SPF
SPF is pretty straightforward if you know how to add a TXT DNS record.
But the syntax can be confusing. Probably the most confusing part of SPF is the end bit, which can take one of two forms:
~all = softfail
-all = hardfail
Here is a sample record that adds an IP and Outlook settings:
"v=spf1 a mx ip4:a.b.c.d include:spf.protection.outlook.com -all"
Don’t ask what the difference is between - and ~, but just take it as the most confusing parameter ever. The difference between the dash and the tilde is:
The tilde and dash identify different types of failure. Consider a message that doesn’t match the parameters specified in the SPF record. Tilde is for a softfail: the message will be accepted and marked if it doesn’t match the parameters specified. Dash is for a hardfail: the message will be rejected if it doesn’t match.
Caveats with SPF
SPF records can only have 10 entries. See here:
https://support.google.com/a/answer/10685928?hl=en
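The following Python linter is an added example, not code from the original guide. It reads a domain's TXT records, reports whether the closing `all` term is a softfail or hardfail, and counts the terms that RFC 7208 charges against the limit of 10 (those that cost a DNS lookup). It also flags a domain that publishes two `v=spf1` records. The function name, the sample IP and the sample records are assumptions made for illustration.

```python
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10

def lint_spf(txt_records):
    """Lint a domain's TXT records; return (findings, all_policy, lookups).

    Offline check: only terms written in the record are counted. A real
    evaluation also counts lookups made inside each include/redirect target.
    """
    cleaned = [r.strip().strip('"“”') for r in txt_records]
    spf = [r for r in cleaned if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no v=spf1 record found"], None, 0
    findings = []
    if len(spf) > 1:
        findings.append("multiple v=spf1 TXT records: receivers return permerror")
    terms = spf[0].split()[1:]
    policy, lookups = None, 0
    for term in terms:
        qualifier = "+"                      # default when no prefix is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # Mechanism/modifier name is everything before ':', '/' or '='.
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            policy = QUALIFIERS[qualifier]
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}: permerror")
    if policy is None and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' term: unmatched senders get a neutral result")
    elif policy == "pass":
        findings.append("+all authorizes every sender")
    return findings, policy, lookups

# Constructed inputs; 192.0.2.10 is a documentation address standing in for a.b.c.d.
PAGE_STYLE = ['"v=spf1 a mx ip4:192.0.2.10 include:spf.protection.outlook.com -all"']
TWO_RECORDS = PAGE_STYLE + ['"v=spf1 include:_spf.google.com ~all"']

if __name__ == "__main__":
    for records in (PAGE_STYLE, TWO_RECORDS):
        print(lint_spf(records))
```

For the sample record above, `a`, `mx` and `include` each count as one lookup, while `ip4` and `all` count as none.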
Can you forward email to Google from a non-Google domain and still have SPF pass?
In our opinion, it’s impossible to forward email to Google from a non-Google domain and still have SPF pass. This is most likely due to security restrictions – how can Google be programmed to accept legitimate email from “any” domain and make it pass?
Edit: It’s possible to forward email to Google and make SPF pass. You need Postfix and root access to the server. See here:
Here is some substantiation to that claim:
https://serverfault.com/questions/613943/spf-softfail-for-forwarded-emails-to-gmail-account/613961
A typical Google SPF failure for forwarded email will look like this:
After SRS implementation you have this:
More SPF guides
Hard fail versus soft fail
https://knowledge.ondmarc.redsift.com/en/articles/1148885-spf-hard-fail-vs-spf-soft-fail
DKIM
The DKIM setup is quite intense, but if you follow the guide below exactly, along with the tip, you will be fine.
Reference
https://philio.me/setting-up-dkim-with-sendmail-on-ubuntu-14-04/
If you don’t have a listener on port 8891, then follow the last answer on this post, the one about ExecStart.
How to test? Well, when you’re done, send a message to Gmail, reveal the entire message, and then look for PASS x 2.
Google DKIM
https://support.google.com/a/answer/174124
https://support.google.com/a/answer/180504
Other guides
Google SPF
https://support.google.com/a/answer/33786?hl=en
General SPF
https://mediatemple.net/community/products/dv/204404314/how-can-i-create-an-spf-record-for-my-domain
Include more than one SPF (DON’T ADD 2 X TXT!!!)
https://serverfault.com/questions/283125/how-to-include-multiple-domains-in-an-spf-txt-record
Office 365 @ Go Daddy