Email - MX Records vs. SPF Records

I’m not sure this is the right forum for this question but I get good advice from this community so here goes.

I’m trying to set up a Google Apps for Business account for a client and they want to perform certain duties using the email management features on the Google side.

I THINK I know “technically” what the difference is between SPF records and MX records on their host’s account (Godaddy), but can someone correct me if I’m wrong?

My understanding is as follows:
SPF Record = a value on the host’s server (server1) that basically validates another email server (server2) to be able to send email as though it is coming from server1. So when some other server (server3) receives email from (server1) it can verify with (server2) that this is actually an authorized sending server and not flag the message as spam.

MX Record = values to tell the host what server (remote or local) to use to send emails.

Is this right?

Also, if it is…and any of you are familiar with the Google Apps for business…what’s the big difference if I just continue to use Godaddy’s mail servers and authorize Google’s mail servers using SPF Record…vs changing the MX records to Google’s servers on Godaddy?

Thanks.

Yep, that’s pretty much correct for the DNS information. Just to clarify:

The MX record contains the DNS information for the mail server.

The SPF records (or TXT records) contain information on which hosts are allowed to send mail out from a domain. This is used by other mail servers and spam filters to verify that the mail being received from the xyz.com domain is authorized to be sent out from the xyz.com domain.

As for which will act as the actual mail server, that depends on how you have things set up, and if you have to migrate mailboxes.

An SPF record is basically just a TXT DNS record. This TXT record just lists what servers (IP addresses) are supposed to be capable of sending legitimate mail for your domain name.

So, for example, say you have the domain name example.tld and in the DNS entry for example.tld you list the IP address of 192.168.0.1 as being the only IP address that should ever legitimately send out mail from example.tld.

Now when you send out an email, through 192.168.0.1, to someone with an @gmail.com email address, the Google servers will receive the mail, see that it came from 192.168.0.1, check the SPF record for example.tld and see that 192.168.0.1 is in fact a legitimate sending source. Google’s servers will likely let this message through (although other spam factors will also come into play).

But if someone else tries to spoof your example.tld domain name and sends out mail from another source, say 10.0.0.1, then when Google’s mail servers receive this message, they will see it came from 10.0.0.1, they will check the SPF record for example.tld, and they will find that 10.0.0.1 is NOT a legitimate mail sending source. Google will likely flag this message as spam.

SPF depends on a lot of factors. A lot depends on the modifiers that you use for your SPF record. For more information on this, see:

http://www.openspf.org/SPF_Record_Syntax

In my opinion, the only two modifiers that you should have are Pass (+) and Fail (-). As an administrator of the server and the domain name, you should know exactly what IP addresses are going to be sending out legitimate mail from your domain name. If you don’t know this, then you may need to take another look at your mail sending policies. Once you know exactly what IP addresses are going to be sending out legitimate mail from your domain name, then no other IP addresses should be authorized to send out mail, thus the -all modifier should be used. This would, in essence, tell receiving mail servers that if the message from example.tld was not sent from one of the listed IP addresses in the SPF record, then it should be rejected as spam because it wasn’t authorized.
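To make the distinction in the two answers above concrete (MX says where mail for a domain is delivered; SPF says which sources may send as that domain, and the trailing all qualifier decides what happens to everything else), here is an added example that is not code from this thread or from either poster. It evaluates a sender IP against an SPF record the way a receiving server would, using a small in-memory DNS zone built to match the example.tld scenario; the contents of _spf.google.com and all IP addresses are constructed stand-ins, and only a subset of the RFC 7208 mechanisms (ip4, ip6, a, mx, include, all) is implemented, with no macros, redirect, ptr or exists.

```python
"""Toy SPF evaluator over a constructed, in-memory DNS zone (added example)."""
import ipaddress

# Constructed zone standing in for what a resolver would return. Not real DNS;
# the _spf.google.com record here is an assumed stand-in, not Google's record.
ZONE = {
    "example.tld": {
        "MX": ["mail.example.tld"],  # where inbound mail for example.tld is delivered
        "TXT": ["v=spf1 ip4:192.168.0.1 include:_spf.google.com -all"],
        "A": ["192.168.0.1"],
    },
    "mail.example.tld": {"A": ["192.168.0.1"]},
    "_spf.google.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    # A second domain that authorizes whatever its MX hosts resolve to, with softfail.
    "other.tld": {"MX": ["mail.example.tld"], "TXT": ["v=spf1 mx ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of one type for a name, or [] when none exist."""
    return ZONE.get(name, {}).get(rtype, [])


def inbound_mail_hosts(domain):
    """MX answers: the hosts that *receive* mail for the domain (nothing to do with sending)."""
    return lookup(domain, "MX")


def get_spf(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def ip_in(ip, network):
    """True when ip lies in network; a v4/v6 mismatch simply does not match."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate SPF for sender `ip` claiming `domain` (subset of RFC 7208 check_host)."""
    if depth > 10:  # RFC 7208 caps DNS-triggering terms; recursion guard for include:
        return "permerror"
    record = get_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True  # matches every sender; its qualifier is the default verdict
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ip_in(ip, a) for h in hosts for a in lookup(h, "A"))
        elif mech == "include":
            # include: only a "pass" from the referenced domain counts as a match
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


if __name__ == "__main__":
    for sender in ("192.168.0.1", "203.0.113.5", "10.0.0.1"):
        print(sender, "->", check_host(sender, "example.tld"))
    print("MX for example.tld:", inbound_mail_hosts("example.tld"))
```

Running it shows the thread's cases: 192.168.0.1 passes via the ip4 term, a constructed Google-range address 203.0.113.5 passes only through the include, and 10.0.0.1 reaches -all and fails. The MX answer for example.tld never changes across these checks, which is the point of the OP's question: authorizing Google's servers in SPF lets them send as the domain, while the MX record still decides where mail addressed to the domain is delivered.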

Force Flow and sparek…my sincere thanks for your quick and informative responses.
I feel a lot more comfortable proceeding now.

Thanks again!