
Sunday, August 5, 2012

Google Apps email, GoDaddy hosting and SPF records

The other day I was setting up another web site using GoDaddy for hosting and DNS and Google Apps for email. The two Gs make a great combo since GoDaddy allows for quick domain verification right within the Google Apps admin view, while their configuration tool automatically creates the necessary MX records for Google Apps. The deployment is as fast as it gets.

The issue arose when I tried to send a test email from the web application using Google's SMTP servers. Apparently GoDaddy rejects all outgoing SMTP connections to any servers but its own relay-hosting.secureserver.net. Not much can be done about that, so I guess I just have to configure my SPF records to define which servers are authorized to send emails on behalf of my domain.

For Google Apps it's a well-documented procedure; just add the following TXT record:

"v=spf1 include:_spf.google.com ~all"

Now what settings to add for GoDaddy's servers? GoDaddy's SPF wizard would have me use something like this:

"v=spf1 a mx include:smtp.secureserver.net ~all"

Since I've changed my MX servers to Google's and they won't be sending any mail, the "mx" mechanism could be dropped. The same goes for the "a" mechanism since, as I discovered, GoDaddy does not allow its shared hosts to send any email directly. Let's dig into the "include:smtp.secureserver.net" portion and see what's inside...

dig smtp.secureserver.net -t txt

Here are the contents of the TXT record: "v=spf1 include:spf.secureserver.net -all". OK, let's dig deeper...

dig spf.secureserver.net -t txt

Now we get a whole set: "v=spf1 include:in.spf.secureserver.net include:in2.spf.secureserver.net include:ext1.spf.secureserver.net include:ext2.spf.secureserver.net include:ext3.spf.secureserver.net include:mon.spf.secureserver.net include:exch.spf.secureserver.net -all". Yikes! Do I have to check all of these one by one?

Luckily, there's an easier way with a free online tool called SPF Parser. Just paste smtp.secureserver.net into the text field and get the entire list of all A and relevant SPF records recursively parsed.

The output contained the IP address of GoDaddy's relay server, so in theory it should work, and my final SPF record becomes:

"v=spf1 include:_spf.google.com include:smtp.secureserver.net ~all"

Once the new record is in place, validate it over at Scott Kitterman's site, where you can see what your domain is currently reporting, whether it's valid and whether an email sent from a certain IP will pass or fail SPF verification.
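The recursive include expansion traced with dig above, as an added example (not code from the original post): a Python script that follows include terms through an offline table and counts DNS-querying terms against the RFC 7208 limit of 10, above which receivers return permerror. Only the smtp.secureserver.net and spf.secureserver.net records are the ones quoted in the post; the leaf records, the _spf.google.com record and all IP ranges are constructed placeholders.

```python
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 4.6.4: more than 10 DNS-querying terms => permerror

# Constructed offline stand-in for DNS TXT lookups. Only the smtp/spf
# secureserver.net records are quoted from the post; the rest is made up.
LEAVES = ["in", "in2", "ext1", "ext2", "ext3", "mon", "exch"]
TXT = {
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "smtp.secureserver.net": "v=spf1 include:spf.secureserver.net -all",
    "spf.secureserver.net": "v=spf1 "
    + " ".join(f"include:{n}.spf.secureserver.net" for n in LEAVES) + " -all",
}
for i, n in enumerate(LEAVES):
    TXT[f"{n}.spf.secureserver.net"] = f"v=spf1 ip4:198.51.100.{i * 8}/29 -all"


def expand(record, txt=TXT, path=frozenset()):
    """Follow include/redirect terms; return (ip_networks, dns_lookup_count)."""
    networks, lookups = [], 0
    for term in record.split()[1:]:              # skip the "v=spf1" tag
        term = term.lstrip("+-~?")               # qualifiers don't change expansion
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()        # "a/24" -> "a"
        if name in ("ip4", "ip6"):
            networks.append(ipaddress.ip_network(arg, strict=False))
        elif name in ("a", "mx", "ptr", "exists"):
            lookups += 1                         # costs a query, nothing to follow
        elif name in ("include", "redirect"):
            if arg in path:
                raise ValueError(f"include loop at {arg}")
            if arg not in txt:
                raise LookupError(f"no SPF record published for {arg}")
            nets, nested = expand(txt[arg], txt, path | {arg})
            networks += nets
            lookups += 1 + nested
    return networks, lookups


if __name__ == "__main__":
    final = "v=spf1 include:_spf.google.com include:smtp.secureserver.net ~all"
    wizard = "v=spf1 a mx include:_spf.google.com include:smtp.secureserver.net ~all"
    for label, rec in (("final", final), ("with a mx", wizard)):
        nets, n = expand(rec)
        verdict = "ok" if n <= LOOKUP_LIMIT else "permerror"
        print(f"{label}: {len(nets)} networks, {n} lookups -> {verdict}")
```

Against this constructed table the final record lands exactly on the limit, and adding "a mx" back pushes it over. Live records may nest differently, so the count has to be taken from current DNS answers.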

Friday, July 31, 2009

SPF record for google hosted domain

After I moved some of my email infrastructure to Google, I decided to add one more optional, but important step and create a custom SPF record for that domain. Sender Policy Framework (SPF) allows domain owners to specify which Internet hosts are allowed to send e-mail claiming to originate from that domain by creating a specific DNS TXT record. Google's help page recommends the following:

v=spf1 include:aspmx.googlemail.com ~all

However, a lot of people found that it doesn't work all the time, and alternatively suggest the following:

v=spf1 a mx include:aspmx.googlemail.com include:_spf.google.com ~all

Since I'm still planning to send some of my emails from PHP scripts on my site, I also included my web host's domain:

v=spf1 a mx include:aspmx.googlemail.com include:_spf.google.com include:bluehost.com ~all

This should make any spoofed messages that claim to come from my domain appear like the fakes that they are. Unless, of course, they were sent from Bluehost's or Google's servers. Umm... well, that should reduce the amount by at least a little bit.