I have a hosted website that send email messages on behalf of our company from their local mail server. These messages are generated when customers fill out forms on the website and then they get a confirmation email showing sent from “ourdomain” even though it is really coming from “theirdomain”. Should I add “theirdomain.com” into my SPF record? Or would this just be opening up a hole for other spoofed email messages?
I want to make sure that email coming from this website server does not get blocked when I set the system to quarantine or deny.
Thanks in advance for your thoughts on this.