EDIT – Update January 3, 2013: There was a bug in my previous SPF record below, that included “ip4:220.127.116.11/1”. That should have read “ip4:18.104.22.168/11”. Unfortunately the initial incorrect record allowed half the Internet to pass SPF tests, so it would be better to use the corrected version or edit this list to suit your tastes. The SPF record below has been corrected to reflect this change.
If you use Payflow Link and you’ve recently implemented an SPF record with a hard-fail (“-all”), you and your customers may periodically stop receiving transaction confirmation messages from PayPal’s servers.
Your mail logs will hopefully show an error like:
2011-10-22 17:09:12 H=mx0.phx.paypal.com [22.214.171.124] F=<REDACTED EMAIL> rejected RCPT <REDACTED EMAIL>: SPF: 126.96.36.199 is not allowed to send mail from REDACTED DOMAIN
So the question is, what IP address or block should you add to your SPF record to allow PayPal’s servers to send mail on your behalf? PayPal has a range of IP addresses of course; their transaction servers are different from the email servers (apparently).
The correct answer is here, in PayPal’s list of “IP Addresses for PayPal servers”:
Since there are so many IP ranges here, my SPF record was getting too long. So I used the include: directive and created an SPF record for a subdomain (spf-paypal.MYDOMAIN.com):
"v=spf1 ip4:188.8.131.52/20 ip4:184.108.40.206/20 ip4:220.127.116.11/19 ip4:18.104.22.168/20 ip4:22.214.171.124/15 ip4:126.96.36.199/24 ip4:188.8.131.52/11 -all"
And then in my main domain SPF record, I added “include:spf-paypal.MYDOMAIN.com” (no space after the colon; SPF terms are separated by spaces, so the domain must be attached to the mechanism). This allows me to easily make edits to the PayPal portion of the SPF record and keeps it separate from my main SPF record. PayPal makes IP address changes on average perhaps twice a year, so if you use Payflow to send transaction receipts to your customers on your behalf and you maintain SPF records for your domain, this is something you will encounter.
At the bottom of PayPal’s post, there is an option to subscribe to the answer so you can be alerted when it changes. Unfortunately they do not show a changelog; they just update the answer, so every time they change it you have to go through and compare every IP range with your SPF record, but at least you can be alerted when there is a change.
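A quick check to run on the record before publishing it, so that a mistyped prefix like the /1 described in the update note at the top is caught early. This is an added example, not code from the original post; audit_spf and MIN_PREFIX are hypothetical names, the /8 threshold is an assumption, and the sample records are constructed from documentation address ranges rather than PayPal's real ones.

```python
import ipaddress

MIN_PREFIX = 8  # assumption: anything broader than /8 is treated as a likely typo

# Constructed samples (RFC 5737 documentation ranges), not PayPal's real ranges.
BAD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7/1 -all"
GOOD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"

def audit_spf(record, min_prefix=MIN_PREFIX):
    """Return (findings, covered_ipv4_addresses) for one SPF TXT string."""
    findings, nets = [], []
    terms = record.strip().strip('"“”').split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record does not start with v=spf1")
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()  # drop an optional qualifier
        if mech == "include:":
            findings.append("include: has no domain attached (stray space?)")
        if not mech.startswith("ip4:"):
            continue
        try:
            net = ipaddress.IPv4Network(mech[4:], strict=False)
        except ValueError as exc:
            findings.append(f"{term}: invalid ip4 value ({exc})")
            continue
        nets.append(net)
        if net.prefixlen < min_prefix:
            findings.append(f"{term}: /{net.prefixlen} authorizes "
                            f"{net.num_addresses:,} addresses ({net})")
        elif str(net.network_address) != mech[4:].split("/")[0]:
            findings.append(f"{term}: host bits set, really matches {net}")
    # Collapse overlapping ranges so nested networks are not counted twice.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return findings, covered

if __name__ == "__main__":
    for name, rec in (("BAD", BAD), ("GOOD", GOOD)):
        findings, covered = audit_spf(rec)
        print(f"{name}: {covered:,} addresses ({covered / 2**32:.4%} of IPv4)")
        for f in findings:
            print("  !", f)
```

The covered-address total is also a convenient single number to compare before and after each time PayPal's list changes.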
Previously, I had looked back through some transactions and (since a recent IP address update) all of them seem to be from 66.211.x.x, so my ham-fisted approach was to add:
to my SPF record, to allow 184.108.40.206 – 220.127.116.11.