The issue arose when I tried to send test email from the web application using Google's SMTP servers. Apparently GoDaddy rejects all outgoing SMTP connections to any servers but its own
relay-hosting.secureserver.net. Not much can be done about that, so I guess I just have to configure my SPF records to define which servers are authorized to send emails on behalf of my domain.
For Google Apps it's a well documented procedure, just add the following TXT record:
"v=spf1 include:_spf.google.com ~all"
Now what settings to add for GoDaddy's servers? GoDaddy's SPF wizard would have me use something like this:
"v=spf1 a mx include:smtp.secureserver.net ~all"
Since I've changed my MX servers to Google's and they won't be sending any mail, the "mx" mechanism could be dropped. Same goes for "a" mechanism since, as I discovered, GoDaddy does not allow its shared hosts to send any email directly. Let's dig into the "include:smtp.secureserver.net" portion and see what's inside...
dig smtp.secureserver.net -t txt
Here's the contents of TXT record:
"v=spf1 include:spf.secureserver.net -all". OK, let's dig deeper...
dig spf.secureserver.net -t txt
Now we get a whole set:
"v=spf1 include:in.spf.secureserver.net include:in2.spf.secureserver.net include:ext1.spf.secureserver.net include:ext2.spf.secureserver.net include:ext3.spf.secureserver.net include:mon.spf.secureserver.net include:exch.spf.secureserver.net -all". Yikes! Do I have to check all of these one by one?
Luckily, there's an easier way with a free online tool called SPF Parser. Just paste
smtp.secureserver.net into the text field and get the entire list of all A and relevant SPF records recursively parsed.
The output contained IP address of GoDaddy's relay server, so in theory it should work, so my final SPF record becomes:
"v=spf1 include:_spf.google.com include:smtp.secureserver.net ~all"
Once new record is in place, validate it over at Scott Kitterman's site, where you can see what your domain is currently reporting, whether it's valid and whether an email sent from certain IP shall pass of fail SPF verification.