Sunday, August 5, 2012

Google Apps email, GoDaddy hosting and SPF records

The other day I was setting up another web site using GoDaddy for hosting and DNS and Google Apps for email. The two Gs make a great combo, since GoDaddy allows for quick domain verification right within the Google Apps admin view, while their configuration tool automatically creates the necessary MX records for Google Apps. The deployment is as fast as it gets.

The issue arose when I tried to send a test email from the web application using Google's SMTP servers. Apparently GoDaddy rejects all outgoing SMTP connections to any servers but its own relay-hosting.secureserver.net. Not much can be done about that, so I guess I just have to configure my SPF records to define which servers are authorized to send emails on behalf of my domain.

For Google Apps this is a well-documented procedure. Just add the following TXT record:

"v=spf1 include:_spf.google.com ~all"

Now what settings to add for GoDaddy's servers? GoDaddy's SPF wizard would have me use something like this:

"v=spf1 a mx include:smtp.secureserver.net ~all"

Since I've changed my MX servers to Google's and they won't be sending any mail, the "mx" mechanism can be dropped. The same goes for the "a" mechanism since, as I discovered, GoDaddy does not allow its shared hosts to send any email directly. Let's dig into the "include:smtp.secureserver.net" portion and see what's inside...

dig smtp.secureserver.net -t txt

Here are the contents of the TXT record: "v=spf1 include:spf.secureserver.net -all". OK, let's dig deeper...

dig spf.secureserver.net -t txt

Now we get a whole set: "v=spf1 include:in.spf.secureserver.net include:in2.spf.secureserver.net include:ext1.spf.secureserver.net include:ext2.spf.secureserver.net include:ext3.spf.secureserver.net include:mon.spf.secureserver.net include:exch.spf.secureserver.net -all". Yikes! Do I have to check all of these one by one?

Luckily, there's an easier way with a free online tool called SPF Parser. Just paste smtp.secureserver.net into the text field and get the entire list of all A and relevant SPF records recursively parsed.

The output contained the IP address of GoDaddy's relay server, so in theory it should work. My final SPF record becomes:

"v=spf1 include:_spf.google.com include:smtp.secureserver.net ~all"

Once the new record is in place, validate it over at Scott Kitterman's site, where you can see what your domain is currently reporting, whether it's valid, and whether an email sent from a certain IP will pass or fail SPF verification.
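
The recursive include expansion and the pass-or-fail check for a sending IP described above, as an added Python example that is not part of the original post. It also counts DNS-querying mechanisms, because RFC 7208 caps SPF evaluation at 10 of them and nested includes like these use them up quickly. Assumptions: example.com stands in for the site's domain, the two secureserver.net include records are the ones quoted above, and every ip4 range is a constructed documentation prefix.

```python
import ipaddress

# Constructed zone so the example runs offline. The smtp.secureserver.net and
# spf.secureserver.net records are the ones quoted in the post; example.com and
# every ip4 range (documentation prefixes) are placeholders, not real senders.
LEAVES = ("in", "in2", "ext1", "ext2", "ext3", "mon", "exch")
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:smtp.secureserver.net ~all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "smtp.secureserver.net": "v=spf1 include:spf.secureserver.net -all",
    "spf.secureserver.net": "v=spf1 "
    + " ".join(f"include:{n}.spf.secureserver.net" for n in LEAVES) + " -all",
}
for i, n in enumerate(LEAVES):
    ZONE[f"{n}.spf.secureserver.net"] = f"v=spf1 ip4:192.0.2.{i * 16}/28 -all"

def expand_spf(domain, lookup=ZONE.get, seen=None):
    """Follow includes from `domain`; return (authorized networks, DNS lookups used)."""
    seen = set() if seen is None else seen
    if domain in seen:  # guard against include loops
        return [], 0
    seen.add(domain)
    nets, lookups = [], 0
    for term in (lookup(domain) or "").split()[1:]:
        passing = term[0] not in "-~?"  # only "+" (the default) authorizes a sender
        name, _, value = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name in ("ip4", "ip6") and passing:
            nets.append(ipaddress.ip_network(value, strict=False))
        elif name in ("include", "redirect"):
            sub_nets, sub_lookups = expand_spf(value, lookup, seen)
            nets += sub_nets if passing else []
            lookups += 1 + sub_lookups
        elif name in ("a", "mx", "ptr", "exists"):
            lookups += 1  # costs a DNS query; not resolved in this offline sketch
    return nets, lookups

def authorized(ip, domain, lookup=ZONE.get):
    """Return (ip is in an authorized range, DNS lookups; RFC 7208 allows at most 10)."""
    nets, lookups = expand_spf(domain, lookup)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets), lookups

if __name__ == "__main__":
    for ip in ("192.0.2.50", "198.51.100.7", "203.0.113.9"):
        print(ip, authorized(ip, "example.com"))
```

To run it against live DNS, pass a `lookup` callable that returns the SPF TXT string for a domain instead of the constructed table.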