SPF with google site verification

Ahh, the joys of computing. My plan for a 30 minute task dissolves once more into 3 hours of head scratching. As always, the solution was ridiculously easy.

The aim: To add Spam Protection Filter/Sender Policy Framework to our DNS.

The problem: Having more than one TXT entry wasn’t possible with my DNS provider (and if it was, it would have created an error).

The solution: Put all the TXT strings in the same TXT entry field, ensuring a space character is present WITHIN the strings if multiple strings are to be concatenated.

The TL;DR detail:
We use Google Apps, so Google conveniently suggests the SPF record to use. At the time of writing, that’s:

To create an SPF record for a domain:

  1. Log in to the administrative console for your domain.
  2. Locate the page from which you can update the DNS records.
    You may need to enable advanced settings.
  3. Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all

    Publishing an SPF record that uses -all instead of ~all may result in delivery problems. See Google IP address ranges for details about the addresses for the Google Apps mail servers.
    If your registrar also requires a host setting (such as @), see the TXT records for specific domain providers list for precise instructions.
  4. Save your changes.

Keep in mind that changes to DNS records may take up to 48 hours to propagate throughout the Internet.
If you have difficulty creating an SPF record, contact your domain provider for assistance.

Which sounded so easy, except that adding it to my DNS hosted with Gandi failed with an error about a duplicate line.

The duplicate was a Google site verification entry, which also uses the TXT field. From reading about BIND, it appears TXT fields can be on multiple lines but will be consolidated later. I guess the Gandi interface wants you to do the consolidation yourself.

So for me, the correct SPF and Google Site Verification entry looks like this:

@ 300 IN TXT "v=spf1 a include:_spf.google.com ~all " "google-site-verification=1-3-y-blah"

Notice: The two strings enclosed by speech marks. I could have done this as one long string, but I think I’ll find adding any other TXT entries easier if I can see where each one starts and finishes. Actually, I’ve simplified my TXT entry for the blog; the real one also lists a couple of server IPs, and eventually I will need to add some IPv6 addresses. The a mechanism in SPF records appears to pick up only the domain’s @ host, not every single host in the domain.
Notice: The extra space character within the SPF string, because …~all" "goog… gets concatenated to …~allgoog…, with the missing space causing a PERMERROR for SPF validation and probably breaking the site verification too.
Notice: Using 300 seconds for the lifetime (TTL) is fine for testing, but it probably wants increasing to a larger number once you know it’s working. I’m going for 43200 seconds, which is 12 hours.
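
The concatenation behaviour described above can be checked offline. The following is an added example, not code from the original post: a simplified term-syntax check modelled on RFC 7208 (it does not validate mechanism arguments or perform DNS lookups), and the verification token is a constructed placeholder.

```python
import re

# Mechanism names defined by RFC 7208; any other name in directive position is a syntax error.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Modifier shape: name "=" value, where the name starts with a letter.
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=\S*$")


def join_strings(rr_strings):
    """The character-strings of one TXT record are concatenated with no separator."""
    return "".join(rr_strings)


def check_term(term):
    """Classify one SPF term as 'modifier', 'mechanism' or 'error'."""
    if MODIFIER.match(term):
        return "modifier"  # unrecognised modifiers are ignored by SPF evaluators
    body = term[1:] if term[0] in "+-~?" else term  # drop the optional qualifier
    name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
    return "mechanism" if name in MECHANISMS else "error"


def spf_result(txt_rrset):
    """txt_rrset: list of TXT records, each given as a list of character-strings."""
    records = [join_strings(rr) for rr in txt_rrset]
    spf = [r for r in records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror: multiple SPF records"
    bad = [t for t in spf[0].split()[1:] if check_term(t) == "error"]
    return f"permerror: bad term {bad[0]!r}" if bad else "ok"


# Constructed sample data; the token is a placeholder, not a real verification value.
TOKEN = "google-site-verification=EXAMPLE-TOKEN"
SPF = "v=spf1 a include:_spf.google.com ~all"
WITH_SPACE = [[SPF + " ", TOKEN]]  # one record, two strings, trailing space (the post's layout)
NO_SPACE = [[SPF, TOKEN]]          # same record without the trailing space
SEPARATE = [[SPF], [TOKEN]]        # two independent TXT records

if __name__ == "__main__":
    for label, rrset in [("with space", WITH_SPACE), ("no space", NO_SPACE),
                         ("separate", SEPARATE)]:
        print(f"{label:11} -> {spf_result(rrset)}")
```

With the trailing space, the verification token parses as an unrecognised SPF modifier and is ignored; without it, ~all and the token fuse into one unknown mechanism and the record fails. Publishing two separate TXT records, where the provider allows it, keeps the SPF record free of unrelated data.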

8 thoughts on “SPF with google site verification”

  1. Well observed.

    I added the SPF on my business domains, query: rkbb.co.uk instead to see my SPF in its current form.

    You’ll also notice that (at the time of writing at least) as well as the ‘a’ record being included, I have included 2 of our other web servers along with our office static IP address. I’m trying to send all the email through google now which would negate the need for a & IP4 settings, but occasionally I forget a device that will send directly.

    I just tried your spf/txt lookup but interestingly the google site verification string didn’t show. When I used dig to check it is there. So, I’m still wondering if the google system parses the long txt record correctly to pick up the site verification… it hasn’t complained of anything yet but that might come later.

    Here’s my dig output for the curious reader:
    1.9.3@global steve@Steve-Root-MBP:rkbbspree$dig txt rkbb.co.uk

    ; <<>> DiG 9.7.3-P3 <<>> txt rkbb.co.uk
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60823
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6

    ;; QUESTION SECTION:
    ;rkbb.co.uk. IN TXT

    ;; ANSWER SECTION:
    rkbb.co.uk. 300 IN TXT "v=spf1 a ip4: ip4: ip4: include:_spf.google.com ~all " "google-site-verification=1-3-yPOxsebkKr4ea7iGRqvRdmBTPtABSAJ3N3N-RRk"

  2. I reached here via a google search, tried out the solution as I was also looking to add both google-site-verification TXT record as well as an SPF record – unfortunately it did not work.

    It generated an error: “PermError SPF Permanent Error: Use the ip4 mechanism for ip4 addresses: xx.xx.xx.xx”.

    The SPF record alone works okay, not just with the addition of TXT records.

    Ironic, the SPF specification page or other searches do not produce any working solutions either.

    Thanks for the article though.

    1. Can you share what you had in your DNS?
      My first instinct is the format/text of something is not quite right.
      “v=spf1 -all”
      instead of:
      “v=spf1 ip4: -all”
      (the ip4: is required)

  3. I have the same need to have both google-site-verification TXT record as well as an SPF record – unfortunately it did not work for me too.

    Until now I don’t have an error sending mails, but when I make a lookup on mxtoolbox I have the following message:
    SPF record is invalid Details area

    I have the following TXT value:
    “v=spf1 a mx include:spf_13168.XXXXXXX.com.br ~all ” “google-site-verification=XXXXXXXXXXXXXXXXXXXXXXXXXXXX”

  4. Fixed my problem,
    I had to put in the DNS register (on Amazon) the following:
    “v=spf1 a mx include:spf_13168.XXXXXXX.com.br ~all ”
    “google-site-verification=XXXXXXXXXXXXXXXXXXXXXXXXXXXX ”

    Value, enter, value, so they were in different lines and it worked for me = )

  5. Extra space at the end of SPF string! Pure gold! I tried so many things to pass mail-tester.com with records set up in AWS Route53, and finally, the extra space made it work. Thank you.
