I have a forwarding domain (forwardingdomain.org > actual-website.org) for which I have email forwarders set up. To reduce spamming/spoofing of my email forwarders, I would like to set up a correct SPF TXT record in the domain’s DNS.
I have an SPF TXT record set up in the DNS, however, recently I’ve received scam/ransomware/spam emails that appear to be coming from email forwarders of the forwarding domain. So, that SPF record may not be working. I’ve successfully set up an SPF TXT record for domains that have a website associated with them (i.e., I can use a server IP in the SPF record). For this domain, however, since it’s forwarding, it’s not clear what IP I should use.
Here’s the current SPF record (I don’t remember adding this myself; it may have gotten generated by itself):
Type: TXT
Host: @
Value: v=spf1 a mx include:sendgrid.net ~all
Expected result: No more scam/spam/ransomware emails should be coming in that appear as if they were sent from my email forwarders.
Actual result: Scam/spam/ransomware emails are coming in, appearing to be sent from my email forwarders.
Firstly I would recommend adding an "include" mechanism to pull in IPs from your forwarding domain.

Next, you have a "~all" default mechanism, which means that forged messages will not be rejected, just marked as non-compliant (softfail). This is the correct setting if you are still testing your configuration or you are using DMARC.

With DMARC, the softfail can be turned into a full rejection, and this is generally considered better than using "-all" because it retains DMARC’s other semantics.
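A worked evaluation of the record in the question, as an added example that is not part of the question or of the answer above. It is a small Python SPF checker (RFC 7208 subset: ip4, a, mx, include, all and the four qualifiers) with DNS replaced by a constructed in-memory table, so it runs offline; the hostnames, the documentation-range addresses and the sendgrid.net record in that table are made up for illustration and are not real records. It shows how "include" pulls in another domain's permitted senders and how swapping "~all" for "-all" changes the verdict for a forged source address. SPF itself only returns a verdict; whether a receiving server rejects a softfail is that server's policy, which is the gap DMARC is meant to close.

```python
"""
Minimal SPF evaluator (RFC 7208 subset) for the mechanisms that appear in
the record under discussion: ip4, a, mx, include and all, with the four
qualifiers "+", "-", "~" and "?".  Added example: DNS is replaced by a
constructed in-memory table so the script runs offline; every hostname,
address and the sendgrid.net record below is made up for illustration.
"""
import ipaddress

# Constructed zone data (assumption, not real DNS).  The MX host of the
# forwarding domain lives at actual-website.org, as in the question.
FAKE_DNS = {
    "forwardingdomain.org": {
        "TXT": ["v=spf1 a mx include:sendgrid.net ~all"],
        "A": ["192.0.2.10"],
        "MX": ["mail.actual-website.org"],
    },
    "mail.actual-website.org": {"A": ["192.0.2.25"]},
    "sendgrid.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    return dns.get(name.lower(), {}).get(rtype, [])


def spf_records(dns, domain):
    """All v=spf1 TXT records published at domain (RFC 7208 allows one)."""
    return [t for t in lookup(dns, domain, "TXT") if t.lower().startswith("v=spf1 ")]


def check_host(dns, ip, domain, depth=0):
    """SPF result for a connection from `ip` using MAIL FROM `domain`."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    records = spf_records(dns, domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = lookup(dns, arg or domain, "A")
            matched = any(ipaddress.ip_address(h) == addr for h in hosts)
        elif name == "mx":
            mx_hosts = lookup(dns, arg or domain, "MX")
            matched = any(
                ipaddress.ip_address(h) == addr
                for mx in mx_hosts for h in lookup(dns, mx, "A")
            )
        elif name == "include":
            # Only a "pass" from the included record matches; its fail or
            # softfail does not, so evaluation continues with the next term.
            matched = check_host(dns, ip, arg, depth + 1) == "pass"
        # Modifiers such as redirect= are not handled here and are skipped.
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no explicit "all"


def verdict_with_default(ip, default_term, dns=FAKE_DNS):
    """Evaluate `ip` against the question's record with `default_term`
    ("~all" or "-all") substituted as the final mechanism."""
    record = "v=spf1 a mx include:sendgrid.net " + default_term
    zone = dict(dns)
    zone["forwardingdomain.org"] = dict(dns["forwardingdomain.org"], TXT=[record])
    return check_host(zone, ip, "forwardingdomain.org")


if __name__ == "__main__":
    for ip, what in [
        ("192.0.2.25", "the domain's MX host"),
        ("198.51.100.7", "a SendGrid address via include"),
        ("203.0.113.9", "a forged source"),
    ]:
        print(f"{ip:15} {what:32} ~all -> {verdict_with_default(ip, '~all'):8} "
              f"-all -> {verdict_with_default(ip, '-all')}")
```

Running the script prints one line per sender: the MX host and the included SendGrid range pass under either default, while the forged source gets softfail with "~all" and fail with "-all". The include branch is the part worth noticing: a "-all" inside sendgrid.net's record does not make the outer record fail, it simply falls through to the outer domain's own "all" term, which is why the outer default decides the verdict for any sender not listed anywhere.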