Is this just me being picky, or might arpnetworks.com benefit from an updated spf record?
what's your complaint about the spf record?
jdoe: It only refers to the mx record, which doesn't seem to be the smtp server being used to send mails.
Doesn't affect auto-generated mails, as those seem to use @ice.arpnetworks.com in the SMTP-envelope, which doesn't have any spf record.
Not that it is much of an issue for @arpnetworks.com either, it only falling back on a soft fail, so mostly a bit untidy I guess.
toddf: Haven't gotten that deep into the rabbit hole yet.
andol: heh
andol: it hasn't been a big itch
andol: ice uses mail2 as its mail relay, so it should appear that mail2 is the sender (even if originated at ice)
up_the_irons: Agree it not being a big problem, but if you are not going to use spf in a useful manner, why even bother having the dns entry?
Not that it is really a problem for me, mostly curious.
andol: it was useful at the time when i set it up :)
andol: to be honest, i thought it was still "working"
andol: i'm open to suggestions on changes... spf record knowledge isn't a strong point of mine
up_the_irons: Well, unless you want to pay a bit of attention to keeping it updated I would probably just have skipped using SPF completely.
Otherwise my personal preference is using SPF in a pure whitelisting sense, falling back on a neutral ?all.
andol: i thought it _was_ updated; our mx _does_ send emails
up_the_irons: Well, the e-mails I got from you didn't come from mail.mailroute.net anyway.
although, now that i think about it, mailroute is the mx and mail2.arp can also send...
i can't remember the good spf record generator i used once...
(Never understood why people would use the ~all softfail for long term use. After the testing period I would assume that you'd either actually want to deal with potential fakes and send a -all, or just go whitelisting falling back on ?all.)
probably b/c they don't fully understand ~all softfail (like me :)
Could be :) Also, I guess most examples I've seen include the ~all.
andol: i think you might prefer: "v=spf1 mx a:mail2.arpnetworks.com include:tenderapp.com ~all"
i should test that for now...
up_the_irons: Yepp, looks good :)
Well, the tenderapp.com record isn't primarily made to be included, but with the current setup that isn't a problem, but if you want to add a -all at the end it won't have any effect.
...or might not
The thing about includes isn't as much that they are included as that they are evaluated.
andol: tender says to add "include:tenderapp.com" so i did :)
right now, the record is: v=spf1 mx a:mail.arpnetworks.com a:mail2.arpnetworks.com include:tenderapp.com ~all
so i'll leave it like that for a few days to test it out
Well, turns out that I was in the wrong about the last part anyway. Turns out that in an include a fail, softfail and a neutral are all equal, in not triggering a match.
ah
(RFC 4408: chapter 5.2)
be careful about includes. if a domain you include doesn't have an SPF record, your soft fail turns into a hard fail.
jdoe: Isn't it more like causing a PermError? Not that that is any better.
andol: it causes a perm error, which often causes things to reject (like gmail) so I'm using terminology a bit loosely :P
Well, if nothing else tenderapp.com seems to be using a solid DNS hosting.
jdoe: tenderapp is all about emails, pretty sure their SPF record will stay good.