SPF Policies should be included via reuse #100

Open
opened 2026-06-06 16:32:48 +02:00 by lilly · 0 comments
Owner

By now we are managing E-Mail for a bunch of domains. All these domains have their SPF policy in a form similar to below:

```spf
v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all
```

This does not scale very well for organizing changes and is a bit of a magic string that gets copy-pasted.
I propose migrating this to two sets of SPF policies.

  1. The first policy is one that authorizes our mailservers. It is defined exactly once under something like `spf-hosted-on.hamburg.ccc.de` and contains the string shown above or something equivalent.
  2. The other policy is the one used on each domain that needs to send mail. It should contain the string `v=spf1 include:spf-hosted-on.hamburg.ccc.de -all`.

This way we can make changes to our SPF policy more easily in one central location and have them automatically propagate to all domains we host.
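How a receiver would evaluate the proposed two-record layout under RFC 7208, as an added example that is not part of the original issue or the project's code. The domain `hosted.example` and all MX data are constructed. The evaluator covers only the mechanisms used above and shows two `include` semantics to check before migrating: a bare `mx` in the shared record resolves against the included name, and the inner `-all` only produces a non-match.

```python
import ipaddress

# Constructed zone data: hosted.example and all MX addresses are hypothetical.
CENTRAL = "spf-hosted-on.hamburg.ccc.de"
TXT = {
    CENTRAL: "v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 "
             "ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all",
    "hosted.example": f"v=spf1 include:{CENTRAL} -all",
}
MX_ADDRS = {"hosted.example": ["192.0.2.25"], CENTRAL: []}  # MX hosts, pre-resolved
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, budget=None):
    """Minimal RFC 7208 check_host() covering mx, ip4, ip6, include and all."""
    budget = {"lookups": 0} if budget is None else budget
    if domain not in TXT:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in TXT[domain].split()[1:]:
        result = QUALIFIERS.get(term[0])
        if result:
            term = term[1:]
        name, _, arg = term.partition(":")
        if name in ("mx", "include"):  # mechanisms that cost a DNS lookup
            budget["lookups"] += 1
            if budget["lookups"] > 10:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            # A bare mx uses the domain being evaluated: inside an include, the included name.
            matched = ip in MX_ADDRS.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, budget)
            if inner in ("none", "permerror", "temperror"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"  # an inner "fail" is only a non-match
        else:
            return "permerror"
        if matched:
            return result or "pass"
    return "neutral"

def lookups_used(ip, domain):
    budget = {"lookups": 0}
    check_host(ip, domain, budget)
    return budget["lookups"]
```

A domain whose own MX hosts differ from the shared mail servers loses the implicit `mx` authorization it had with the copy-pasted record, and each hosted domain now spends two of the ten permitted DNS-querying terms.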

Reference
CCCHH/ansible-infra#100