What is the correct SPF record for using both Amazon SES and Google Apps

Question

What would be the correct SPF record to use for both Amazon SES and Google Apps together:

Google Apps says they want you to have the tilde "~" in it: http://support.google.com/a/bin/answer.py?hl=en&answer=178723, but most other examples have a dash "-" instead.

Amazon wants: "v=spf1 include:amazonses.com -all"

Google wants: "v=spf1 include:_spf.google.com ~all"

---

We currently have this, combining both together:

TXT "v=spf1 include:amazonses.com include:_spf.google.com ~all"

SPF "v=spf1 include:amazonses.com include:_spf.google.com ~all"

---

1) Is this the correct SPF record?

2) Are we missing anything, should this record be the exact same for both TXT & SPF DNS records? That is all we have, we don't have anything else.

We only send email from Google Apps and Amazon SES, nothing else.

Answer 1

1. Publish a TXT record:

   "v=spf1 include:_spf.google.com include:amazonses.com ~all"
   

   Amazon SES documentation says that no additional SPF configuration is required for a domain, but it turns out that adding include:amazonses.com to the record makes Sender ID pass as well. Even though Sender ID is considered obsolete, some receivers could implement it.

   If Amazon SES is configured to use a custom MAIL-FROM subdomain, publish another TXT record for the subdomain:

   "v=spf1 include:amazonses.com ~all"
   

   It's good to have a custom subdomain set up for better deliverability and customer experience. For example, the domain will be displayed in the mailed-by field in Gmail.

   You can use -all instead of ~all. In this case, emails sent from sources not covered in SPF record may be rejected by recipients.

2. According to Section 3.1 of RFC 7208:

   SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only.

   Thus, SPF record type is now obsolete.

3. Regarding your comment, here is one simple way to test whether SPF works:

   • Send emails to check-auth@verifier.port25.com from both Gmail and Amazon SES Test Email form.
   • Afterwards, search the automated reply for SPF check: pass.

Answer 2

The correct is to include each sender in the SPF, regarding the - or ~ it is the SPF properties

"-" = only the listed hosts are permitted

"~" = the listed hosts should send but might exist another sender.

If you are 100% sure that you have all the listed senders you can change the ~ for - BUT you should not maintain both.

TXT "v=spf1 include:amazonses.com include:_spf.google.com -all"

http://www.open-spf.org/SPF_Record_Syntax/

Answer 3

After many months trying to create correct SPF record and prevent my emails from Amazon classified as SPAM I've found that SPF syntax validator is exist. Using a Validator and SPF Policy Tester I was able to create SPF record that suites my requirements.

Gmail:

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.google.com +mx ?all

Yandex:

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.yandex.net +mx ?all