SPF is pretty straightforward if you know how to add a TXT DNS record.
But the syntax can be confusing. Probably the most confusing part of SPF is the end bit, as it can take one of two forms:
~all = softfail
-all = hardfail
Here is a sample record that adds an IP and Outlook settings:
"v=spf1 a mx ip4:a.b.c.d include:spf.protection.outlook.com -all"
Don’t ask what the difference is between - and ~, but just take it as the most confusing parameter ever. The difference between the dash and the tilde is:
The tilde and dash identify the different types of failure. Consider a message that doesn’t match the parameters specified in the SPF record. Tilde is for a softfail: the message will be accepted and marked if it doesn’t match the parameters specified. Dash is for a hardfail: the message will be rejected if it doesn’t match.
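To make the end-of-record qualifier concrete, here is an added example (not code from the original post) of an offline SPF linter in Python. It reports how the terminal all is qualified and, going a little beyond the text above, flags duplicate v=spf1 TXT records and counts the terms that trigger DNS queries, which RFC 7208 caps at 10. The function name lint_spf and the sample records are constructed for illustration.

```python
import re

# Added example: lint_spf and the sample records are constructed for illustration.
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}
# Terms that make the receiver issue DNS queries; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(txt_records):
    """Lint all TXT strings published at one name; return a findings dict."""
    cleaned = [r.strip('" ') for r in txt_records]
    spf = [r for r in cleaned if r.lower().split(" ")[0] == "v=spf1"]
    result = {"errors": [], "terms": [], "all": None, "lookups": 0}
    if not spf:
        result["errors"].append("no v=spf1 record")
        return result
    if len(spf) > 1:
        # More than one SPF TXT record at a name is a permerror: merge them.
        result["errors"].append("multiple v=spf1 records (permerror)")
        return result
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # "+" is implied
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        result["terms"].append((name, QUALIFIERS[qualifier]))
        if name in LOOKUP_TERMS:
            result["lookups"] += 1  # top level only; included records add more
        if name == "all":
            result["all"] = QUALIFIERS[qualifier]
            break  # nothing after "all" is evaluated
    if result["lookups"] > 10:
        result["errors"].append("more than 10 DNS-querying terms (permerror)")
    names = [n for n, _ in result["terms"]]
    if result["all"] is None and "redirect" not in names:
        result["errors"].append('no "all" term: unmatched senders get neutral')
    return result


if __name__ == "__main__":
    samples = {
        "hardfail": ["v=spf1 a mx ip4:192.0.2.10 include:spf.protection.outlook.com -all"],
        "softfail": ["v=spf1 mx ~all"],
        "two TXT": ["v=spf1 mx -all", "v=spf1 include:spf.protection.outlook.com -all"],
    }
    for label, records in samples.items():
        print(label, lint_spf(records))
```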
Caveats with SPF
SPF records can only have 10 entries. See here:
Can you forward email to Google from a non-Google domain and still have SPF pass?
In our opinion, it’s impossible to forward email to Google from a non-Google domain and still have SPF pass. This is most likely due to security restrictions – how can Google be programmed to accept legitimate email from “any” domain and make it pass?
Edit: It’s possible to forward email to Google and make SPF pass. You need Postfix and root access to the server. See here:
Here is some substantiation to that claim:
A typical Google fail for SPF forwarding will look like this:
After SRS implementation you have this:
More SPF guides
Hard fail versus soft fail
The DKIM guide is quite intense, but if you follow the exact guide below, and the tip, then you will be good.
If you don’t have a listener on port 8891, then follow the last answer on this post, the one about ExecStart.
How to test? Well, when you’re done, send a message to Gmail, reveal the entire message, and then look for PASS x 2.
Include more than one SPF (DON’T ADD 2 X TXT!!!)
Office 365 @ Go Daddy