I am inquiring about how to set up a proper SPF record. I know there are SPF wizards/generators available, but each seems to have a different "opinion" of what should be included and what should not be included.

Let me give you a scenario of my setup, and hopefully someone can help me out.

My domain is: test.com
My mailserver hostname is: mail.host.com, which also has a MATCHING PTR record
mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves to mail.host.com

This is a STANDALONE mail server which will receive and send email without any VIPs or load balancing. There is, however, one additional host that will send out mail from the domain but won't be receiving mail; it will only be used as an SMTP (outbound only) server attached to a website automailer which is on a separate webserver... It only generates error reports and sends them out... so technically it isn't a full mail server, but it will be sending (outbound only) mail on behalf of the domain.

The additional host is: mail2.test.com, which resolves to 50.2.2.2 and there is a matching PTR.

These are the ONLY mail servers and IP addresses that will be sending out mail from the test.com domain. Some websites say I should use -all, and others say -all will cause some MTAs to reject and ~all is better to use even if those are the only two hosts sending out mail.

Would you be able to assist with a solid SPF record?
On 2/18/2012 12:05 PM, Reindl Harald wrote:
> On 18.02.2012 17:53, Jonathan Vomacka wrote:
>> -all will cause some MTA's to reject
>
> Then they are badly broken.
>
>> ~all is better to use
>
> This means SPF is in testing mode and not enforced. Some servers may use them for scoring, but they will never be used for blocking spoofed messages from wrong sender addresses.
> _____________________
>
> However, below are SPF-compliant records that have been working for years for some hundred domains. Maybe your BIND version does not support the record type "SPF" (recent Fedora does).
>
> The RFC says an SPF-compliant domain should use both.
>
> And yes, I prefer ip4 instead of A/MX because this enforces a lower count of DNS requests overall, and our internal DNS backend is able to translate configured hostnames to IPs while generating the zone files from the database.
> _____________________
>
> @ IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
> @ IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>
> subdomain1 IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
> subdomain1 IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"

Reindl,

What about if someone uses a mobile device to send e-mail? Would ~all be better?

I also generated the following SPF using a wizard. Let me know if this looks correct:

teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"

I wouldn't need an "include:" or "ptr" statement in this, right? I was told "include:" was to include OTHER domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include. Also, is PTR good to use or not?
On 2/18/2012 12:53 PM, Reindl Harald wrote:
> On 18.02.2012 18:33, Jonathan Vomacka wrote:
>> Reindl,
>>
>> What about if someone uses a mobile device to send e-mail?
>
> What is the difference between a mobile device and a customer at home on his workstation? There is none! Both have to use the SMTP for their account.
>
>> Would ~all be better?
>
> It makes less trouble for people using their ISP's MTA, but these people are acting wrong, and if you want to enforce SPF they must not do this. If you want to make life easy for people who are acting wrong, you CAN NOT enforce SPF at all.
>
>> I also generated the following SPF using a wizard. Let me know if this looks correct:
>>
>> teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80
>> ip4:216.250.250.148 ~all"
>
> Looks OK, without enforcing.
>
> I made the experience in the last years that A/MX in SPF often makes trouble, since more DNS requests are needed on the receiver side, and this rises with every entry of these types in your SPF. ip4 does not need additional requests.
>
> They often produced false positives; never seen again since changing to ip4.
>
>> I wouldn't need an "include:" or "ptr" statement in this, right? I was told "include:" was to include OTHER
>> domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include.
>> Also, is PTR good to use or not?
>
> No idea.
>
> I am using strictly ip4 entries and do not mix domains. All users are instructed to use "mail.ourdomain.tld", and there are no DNS records in customer domains, as all their MX records are also pointing FQ to our spam firewall.

Reindl,

I am sorry to ask this, but is it possible you can modify my PTR record that I submitted above with how you would enter it into BIND? I want to make sure I accurately enter this.
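Added example, not part of the thread: a small Python checker that parses an SPF record, counts the terms that cost the receiving MTA a DNS query (RFC 7208 caps these at 10 per evaluation, which is the cost Reindl avoids with ip4-only records; the same RFC says `ptr` should not be used), and evaluates a sender IP offline so the difference between `-all` and `~all` is visible. Only `ip4`/`ip6` terms are matched; `a`, `mx` and `include` would need live DNS and are treated as non-matching here.

```python
import ipaddress

# Terms that cost the receiving MTA a DNS query when evaluated
# (RFC 7208 section 4.6.4 allows at most 10 of these per SPF check;
# 'mx' additionally needs an A lookup per MX host). ip4/ip6/all cost nothing.
DNS_LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a 'v=spf1 ...' string into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # RFC default when none is given
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, sep, arg = term.partition(":")
        if not sep:                          # modifiers use '=' (redirect=, exp=)
            name, _, arg = term.partition("=")
        terms.append((qualifier, name.lower(), arg))
    return terms

def count_dns_lookups(record):
    """How many terms force extra DNS traffic at the receiver."""
    return sum(1 for _, name, _ in parse_spf(record) if name in DNS_LOOKUP_TERMS)

def check_ip(record, sender_ip):
    """Offline evaluation: ip4/ip6 terms are matched, the trailing 'all' decides
    the rest. a/mx/include/ptr would need DNS, so here they never match."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif name == "all":
            return RESULT[qualifier]
    return "neutral"                         # no 'all' and nothing matched

# Records from the thread: the wizard output versus Reindl's ip4-only zone entry.
WIZARD = ("v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
          "ip4:66.90.73.80 ip4:216.250.250.148 ~all")
IP4_ONLY = "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"

if __name__ == "__main__":
    for label, rec in (("wizard", WIZARD), ("ip4-only", IP4_ONLY)):
        print(f"{label}: {count_dns_lookups(rec)} DNS-costing terms")
    # a spoofed source is only softfailed by the wizard record, failed by -all
    print(check_ip(WIZARD, "10.0.0.1"), check_ip(IP4_ONLY, "10.0.0.1"))
```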