covered in SPF record may be rejected by recipients.

  2. According to Section 3.1 of RFC 7208:

    SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only.

    Thus, SPF record type is now obsolete.

  3. Regarding your comment, here is one simple way to test whether SPF works:

    • Send emails to [email protected] from both Gmail and Amazon SES Test Email form.
    • Afterwards, search the automated reply for SPF check: pass.

Related questions

Must issue a STARTTLS command first. Sending email with Java and Google Apps

I am trying to use Bill the Lizard's code to send an email using Google Apps. I am getting this error: Exception in thread "main" javax.mail.SendFailedException: Sending failed; nested exception is: javax.mail.MessagingException: 530 5.7.0 Must issue a STARTTLS …

Read More
Setting up a no-reply email address with Google Apps

I have my domain's email set up with Google Apps, and I am interested in sending automated emails (when users register, for example) with the From and/or Reply-To field being "[email protected]". I have a few questions pertaining …

Read More
How can I avoid google mail server asking me to log in via browser?

I am trying to send emails from Django using an email configured by Google Apps, my configuration at the settings.py file looks something like this: EMAIL_HOST = 'smtp.gmail.com' EMAIL_HOST_USER = '[email protected]' EMAIL_HOST_PASSWORD = …

Read More