Managing Email

@DaveWP 

Based on a post from 2016 - which goes into detail about cPanel vs WorkSpace vs office365 etc etc etc

v=spf1 include:secureserver.net –all

this should give you want you need (obviously with your other elements)

I've  already tried your suggestion, but as I  said in my  original post, I cannot   use your suggestion as the spf record associated with secureserver.net now includes the spf records associated with protection.outlook.com. 

The result is  that when used with google's spf record, I  get too many nested records.

You can see all the nesting by using the following link     secureserver.net

@DaveWP 

I see what you are saying....

I guess my question is as the mx toolbox has  the IP addresses you need, can you grab them from there?? and build your SPF record from that?

Or setup an SPF record for something like spf.yourdomain.com with the IPs from secureserver.net but without the additional includes - and then just have that in your include statement (trying to keep it clean)

You reply is useful, but this goes back to  my original question:  "Which of the many IP address blocks mentioned in the spf records for   secureserver.net are needed to provide support for smtpout.secureserver.net?".

I've tried asking godaddy and they said they only provide assistance   to enable to send emails via workspace email.   My current approach  to building this list  is to rely on the email servers rejecting an email and getting the  IP address to add to my list.  This is a crapware approach.

Aghhhhhh    !*!*!*!*!*!*!*

@DaveWP 

I believe that they all have the potential to be used - but not sure as there are different platforms which use that SPF

Sorry I can't be of further help with that

Hi @DaveWP. Thanks for posting. The list of IP addresses that may send mail for secureserver.net would be very large. As far as I know, there wouldn't be a way to list them all individually. If there were, it probably wouldn't be advisable as they may change periodically. 

As @PL281 mentioned, v=spf1 include:secureserver.net -all is the correct SPF record to reference all of our mail servers. (One quick note: that is a "-" as opposed to an elongated hyphen. The code block seems to change this character when you copy it.) Based on the information here, the SPF record for secureserver.net only contributes to 4 of the 10 DNS lookup limit. Adding your domain to the mix would increase that to 5. I'm not sure what the SPF you're using from Google, but _spf.google.com only shows 3 lookups. If you could provide specific examples that can be queried, that may help the Community address your concerns. 

Part of the problem with including   just "secureserver.net" is it  pulls in 3 definition blocks from Outlook.com.  

spf1.secureserver.com includes the following     include:spf.protection.outlook.com

We get to 10 include definitions if you follow the logic below

1. My domain's SFP record
2. include spf.secureserver.net
3. include spf1.secureserver.net
4. include  spf.protection.outlook.com 
5. include   spfa.protection.outlook.com
6. include   spfb.protection.outlook.com
7. include   _spf.google.com
8. include     _netblocks.google.com
9. include  _netblocks2.google.com
10. include  _netblocks3.google.com 

Hence,   my request for a list  of IP address blocks  that  could be associated when sending emails using the Godaddy SMTP server.   (smtpout.secureserver.net).  This would not be an ideal solution.  my ideal solution would be for Godaddy to publish a spf definition,  say "spfsmtp.secureserver.net" , that I could include a reference to in my domain's spf definition.  

BTW, I used  https://www.dmarcanalyzer.com/spf/checker/ to check my spf record, and it highlighted the problem with the number of spf definition's I was dragging in.  It flagged up the problem that some mail servers may fail emails sent  where there are a large number of includes,.    This triggered my  investigations as I have experienced problems sending emails to some UK government departments  / police authorities with the above list of spf records in the hierarchy for my domain.  However, as I was on the limit I have found  some ISPs are happy .

I've struggled with authenticating messages sent from secureserver.net too. 4 lookups is just too many, and there's no reason anyone should have to authenticate outlook.com just because they use secureserver.net. The solution I've been using is to route messages from secureserver.net through Google's servers. https://support.google.com/a/answer/2956491?hl=en