SPF is all about publishing a list of servers that are authorized to send on behalf of a domain.
SPF use case examples
To allow emails sent from both Mailchimp and GMail/Google Apps, simply include both:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
If you need to send emails as *@yourdomain.tld your self as well, include the IP address of your sending (outbound) MTA as well, either in the form of an IPv4 address:
v=spf1 ip4:87.65.43.21 include:_spf.google.com include:servers.mcsv.net ~all
Or
(if the server sending and receiving emails is the same) use the MX:
v=spf1 mx include:_spf.google.com include:servers.mcsv.net
Brizy io has 4 include domains accepted
v=spf1 a mx ptr include:_spf.google.com include:spf.sendinblue.com include:mail.zendesk.com include:spf.mailjet.com ?all
What to use before "all"
According to RFC 7208, 'SPF implementations MUST limit the number of mechanisms and modifiers that do DNS Lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier"'. The mechanisms of: "include", "mx", "a", "ptr", and "exists" count against the limit of 10 lookups. The "all, "ip4", and "ip6" mechanisms do not count against the limit of 10 since they do not require a DNS Lookup
Deprecated records
SPF use case examples
To allow emails sent from both Mailchimp and GMail/Google Apps, simply include both:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
If you need to send emails as *@yourdomain.tld your self as well, include the IP address of your sending (outbound) MTA as well, either in the form of an IPv4 address:
v=spf1 ip4:87.65.43.21 include:_spf.google.com include:servers.mcsv.net ~all
Or
(if the server sending and receiving emails is the same) use the MX:
v=spf1 mx include:_spf.google.com include:servers.mcsv.net
Brizy io has 4 include domains accepted
v=spf1 a mx ptr include:_spf.google.com include:spf.sendinblue.com include:mail.zendesk.com include:spf.mailjet.com ?all
What to use before "all"
?all
Neutral. Neither passes nor fails authentication. The SPF record doesn’t explicitly state that the IP address is authorized to send for the domain. SPF records with neutral results often use ?all
~all
Fails authentication. The server with matching IP address is not authorized to send for the domain. The SPF record doesn’t include the sending server IP address or domain so messages won’t pass authentication.
~all
Neutral. Neither passes nor fails authentication. The SPF record doesn’t explicitly state that the IP address is authorized to send for the domain. SPF records with neutral results often use ?all
~all
Fails authentication. The server with matching IP address is not authorized to send for the domain. The SPF record doesn’t include the sending server IP address or domain so messages won’t pass authentication.
~all
Softfails authentication. It's unlikely that the server with matching IP address is authorized to send for the domain. The receiving server will typically accept the message but mark it as suspicious.
how many records can include under 10 dns look limit and how
Deprecated records
ptr ( not encourage to use any more)
v=spf1 mx ptr include: