We have a situation where a vendor needs to send emails on our behalf. This is a common thing on our network. In the past, I would just add their server IP to our SPF record to allow them to send through our servers. In short, the emails they send need to show that they came from us.


Anyways, this hasn't been an issue until today, where a vendor we are using actually uses Google Mail. If I followed the same procedure as before, I would basically be adding to our SPF record which I assume would allow ANY Google (including Gmail) to send on our behalf. That seems very risky. Am I being paranoid or simply confused? BTW, we use Office 365 with Exchange Online. Thanks.



Well yes. But it's the same with any other bulk mailing solution out there, unless they give you a customer-specific range of IPs/hosts. In your scenario, might be a good idea to only allow them to use a subdomain, or similar.
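Added example, not part of the original thread: a small SPF evaluator run over constructed TXT records, showing that including a shared provider's range lets any tenant of that provider pass SPF for the main domain, while the subdomain approach confines that exposure to the subdomain. All domains and IP addresses are constructed (documentation ranges), and only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records (documentation domains and IP ranges, not real data).
ZONE = {
    # Weak: the shared provider's whole sending range is authorized for the main domain.
    "corp.example": "v=spf1 ip4:192.0.2.10 include:_spf.bulkmail.example -all",
    # Alternative from the answer: the main domain lists only its own server...
    "corp-strict.example": "v=spf1 ip4:192.0.2.10 -all",
    # ...and the vendor sends as a dedicated subdomain.
    "vendor.corp-strict.example": "v=spf1 include:_spf.bulkmail.example -all",
    # Shared provider: every customer of the provider sends from this range.
    "_spf.bulkmail.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
VENDOR_IP = "198.51.100.25"        # constructed: the vendor's sending host
OTHER_TENANT_IP = "198.51.100.77"  # constructed: unrelated customer, same provider


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate an RFC 7208 subset (ip4, include, all) for an envelope-sender domain."""
    if depth > 10:  # recursion guard, standing in for the DNS lookup limit
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            inner = check_spf(ip, term[8:], zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # an include matches only when the inner check passes
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

With the subdomain layout, a receiver still sees a pass for any tenant sending as `vendor.corp-strict.example`, so the subdomain should be one that carries no trust of its own.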