How to Configure SPF Records for Multiple Domains on a Single Server (Including Gmail as Valid Sender)



When managing email authentication across multiple domains hosted on a single server (a.x.com), SPF configuration requires careful planning. The core challenge is creating a maintainable setup that:

  • Authorizes your primary mail server
  • Includes third-party senders like Gmail
  • Minimizes DNS lookups (SPF's 10-lookup limit)

For your primary domain x.com, use this comprehensive SPF record (192.0.2.1 stands in for your server IP). An SPF record is a single TXT string, so publish it on one line:

v=spf1 ip4:192.0.2.1 include:_spf.google.com include:mailers.x.com -all

For subdomains and secondary domains, implement this lean version:

v=spf1 include:x.com -all

Primary domain (x.com) DNS record:

x.com. IN TXT "v=spf1 ip4:192.0.2.1 include:_spf.google.com include:mailers.x.com -all"

Subdomain (b.x.com) DNS record:

b.x.com. IN TXT "v=spf1 include:x.com -all"

External domain (c.info) DNS record:

c.info. IN TXT "v=spf1 include:x.com -all"

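DNS Lookup Optimization: SPF evaluation is limited to 10 DNS lookups. Each include typically consumes 1-2 lookups: one for the include itself, plus any lookups triggered by mechanisms inside the included record. Those nested lookups count toward the total of every domain that includes x.com, so keeping the x.com record short is what keeps all dependent domains under the limit.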

Gmail Integration: The _spf.google.com include covers all Google Workspace mail servers. For specific Gmail addresses, you might need additional DMARC configuration.

Error Handling: Always test with tools like:

  • MXToolbox SPF Checker
  • Google Admin Toolbox
  • Kitterman SPF Validator

1. Centralized Management: Keep all IP changes in your primary x.com SPF record

2. Version Control: Document changes with timestamps in DNS comments

3. Monitoring: Set up alerts for SPF authentication failures


When hosting multiple domains and subdomains on a single mail server (e.g., a.x.com), we need an SPF configuration that:

  • Authorizes the primary server IP for all hosted domains
  • Allows Gmail's mail servers as valid senders
  • Maintains DNS efficiency through proper record referencing

For your primary domain (x.com), create this TXT record:

v=spf1 ip4:YOUR_SERVER_IP include:_spf.google.com ~all

Replace YOUR_SERVER_IP with your server's actual IP address. The ~all (soft fail) is recommended during initial testing before moving to -all (hard fail).

For each additional domain (e.g., a.co.uk, b.net), create a simple SPF record that references your master configuration:

v=spf1 include:x.com -all

This approach provides several advantages:

  • Centralized SPF policy management
  • Single point for IP updates
  • Consistent authorization rules across all domains

For subdomains under x.com, you have two options:

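Option 1: Wildcard record that points subdomains at the parent policy (recommended)
*.x.com. IN TXT "v=spf1 include:x.com -all"

SPF has no inheritance of its own, so the wildcard is what supplies the record. A DNS wildcard only answers for names that have no records of any type, so a subdomain that already has its own records (A, MX, TXT) still needs an explicit SPF record as in Option 2.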

Option 2: Explicit record for each subdomain
b.x.com. IN TXT "v=spf1 include:x.com -all"

After implementation, verify with these commands:

dig +short TXT x.com
dig +short TXT a.co.uk
nslookup -type=TXT b.x.com

Use online SPF validators to check your configuration against test emails from both your server and Gmail.

For large-scale implementations, consider these optimizations:

; For domains with frequent changes
v=spf1 redirect=x.com

; When using multiple email providers
v=spf1 include:x.com include:mailprovider2.com -all

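Remember that SPF allows at most 10 DNS-querying terms per check (include, a, mx, ptr, exists and redirect), counted across the whole chain of references. Exceeding the limit produces a permanent error rather than a pass, so keep your chain of references simple.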
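
To see how the include chain above adds up, here is an added example (not part of the original article) that counts worst-case SPF lookups over a constructed set of TXT records. The x.com, b.x.com and c.info records are the article's; the contents of _spf.google.com and mailers.x.com and the nb1/nb2.example names are made-up stand-ins, and only the 10-term limit is modeled.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check

# Constructed TXT data. x.com, b.x.com and c.info mirror the article's records;
# the contents of _spf.google.com and mailers.x.com are made-up stand-ins,
# not the records those names really publish.
ZONE = {
    "x.com": "v=spf1 ip4:192.0.2.1 include:_spf.google.com include:mailers.x.com -all",
    "b.x.com": "v=spf1 include:x.com -all",
    "c.info": "v=spf1 include:x.com -all",
    "_spf.google.com": "v=spf1 include:nb1.example include:nb2.example ~all",
    "nb1.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nb2.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "mailers.x.com": "v=spf1 a mx ~all",
}


def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms evaluated for `domain` (no match until the end)."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        mech = re.split(r"[:=/]", term, maxsplit=1)[0]
        if mech in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            # one lookup for the term itself, plus everything inside the target
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif mech in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all need no DNS query
    return total


def over_limit(zone=ZONE):
    """Return the domains whose SPF evaluation could exceed LIMIT (permerror)."""
    return sorted(d for d in zone if count_lookups(d, zone) > LIMIT)


if __name__ == "__main__":
    for name in ("x.com", "b.x.com", "c.info"):
        print(f"{name}: {count_lookups(name)} of {LIMIT} lookups")
```

With this sample data a secondary domain costs one lookup more than x.com itself, which is why adding a second provider include to a secondary record can push it over the limit even when x.com alone is fine.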