Many administrators face issues when trying to authorize dynamic mail servers through SPF records. A common scenario occurs with Google's infrastructure:
v=spf1 include:google.com ~allThis often results in soft fails because Google uses dynamic subdomains like:
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172])SPF records technically don't support traditional wildcards (*.google.com) due to RFC 7208 specifications. However, Google provides special mechanisms to handle their dynamic infrastructure:
v=spf1 include:_spf.google.com ~allThe _spf.google.com record contains all authorized Google mail server IP ranges and is automatically updated by Google.
For major email providers:
- Google: Use
include:_spf.google.com - Microsoft 365: Use
include:spf.protection.outlook.com - Amazon SES: Use
include:amazonses.com
If you're managing your own infrastructure with dynamic subdomains, you have two options:
# Option 1: List all possible CIDR ranges
v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all
# Option 2: Use a dedicated SPF include
v=spf1 include:spf.yourdomain.com ~allAlways verify your SPF records using tools like:
nslookup -type=txt yourdomain.com
dig txt yourdomain.com +shortFor comprehensive testing, use online SPF validators that simulate different mail server scenarios.
- Exceeding the 10 DNS lookup limit
- Using deprecated mechanisms like PTR records
- Mixing hard fails (~) with neutral (?))
Remember that SPF is just one component of email authentication. Always implement DKIM and DMARC for complete protection.
When implementing SPF records, many developers encounter this specific issue with Google's mail infrastructure:
v=spf1 include:google.com ~allYou expect this to cover all Google mail servers, but then find soft fails showing up in your email headers:
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172])Google's actual mail delivery infrastructure uses dynamically named servers that don't always resolve through the base domain's SPF record. The include:google.com mechanism only checks the SPF record published at google.com, which might not cover all their subdomains.
SPF records do not support wildcards in the traditional DNS sense. According to RFC 7208:
- Mechanisms like
a,mx,ptrcan use domain names but don't support wildcards - The
includemechanism requires exact domain matches - Subdomains must be explicitly included in the parent's SPF record
For Google Workspace (formerly G Suite), the proper approach is:
v=spf1 include:_spf.google.com ~allThis special subdomain contains Google's comprehensive SPF record that covers all their mail servers.
The pattern applies to other major email providers. For example:
- Microsoft 365:
include:spf.protection.outlook.com - SendGrid:
include:sendgrid.net - Amazon SES:
include:amazonses.com
For organizations using multiple providers, here's a robust SPF record template:
v=spf1
include:_spf.google.com
include:spf.protection.outlook.com
include:servers.mcsv.net
ip4:192.0.2.0/24
-allAlways validate your SPF records using:
- MXToolbox SPF Checker
- Google Admin Toolbox
- Kitterman SPF Validator