
What are the correct GoDaddy SPF Settings For DNS to send mail?

We are getting SPAM alerts on any mail we send.

 

What are the correct SPF settings to use with GoDaddy?

 

I have the following options:

  1. v=spf1 include:secureserver.net -all
  2. v=spf1 mx include:secureserver.net -all
  3. v=spf1 a mx include:secureserver.net ~all
  4. v=spf1 a mx ptr include:secureserver.net ~all
  5. v=spf1 +a +mx include:spf.secureserver.net ~all

I was told by GoDaddy to use the first option. It does not look right at all. Especially with the hard fail.

 

I think the correct answer is:

  • v=spf1 +a +mx include:spf.secureserver.net ~all

 

 


Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

When I use http://www.kitterman.com/spf/validate.html to validate the SPF setting, it generates an error of:

 

PermError SPF Permanent Error: Too many DNS lookups

 

For

 

v=spf1 +a +mx include:spf.secureserver.net ~all

 

SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check.

 

When I examine spf.secureserver.net using http://mxtoolbox.com/spf.aspx, it has way too many lookups to function.

 

Which means the SPF check is never completed, and all your emails always get marked as SPAM.

 

Community Manager
Solution

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Hi @WesternGuy. Thanks for being part of GoDaddy Community!

 

The SPF record you should use depends on the email service you're using with us. Here's the information I have:

  • Workspace Email: v=spf1 mx include:secureserver.net -all
  • cPanel Email: v=spf1 a mx ptr include:secureserver.net ~all
  • Office 365 Email: v=spf1 include:spf.protection.outlook.com -all

That should at least help you get the right record. Hopefully other community members will be able to add other things you can check to lower your chances for your mail to be marked as spam.

 

 

UPDATE: Since the above was written, we have updated our SPF records. You should only need to use this record if you use any of our email services:

 

v=spf1 include:secureserver.net -all

 

JesseW - GoDaddy | Community Manager | 24/7 support available at x.co/247support | Remember to choose a solution and give kudos.

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

When I test your SPF settings with http://www.kitterman.com/spf/validate.html and http://mxtoolbox.com/spf.aspx I get error reports of Too many DNS lookups

 

For example, this is one report:

SPF record lookup and validation for: sabas.com

SPF records are published in DNS as TXT records.

The TXT records found for your domain are:

v=spf1 a mx ptr include:secureserver.net ~all

Checking to see if there is a valid SPF record.

Found v=spf1 record for sabas.com:

v=spf1 a mx ptr include:secureserver.net ~all

evaluating...

Results - PermError SPF Permanent Error: Too many DNS lookups

Community Manager

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

@WesternGuy Could you specify exactly what you're testing when you see that error? I wasn't able to duplicate that when using the correct SPF records. The record spf.secureserver.net is no longer in use (if that's the one you tested with). 

 

JesseW - GoDaddy | Community Manager | 24/7 support available at x.co/247support | Remember to choose a solution and give kudos.

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I have been testing with multiple variations of the SPF statement. I have only posted the results from 

  • v=spf1 a mx ptr include:secureserver.net ~all
  • v=spf1 +a +mx include:spf.secureserver.net ~all

I have actually tested ALL of the following:

  • v=spf1 include:Secureserver.net -all
  • v=spf1 include:secureserver.net ~all
  • v=spf1 mx include:secureserver.net -all
  • v=spf1 a mx include:secureserver.net ~all
  • v=spf1 a mx ptr include:secureserver.net ~all
  • v=spf1 +a +mx include:spf.secureserver.net -all
  • v=spf1 include:spf.secureserver.net -all
  • v=spf1 include:spf200.secureserver.net ~all
  • v=spf1 +a +mx include:spf200.secureserver.net ~all
  • v=spf1 +a +mx include:spf100.secureserver.net ~all
  • v=spf1 include:spf100.secureserver.net include:spf200.secureserver.net ~all
  • v=spf1 include:spf100.secureserver.net ~all
  • v=spf1 include:spf200.secureserver.net ~all

All generated errors or failed in certain instances.

 

That is until today. Now, v=spf1 include:secureserver.net -all seems to work without error on both http://mxtoolbox.com/spf.aspx and http://www.kitterman.com/spf/validate.html

 

I have screen captures of when they failed because those were the very first ones I started off with trying to get something to work.

 

I really don't want to be an expert at this. I just want to get order and delivery confirmations to my customers reliably and consistently.

 

If you have a question about accounting, then I am the guy to go to. I am really good at it.

 

If you have a question about western wear, then my family has been selling the best gear to Arizona's greatest cowboys for over 89 years at www.Sabas.com. For knowledge about western goods, I am exceptional.

 

If GoDaddy is looking to me to solve the issue of SPF records, then they have the wrong guy.

 

I feel like GoDaddy has really let me and my business down in this regard.

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

As for the test I am using to judge performance, it is simple.

 

I send an email from Service@Sabas.com to any person with a Name@Gmail.com email address.

 

If that email arrives in their Gmail inbox with a Big Red Question Mark saying the email may have originated from SPAMMERS, then I call that a failure.

 

See the attached screenshot.

 

If I see in the Gmail header a line like "service@sabas.com does not designate 173.201.192.235 as permitted sender", then I call that a failure.

 

If your mail system is untrusted by GMail which has over 1 BILLION monthly users, then I call that a failure of epic proportions.

Moderator

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Hey @WesternGuy,

 

It's sounding like you may have inserted the SPF value into your domain and didn't allow time for propagation. Keep in mind that when making any DNS update you have to allow propagation time for the changes to be in full effect before testing. Depending on the changes made it can take anywhere from a few moments to 24 hours.

 

We just had the "v=spf1 include:secureserver.net ~all" value tested with another domain. We've also sent a test message from the domain to a Gmail test account on our end and were able to generate the following result in our test message headers:

spf=pass (google.com: domain of scott@**********.com designates 68.178.252.170 as permitted sender) smtp.mailfrom=scott@**********.com

Unfortunately, we're not seeing any "Red Question Mark" as indicated in the screenshot provided. If these are still the results being generated on your side after 24 hours of applying the SPF changes to your domain, I'd recommend reaching out to our live support so our Domain/Email teams can investigate further. 

 

CG - GoDaddy | Community Moderator
24/7 support available at x.co/247support

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Most of the tests were beyond 24 hours.

 

The SPF testing tools used show what SPF settings they pulled live to confirm what is being tested.

 

If it failed in the testing tools, it was going to fail on Google Gmail.

 

As for speaking with Live support, their response was it was a customization and that I was pretty much on my own, but I should go to the forums for help. Thus, here I am.

 

To say I was unimpressed with the support I have received is an understatement of the year. I do not consider working email a customization.

 

That is like buying a car and saying the headlights are a customization.

 

So now I am to go back to the people who told me to pretty much get lost? Yeah, right.

 

 

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

What I can't figure out is why a cowboy accountant knows more about SPF than actual internet experts? That is just embarrassing.

 

I actually have to experiment like I am a pioneer searching for the cure for cancer. Like no one has ever asked this question before.

Resolver I

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I'm working on my SPF settings as well and found this post at least helped get the gmail question mark removed from my emails. Thanks for sharing your troubles in the community, please keep doing so. I am currently using this which fails the kitterman SPF test but passes gmail SPF check:

 

v=spf1 a mx include:secureserver.net -all

 

To avoid confusion it is the same as this with the plus signs, plus means pass, minus means fail as in fail all others at the end -all:

 

v=spf1 +a +mx +include:secureserver.net -all

 

The SPF Test at kitterman.com fails with an error Too Many DNS lookups (12).  If I remove one of the 'mechanisms' as the specs call them, remove the +a or the +mx for example, then I pass the kitterman test indicating fewer DNS lookups. So I moved from 12 to under 10 lookups per the kitterman.com test (I assume the number of A records are the underlying cause).

 

Gmail doesn't seem to care that I have 12 lookups. When I send myself an email I can click the down arrow >> show original in gmail and see the line mentioned by others in this post. I was thinking to try to get under 10 lookups, but just now decided to give it a rest and move onto DKIM.

 

If you have a post on DKIM using Outlook and a dedicated server please post a link here or message me. I think most people looking at SPF will be looking for that info next.

 

Just a side note. At one point I was using this as an SPF record which has redundant lookups. It shows the use of ? question mark as a neutral result versus a pass on the Godaddy mail server CIDR 208.109.80.0/22 and mail server domain name secureserver.net. The point being that if mail was really originating from my server then it should be covered by the +a, +mx, and +ip4 domain IP address. But that is not happening and I have to assume it's just the way the servers are set up. DON'T USE THIS ONE.

 

v=spf1 +a +mx +ip4:123.12.12.1123 ?ip4:208.109.80.0/22 ?include:secureserver.net -all

 

SPF Test.
http://www.kitterman.com/spf/validate.html

SPF Record Syntax
http://www.openspf.org/SPF_Record_Syntax

 

.....................................................................................
Domainer, Web Developer, JohnNapoletano.com

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I can confirm that this "v=spf1 a mx ptr include:secureserver.net ~all" does NOT work on any of my GoDaddy cPanel email accounts. However, this "v=spf1 mx include:secureserver.net -all" does seem to work. 

 

Why? Is the information JesseW provided inaccurate?

Moderator

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Hey @idealynx,

 

The info provided earlier should be accurate. If the WorkSpace SPF is what's working for your domain, sounds like you have both WorkSpace and cPanel mail setup on the domain name, which will cause conflicts. You'll need to remove the WorkSpace account so that the cPanel SPF can function properly. 

 

CG - GoDaddy | Community Moderator
24/7 support available at x.co/247support
Resolver I

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Hi @CG

 

Any opinion on ~ softfail vs - hardfail?

 

  • cPanel Email: v=spf1 a mx ptr include:secureserver.net ~all
  • cPanel Email: v=spf1 a mx ptr include:secureserver.net -all

For some reason softfail was recommended above. Personally I agree with those who say SPF is useless if you don't hardfail. I will of course change that opinion if I start getting indications that my mail is not getting through LOL.

 

A followup from my previous post above I am now using this on my cPanel email:

 

v=spf1 a mx ptr include:secureserver.net -all

 

I removed the hard coded IP address and added the ptr lookup. I added the PTR because I had server reboot issues that were defaulting my email headers back to the default hostname. I think PTR might help with that if the mistake happens again. My SPF record will fail the online lookup tests with a greater than 10 lookups warning. Gmail doesn't care and shows a "pass" next to SPF check. I have received postmaster notices from spammer/hacker failures which is reassuring.

 

I also have a DMARC entry in my DNS zone tied to a postmaster alias/forwarder email address. Some mail servers will notify you, others won't, when there is an SPF failure. Here's an example but don't forget to replace the yourdomain.tld and add that postmaster forwarder.

 

_dmarc  14400 IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.tld"

.....................................................................................
Domainer, Web Developer, JohnNapoletano.com
Moderator

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Hey @JohnN,

 

To be honest, I'm probably not the best opinion regarding hardfail vs softfail as I've never had to use an SPF for any of my domains personally. The value I previously recommended was a suggested value that we provide in our own support documentation on the Help Center. However, this would probably make for an interesting topic of discussion with other members who may have experience using both. Perhaps something to consider as I'd be curious to see some more opinions myself.

 

Back to the original matter at hand, glad to hear you've made some progress on your own. Perhaps the values you ended up with will help out others who might be having trouble setting up an SPF within their own cPanel mail accounts. Hopefully some members who try your suggestions will let us know how well it works for them? 

 

CG - GoDaddy | Community Moderator
24/7 support available at x.co/247support

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I'm experiencing the same problem that @WesternGuy was.

Maybe I can explain it a little better.

 

We are using the recommended setup:

v=spf1 mx include:secureserver.net -all

 

The problem with it is this:

An SPF can only have a maximum 10 lookups

"include", "mx", "a", "ptr", and "exists" all count towards the 10 lookups
Any nested lookups in your includes also count towards the limit of 10

 

It's that second part that is causing the problem here.

I'll count the lookups out to show it:

My SPF Record (1) -> mx include:secureserver.net (3)

secureserver.net -> include:spf-ss1.domaincontrol.com (4)

spf-ss1.domaincontrol.com -> include:spf-ss2.domaincontrol.com include:spf.messaging.microsoft.com (6)

spf-ss2.domaincontrol.com -> include:spf-ss3.domaincontrol.com (7)

spf-ss3.domaincontrol.com -> a:spf-a-1.domaincontrol.com (8)

spf.messaging.microsoft.com -> include:spf.protection.outlook.com (9)

spf.protection.outlook.com ->include:spfa.protection.outlook.com (10)

spfa.protection.outlook.com -> include:spfb.protection.outlook.com (11)

 

Here's the problem this causes:

If a match is found in the first 10 lookups - no problem.

If the system has to do an 11th lookup - "soft fail" is returned

That "soft fail" actually is bad in 2 cases:

  1. If a match was in the 11th lookup or later, you're soft failing a message that shouldn't fail at all
  2. If there wasn't going to be a match in the 11th lookup or later, you're ignoring the "-all" and soft failing the message instead of hard failing it.

What we need from GoDaddy to fix the problem:

Remove lookups from your SPF records and replace them with "ip4" or "ip6" or remove the include:spf.messaging.microsoft.com

 

 

Thanks!

Moderator

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Hey @mercraus,

 

First let me say welcome to the community!

 

I had our email teams check and confirm our recommended SPF should only report 9. We even verified with a few test domains. 

 

You may want to make sure you're not adding any extra records which is causing the additional lookups you've indicated.

 

CG - GoDaddy | Community Moderator
24/7 support available at x.co/247support

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Can you show us the verbose output of the 9 entries and the tool used so we can compare please.

New

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

secureserver.net has many includes, that's why it is exceeding the DNS lookup limit:

 

1.  

; <<>> DiG 9.10.3 <<>> secureserver.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24232
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;secureserver.net. IN TXT

;; ANSWER SECTION:
secureserver.net. 3333 IN TXT "IPROTA_D17772-XXX.TXT"
secureserver.net. 3333 IN TXT "google-site-verification=j69AKsEjg61mFSXTyJPzvpL1eYRp60akMqRxa4XAuLM"
secureserver.net. 3333 IN TXT "MS=ms16109570"
secureserver.net. 3333 IN TXT "google-site-verification=GsYntSQyy_tSrRvMasP01vF3DBuaZMp1FHSkxva6E-I"
secureserver.net. 3333 IN TXT "v=spf1 ip4:207.200.21.144/28 ip4:12.151.77.31 ip4:69.64.33.132 ip4:68.233.77.16 ip4:184.168.131.0/24 ip4:173.201.192.0/24 ip4:182.50.132.0/24 ip4:170.146.0.0/16 ip4:174.128.1.0/24 ip4:173.201.193.0/24 include:spf-ss1.domaincontrol.com -all"

 

 

2.  

; <<>> DiG 9.10.3 <<>> spf-ss1.domaincontrol.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;spf-ss1.domaincontrol.com. IN TXT

;; ANSWER SECTION:
spf-ss1.domaincontrol.com. 104 IN TXT "v=spf1 ip4:174.128.7.0/24 ip4:206.252.132.65 ip4:24.75.14.201 ip4:144.202.243.25 ip4:68.232.128.0/19 ip4:216.55.155.13 ip4:216.55.162.41 ip4:195.246.112.0/24 include:spf-ss2.domaincontrol.com include:spf.messaging.microsoft.com -all"

 

3.

; <<>> DiG 9.10.3 <<>> spf-ss2.domaincontrol.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47074
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;spf-ss2.domaincontrol.com. IN TXT

;; ANSWER SECTION:
spf-ss2.domaincontrol.com. 256 IN TXT "v=spf1 ip4:216.69.160.6 ip4:66.246.252.57 ip4:216.242.235.41 ip4:207.71.241.81 ip4:4.79.224.144/29 ip4:68.178.252.0/24 ip4:208.109.0.0/16 ip4:64.202.160.0/19 ip4:68.178.232.0/24 ip4:72.167.0.0/16 ip4:66.98.158.77 include:spf-ss3.domaincontrol.com -all"

 

3a.

; <<>> DiG 9.10.3 <<>> spf.messaging.microsoft.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50622
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;spf.messaging.microsoft.com. IN TXT

;; ANSWER SECTION:
spf.messaging.microsoft.com. 2435 IN TXT "v=spf1 include:spf.protection.outlook.com -all"

 

4.

; <<>> DiG 9.10.3 <<>> spf-ss3.domaincontrol.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6374
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;spf-ss3.domaincontrol.com. IN TXT

;; ANSWER SECTION:
spf-ss3.domaincontrol.com. 600 IN TXT "v=spf1 ip4:188.121.32.0/19 ip4:97.74.135.0/24 ip4:182.50.144.0/24 ip4:68.178.213.0/24 ip4:198.71.224.0/24 ip4:198.71.225.0/24 ip4:198.71.244.0/25 ip4:198.71.245.0/25 ip4:198.71.246.0/25 ip4:198.71.247.0/25 a:spf-a-1.domaincontrol.com -all"

 

 

I had to use "spf-ss2.domaincontrol.com", if the only include in your spf record is "secureserver.net" then that's fine but if you're including things like O365, CRM tools, etc; then secureserver.net has too many includes.
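Added example (not part of any post in this thread, and not GoDaddy's or any validator's code): a small Python model of the lookup counting discussed in the posts above, using the RFC 7208 rule that `include`, `a`, `mx`, `ptr`, `exists` and `redirect` terms are limited to 10 per check and that exceeding the limit yields permerror. The zone is abridged from the dig output quoted above; `example.test`, the address data, the function names and the bodies of the three `*.protection.outlook.com` records are assumptions made for illustration.

```python
import ipaddress

# Constructed zone, abridged from the dig output and include chain quoted in
# this thread: one ip4 range kept per record, every lookup-causing term kept.
# The bodies of the three *.protection.outlook.com records are assumptions.
ZONE_TXT = {
    "secureserver.net": "v=spf1 ip4:173.201.192.0/24 include:spf-ss1.domaincontrol.com -all",
    "spf-ss1.domaincontrol.com": "v=spf1 ip4:68.232.128.0/19 include:spf-ss2.domaincontrol.com"
                                 " include:spf.messaging.microsoft.com -all",
    "spf-ss2.domaincontrol.com": "v=spf1 ip4:68.178.252.0/24 include:spf-ss3.domaincontrol.com -all",
    "spf-ss3.domaincontrol.com": "v=spf1 ip4:188.121.32.0/19 a:spf-a-1.domaincontrol.com -all",
    "spf.messaging.microsoft.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 include:spfa.protection.outlook.com -all",
    "spfa.protection.outlook.com": "v=spf1 include:spfb.protection.outlook.com -all",
    "spfb.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
# Constructed address data for the a/mx mechanisms (example.test is hypothetical).
ZONE_ADDR = {
    ("a", "example.test"): ["198.51.100.10"],
    ("mx", "example.test"): ["198.51.100.10"],
    ("a", "spf-a-1.domaincontrol.com"): [],  # reported as unresolvable in the thread
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised when evaluation must stop with a permanent error."""


def parse(record):
    """Split an SPF record into (qualifier, name, argument) terms."""
    terms = []
    for tok in record.split()[1:]:          # skip the leading "v=spf1"
        qual = "+"                          # default qualifier is pass
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        name, sep, arg = tok.partition(":")
        if not sep:                         # modifiers use "=", e.g. redirect=
            name, _, arg = tok.partition("=")
        terms.append((qual, name.lower(), arg))
    return terms


def count_lookup_terms(record, depth=0):
    """Worst-case count of lookup-causing terms, following nested includes."""
    if depth > MAX_LOOKUPS:
        raise PermError("include chain too deep")
    total = 0
    for _qual, name, arg in parse(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookup_terms(ZONE_TXT.get(arg, "v=spf1"), depth + 1)
    return total


def _check(addr, domain, record, budget):
    """Left-to-right evaluation; stops at the first matching mechanism."""
    for qual, name, arg in parse(record):
        if name in LOOKUP_TERMS:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                raise PermError("Too many DNS lookups")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = str(addr) in ZONE_ADDR.get((name, arg or domain), ())
        elif name == "include":
            inner = ZONE_TXT.get(arg)
            if inner is None:
                raise PermError("include target has no SPF record")
            # An include matches only when the nested check returns pass.
            matched = _check(addr, arg, inner, budget) == "pass"
        else:
            matched = False  # ptr, exists, redirect: counted, not evaluated here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def evaluate(ip, record, domain="example.test"):
    """Return (result, lookup terms consumed) for a sender IP and a top-level record."""
    budget = [0]
    try:
        result = _check(ipaddress.ip_address(ip), domain, record, budget)
    except PermError:
        result = "permerror"
    return result, budget[0]


if __name__ == "__main__":
    for rec in ("v=spf1 include:secureserver.net -all",
                "v=spf1 mx include:secureserver.net -all",
                "v=spf1 a mx include:secureserver.net -all"):
        print(count_lookup_terms(rec), rec)
        for ip in ("173.201.192.235", "192.0.2.5", "203.0.113.9"):
            print("   ", ip, evaluate(ip, rec))
```

In this model a sender that matches early in the chain passes after a few lookups, while both a sender listed only in the last include and a sender listed nowhere end in permerror once the record carries 11 lookup terms, so the `-all` is never reached.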

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

We've just bumped into the exact same problem.  We're sending email (via outlook) to one of our customers and they are rejecting due to exceeding DNS lookups on SPF.

 

I totally concur with anon1 with the lookup analysis.  You're using 9 of the allowed 10 lookups

 

If you are also sending mail through sendgrid, mailgun, etc, then you're completely over the limit.

 

Clearly, someone thought it was clever to nest the includes (and carefully made sure not to use up all 10 lookups).  Why not nest to two or three lookups? 

 

OK, so given that adding GoDaddy SPF is no longer feasible, how does that affect email deliverability? We have to include sendgrid, or mailgun, perhaps a couple of custom servers but if we omit secureserver.net, then we can't use "-all".  We have to use "~all".  Doesn't that then open us to abuses from spammers because they can spoof emails from our domains?

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Godaddy, what is the solution here?

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I was assisting someone with a GoDaddy domain who was running into this issue.  While examining the DNS records for secureserver.net, I found that the MX record for secureserver.net is pointing to Office 365.  My nslookup is below:

H:\>nslookup -type=mx secureserver.net 8.8.8.8

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

secureserver.net        MX preference = 0, mail exchanger = secureserver-net.mail.protection.outlook.com

 

Based on this, I would presume that secureserver.net was migrated to Office 365 at some point.  If that's the case, then the only SPF records that should exist for secureserver.net are the ones required for Office 365:

https://support.office.com/en-us/article/External-Domain-Name-System-records-for-Office-365-c0531a6f...

 

Since secureserver.net is already authorized with Office 365 (via the MS txt record MS=ms16109570), then a workaround for this issue should be to just use the Office 365 SPF record:

v=spf1 include:spf.protection.outlook.com -all

 

We just implemented the workaround, and are waiting for the revised record to replicate across the Internet, but it should work.

 

As an aside: One of the nested DNS records, spf-a-1.domaincontrol.com, is actually not resolvable, which I'm sure isn't helping either:

 

secureserver.net => spf-ss1.domaincontrol.com => spf-ss2.domaincontrol.com => spf-ss3.domaincontrol.com => spf-a-1.domaincontrol.com

 

 

And, if GoDaddy is watching this thread, perhaps they can confirm that domaincontrol.com is not used for their mail system (as its MX records are pointing to secureserver.net), and therefore these recursive spf-ss#.domaincontrol.com are recursive and are just magnifying the problem.

Employee

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?


The recommended SPF record for our Workspace, GEM, and Hosting customers is:

 

v=spf1 include:secureserver.net -all

 

This record encompasses all of the outbound MTAs that our customer's mail could go out of from our environments. The -all signifies that mail coming from outside of the ranges included in the record should be rejected.

 

secureserver.net currently uses 8 DNS queries, add that to the one for the customer's domain, and it brings the total to 9, leaving one to spare.

 

This record works for the vast majority of our customers, who use our suite of email products.

A possible issue could arise if a customer uses our products, but also requires including third party ESPs in their SPF. If the additional senders require more than one lookup, it could bring the total lookups above the max of 10. This is less than ideal for some of our customers, and I will consult with the DNS folks to see if there is any way we can flatten the secureserver.net record any more.

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

@M_H Thanks for looking into it. There's two I can see right off the bat:

  • The secureserver.net SPF record includes 173.201.192.0/24 and 173.201.193.0/24. This can be consolidated to 173.201.192.0/23
  • The spf-ss3.domaincontrol.com SPF record includes 198.71.224.0/24 and 198.71.225.0/24. This can also be consolidated to 198.71.224.0/23
  • The spf-ss3.domaincontrol.com SPF record also includes 198.71.244.0/25, 198.71.245.0/25, 198.71.246.0/25, and 198.71.247.0/25. If GoDaddy owns the other half of those ranges, this can be consolidated to 198.71.244.0/22
  • The spf-ss1.domaincontrol.com record includes spf.messaging.microsoft.com. This is a legacy record from the old Forefront Online Protection hosted system, and only serves as a pointer to Microsoft's current record, spf.protection.outlook.com. The number of recursive queries can be reduced by replacing the legacy record with the current one: https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

Some long term ideas would involve some infrastructure work. If the IP range of the servers were consolidated into their own subnet, fewer includes would be needed in the SPF record, as the include would encompass more addresses. The other would be to separate the mail systems used by Workspace, GEM, and Hosting customers so that they each have their own mail domain, with their own SPF records, thereby reducing the recursive queries.

Thanks again for looking into it.
Helper I

SPF Records, Gmail, and GoDaddy VPS sent email

We have a client who uses gmail for their business email, and a GoDaddy VPS for their website hosting. That VPS also sends email on behalf of their business (order receipts, tracking numbers, etc).

Because GoDaddy forces the VPS to relay through *.secureserver.net, that needs to be part of the SPF record for the domain. Google needs to be in there as well, however.

The correct SPF record for Gmail is:
v=spf1 include:_spf.google.com ~all

The correct SPF record for GoDaddy's relay farm is:
v=spf1 include:secureserver.net ~all

The correct SPF record for both *should* be:
v=spf1 include:_spf.google.com include:secureserver.net ~all

...but due to the way *.secureserver.net DNS is set up, that results in too many DNS lookups, and a voided SPF record (permfail)

What is the correct SPF record for sending mail on behalf of a domain for both from Gmail and from a GoDaddy VPS account?

If there is no such valid record, what can be done to work around this?

Helper I

Re: SPF Records, Gmail, and GoDaddy VPS sent email

A quick test has shown that even the correct (?) SPF record for just secureserver.net still permfails with too many DNS lookups.

Helper I

Re: SPF Records, Gmail, and GoDaddy VPS sent email

GoDaddy chat support gave us the following:

v=spf1 a mx ptr a:dedrelay.secureserver.net include:secureserver.net ~all

but that too results in too many lookups.. and that's before adding in gmail

Resolver I

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I have a dedicated server with GoDaddy, Please make a dedicated server specific SPF entry recommendation for me. Since commenting months ago I've learned that the IP4 mechanism does not count as a lookup, and the A, MX, and PTR entries I was using are redundant if I have the IP4 address listed. So does this make sense for a dedicated server with Local Mail Exchanger set in WHM?  

 

v=spf1 ip4:123.123.123.123 include:secureserver.net -all

 

IP4 address is the main IP for the server, which shows as the originating IP when I view the Gmail receiving headers as a test.

 

Second example has two IP4 addresses, still no additional DNS lookups.

 

v=spf1 ip4:123.123.123.123 ip4:456.456.456.456 include:secureserver.net -all

 

 

The second IP address could be an IP address assigned to a specific website, a dedicated IP address, or a dedicated IP address in someone's home office given to them by Verizon for example. I say this because many people use Outlook to remote connect to their server/website to read and send mail. The remote IP address shows up in the email headers when viewed in Gmail.

 

In other words, do Gmail, Hotmail, etc also evaluate the originating IP address and not just the secureserver.net IP list? Godaddy dedicated server specific. I know others use different setups.

 

Thanks for your time.

.....................................................................................
Domainer, Web Developer, JohnNapoletano.com
Resolver I

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

The below settings have been working well on a Godaddy dedicated server with Local Mail Exchanger set in WHM. You will need 3 TXT DNS entries. One for the domain name, second for the host name, third for the dmarc entry.

 

yourdomain.com. 14400 IN TXT "v=spf1 ip4:111.111.111.111 include:secureserver.net -all"

 

hostname 14400 IN TXT "v=spf1 ip4:111.111.111.111 include:secureserver.net -all"

 

_dmarc 14400 IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com"

 

Enter all three TXT records on the same DNS zone for yourdomain.com and watch out for those periods. Hostname in the above example is whatever hostname you setup for the server, which should already have an A record in your DNS zone file. If you don't add the host TXT record and your server sends email from host.yourdomain.com then Google will fail it. IP4 address should also have an existing DNS record to match.

 

The dmarc TXT entry tells the mail servers to send you an xml file each day they have activity from your server. You can do this to test, then once you are confident change the dmarc entry parameters to stop receiving the emails. This is how I know it works, because I get SPF pass/fail notices from Google, yahoo, etc.

 

Don't forget to create the email account or alias "postmaster" or else you will get no mail. 

 

Good luck!

.....................................................................................
Domainer, Web Developer, JohnNapoletano.com

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Try this, it passes for me with a VPS:

v=spf1 mx a a:dedrelay.secureserver.net -all

 

http://www.kitterman.com/recordcheck.py

Input accepted, querying now...
evaluating v=spf1 mx a a:dedrelay.secureserver.net -all ...
SPF record passed validation test with pySPF (Python SPF library)!

 

 

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I just called in with this issue.  This is giving us email delivery problems.  We have a support system that we need to add to our SPF record (Zendesk), a 3rd bulk email service (Postmark), and ... Godaddy.

 

Would configuring our own name servers in WHM overcome this limitation?  We have a VPS hosting account with Godaddy, but we are not using our own name servers for DNS management.  Godaddy still manages our email with their name servers through the Godaddy Domain Manager > DNS Management portal.

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

I got Wayde from GoDaddy hosting support on the phone, and he was beyond helpful.  Yes, we could completely eliminate the secureserver.net inclusion if we took over management of our email server / DNS Zone settings by changing the name servers to point to our VPS account (or a dedicated host account).

 

This is also a potential solution for any others.  Manage your own email server (whether or not that server is hosted by Godaddy).

 

But, he also confirmed that (in almost every case) receiving email servers will look up records in the order in which they are presented in the SPF file.  So, just be sure to have secureserver.net as the LAST inclusion in the SPF record.  For us, the most important emails are not sent out from our outlook accounts, but through PostMark and Zendesk.

 

So I think for us, a small % chance that some mid to low importance emails will occasionally soft fail SPF and slightly affect delivery probability, is better than managing our own email server.  Your mileage may vary.

Wayde also said that secureserver.net was set in stone at 9 DNS lookups.

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Well, now I have conflicting information from Postmark, who says that if you have more than 10 DNS lookups in a DNS record, it will fail every time regardless of order.  So now I don't know what to believe.

 

But based on continued tests from mail-tester.com, I'm inclined to believe Postmark.

 

So we are back to square 1...

Employee

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

Just to let you know, today a change went out for the secureserver.net SPF record, that greatly reduces the number of DNS lookups. It now requires 4 DNS lookups, plus your domain, which should leave 5 queries available to add third party includes, if necessary. 

Re: What are the correct GoDaddy SPF Settings For DNS to send mail?

1. secureserver.net

2. spf1.secureserver.net

3. spf.protection.outlook.com

4. spfa.protection.outlook.com

5. spfb.protection.outlook.com

 

So, 5 + your own domain, not 4+1, but still, thanks for the progress.