I’d just like to comment on how SPF actually works, so that hopefully you can get a feel for what the records mean.
I’m going to use the openspf record to explain what the different parts mean.
SPF is used to tell a mail exchanger - that is the inbound server that handles your mail - what IP addresses your outbound mail servers sit on. It has a number of different mechanisms to do this, and each term is resolved in turn until you get to the final all term, which identifies what to do when the IP address doesn’t match any of the previous mechanisms.
I do see a number of SPF records in the wild that look like they may have been generated by an automated service such as openspf’s, and I wouldn’t decry using such services. Nonetheless understanding each term can be beneficial.
Each term in an SPF record has 4 possibilities:
+ allow
- hard fail
~ soft fail
? neutral
If there is no preceding term before an entry then allow is presumed.
So looking at the proposed record:
v=spf1 mx a:box.onevoix.com -all
v=spf1 is the SPF version.
mx = use the MX record found in your domain’s DNS record
a:box.onevoix.com = use the A record (IPv4 address) for the DNS record box.onevoix.com
-all = reject all other IP addresses with a hard fail.
The inbound mail server will parse each entry and compare it. Let’s use nslookup to demonstrate.
C:\Users\timdu>nslookup -type=mx onevoix.com
Server: cache1.service.virginmedia.net
Address: 194.168.4.100
Non-authoritative answer:
onevoix.com MX preference = 10, mail exchanger = box.onevoix.com
box.onevoix.com internet address = 172.104.117.8
So if the inbound IP address matches 172.104.117.8 then we get an SPF pass, and nothing more happens.
If it didn’t match, we’d move on to the next term, which is the A record for box.onevoix.com.
C:\Users\timdu>nslookup -type=A box.onevoix.com
Server: cache1.service.virginmedia.net
Address: 194.168.4.100
Non-authoritative answer:
Name: box.onevoix.com
Address: 172.104.117.8
Again this resolves to 172.104.117.8, so in this case this is a redundant entry: if we get a pass on the first term we’d not get here, but if the IP didn’t match in the first case it wouldn’t match here either.
Finally, if none of the previous terms match, we get the last entry:
-all
Which in this case tells the inbound server to fail the mail.
In the original SPF specification there was no actual specification as to what the inbound server should do if the mail failed SPF checks.
Also note that SPF on its own does not survive a situation where someone has mail to their domain being forwarded to a third party’s servers, because the mail exchanger ONLY looks at the address of the server it is connected to.
Finally, DMARC, which is used to set a policy for failed mails sent from your domain, also has a check to make sure that the domains used by DKIM and SPF match the From: address in the mail.
For example, if the envelope sender uses the domain example.com and the From: address uses the domain other.com, the mail would fail because the domains are different.
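The term-by-term SPF evaluation described in this post, as an added example that is not part of the original post: a small Python evaluator that stops at the first matching term and returns the result its qualifier selects. It handles only the all, a, mx and ip4 mechanisms (ip4 goes beyond the record discussed here), reads DNS answers from a table copied from the nslookup output above instead of querying the network, and its function names and the 203.0.113.5 test address are assumptions.

```python
import ipaddress

# Qualifier character -> SPF result; a term with no qualifier is treated as "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Stand-in for DNS, built from the nslookup output in the post (no network access).
DNS = {
    "MX": {"onevoix.com": ["box.onevoix.com"]},
    "A": {"box.onevoix.com": ["172.104.117.8"]},
}


def mechanism_matches(mech, sender_ip, domain, dns):
    """Return True if one mechanism (qualifier already stripped) covers sender_ip."""
    name, _, arg = mech.partition(":")
    name, target = name.lower(), arg or domain
    if name == "all":
        return True
    if name == "ip4":
        return sender_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        addrs = dns["A"].get(target, [])
    elif name == "mx":
        # Resolve each mail exchanger name to its addresses.
        addrs = [ip for host in dns["MX"].get(target, []) for ip in dns["A"].get(host, [])]
    else:
        raise ValueError(f"mechanism not handled in this sketch: {mech}")
    return any(sender_ip == ipaddress.ip_address(a) for a in addrs)


def check_spf(record, sender_ip, domain, dns=DNS):
    """Evaluate terms left to right; return (result, matching term)."""
    version, *terms = record.split()
    if version != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mechanism_matches(mech, ip, domain, dns):
            return QUALIFIERS[qualifier], term
    # No term matched and the record has no "all": the result is neutral.
    return "neutral", None


if __name__ == "__main__":
    record = "v=spf1 mx a:box.onevoix.com -all"
    for ip in ("172.104.117.8", "203.0.113.5"):  # second address is constructed
        print(ip, check_spf(record, ip, "onevoix.com"))
```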