What would be the correct SPF record to use for both Amazon SES and Google Apps together:

Google Apps says they want you to have the tilde "~" in it: http://support.google.com/a/bin/answer.py?hl=en&answer=178723, but most other examples have a dash "-" instead.

Amazon wants: "v=spf1 include:amazonses.com -all"

Google wants: "v=spf1 include:_spf.google.com ~all"

We currently have this, combining both together:

TXT "v=spf1 include:amazonses.com include:_spf.google.com ~all"

SPF "v=spf1 include:amazonses.com include:_spf.google.com ~all"

1) Is this the correct SPF record?

2) Are we missing anything, should this record be the exact same for both TXT & SPF DNS records? That is all we have, we don't have anything else.

We only send email from Google Apps and Amazon SES, nothing else.

1. Publish a TXT record:

   "v=spf1 include:_spf.google.com include:amazonses.com ~all"
   

   Amazon SES documentation says that no additional SPF configuration is required for a domain, but it turns out that adding include:amazonses.com to the record makes Sender ID pass as well. Even though Sender ID is considered obsolete, some receivers could implement it.

   If Amazon SES is configured to use a custom MAIL-FROM subdomain, publish another TXT record for the subdomain:

   "v=spf1 include:amazonses.com ~all"
   

   It's good to have a custom subdomain set up for better deliverability and customer experience. For example, the domain will be displayed in the mailed-by field in Gmail.

   You can use -all instead of ~all. In this case, emails sent from sources not covered in SPF record may be rejected by recipients.

2. According to Section 3.1 of RFC 7208:

   SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only.

   Thus, SPF record type is now obsolete.

3. Regarding your comment, here is one simple way to test whether SPF works:

   • Send emails to check-auth@verifier.port25.com from both Gmail and Amazon SES Test Email form.
   • Afterwards, search the automated reply for SPF check: pass.

The correct is to include each sender in the SPF, regarding the - or ~ it is the SPF properties

"-" = only the listed hosts are permitted

"~" = the listed hosts should send but might exist another sender.

If you are 100% sure that you have all the listed senders you can change the ~ for - BUT you should not maintain both.

TXT "v=spf1 include:amazonses.com include:_spf.google.com -all"

www.openspf.org/SPF_Record_Syntax

After many months trying to create correct SPF record and prevent my emails from Amazon classified as SPAM I've found that SPF syntax validator is exist. Using a Validator and SPF Policy Tester I was able to create SPF record that suites my requirements.

Gmail:

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.google.com +mx ?all

Yandex:

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 a:amazonses.com include:_spf.yandex.net +mx ?all