Linux Archive


Jonathan Vomacka 02-18-2012 04:33 PM

SPF Record questions
 
On 2/18/2012 12:05 PM, Reindl Harald wrote:
>
>
> On 18.02.2012 17:53, Jonathan Vomacka wrote:
>> I am inquiring about how to setup a proper SPF record. I know there are
>> SPF wizards/generators available but each seem to have a different
>> "opinion" of what should be included and what should not be included.
>>
>> Let me give you a scenario of my setup, and hopefully someone can help
>> me out.
>>
>> My domain is: test.com
>> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
>> record
>> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
>> to mail.host.com
>>
>> This is a STANDALONE mail server which will receive and send email
>> without any VIP's or load balancing. There is however one additional
>> host that will send out mail from the domain but it won't be receiving
>> mail, it will only be used as an SMTP (outbound only) server attached to
>> a website automailer which is on a separate webserver... It only
>> generates error reports and sends them out... so technically it isn't a
>> full mail server but it will be sending (outbound only) mail on behalf
>> of the domain.
>>
>> The additional host is: mail2.test.com which resolves to 50.2.2.2 and
>> there is a Matching PTR.
>>
>> These are the ONLY mail servers and IP addresses that will be sending
>> out mail from the test.com domain. Some websites say I should use -all
>> and others say -all will cause some MTA's to reject and ~all is better
>> to use even if those are the only two hosts sending out mail.
>>
>> Would you be able to assist with a solid SPF record?
>
>>> -all will cause some MTA's to reject
>
> then they are badly broken
>
>>> ~all is better to use
>
> this means SPF is in testing mode and not enforced
> some servers may use them for scoring but they will
> never be used for blocking spoofed messages from
> wrong sender-addresses
> _____________________
>
> however, below are SPF-compliant records working since
> years for some hundred domains, maybe your BIND-version
> does not support record-type "SPF" (Recent Fedora does)
>
> RFC says a SPF-compliant domain should use both
>
> and yes i prefer ip4 instead A/MX because this is enforcing
> a lower count of dns requests at all and our internal dns
> backend is able to translate configured hostnames to IP
> while generating the zone-files from the database
> _____________________
>
> @ IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
> @ IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>
> subdomain1 IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
> subdomain1 IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>
>
>

Reindl,

What about if someone uses a mobile device to send e-mail? Would ~all be
better? I also generated the following SPF using a wizard. Let me know
if this looks correct:

teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com
a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"

I wouldn't need an "include:" or "ptr" statement in this right? I was
told "include:" was to include OTHER domains that are allowed to send
e-mail, but then again I see some people writing the domain again as an
include. Also is PTR good to use or not?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Jonathan Vomacka 02-18-2012 05:16 PM

SPF Record questions
 
On 2/18/2012 12:53 PM, Reindl Harald wrote:
>
>
> On 18.02.2012 18:33, Jonathan Vomacka wrote:
>>>>> -all will cause some MTA's to reject
>>>
>>> then they are badly broken
>>>
>>>>> ~all is better to use
>>>
>>> this means SPF is in testing mode and not enforced
>>> some servers may use them for scoring but they will
>>> never be used for blocking spoofed messages from
>>> wrong sender-addresses
>>> _____________________
>>>
>>> however, below are SPF-compliant records working since
>>> years for some hundred domains, maybe your BIND-version
>>> does not support record-type "SPF" (Recent Fedora does)
>>>
>>> RFC says a SPF-compliant domain should use both
>>>
>>> and yes i prefer ip4 instead A/MX because this is enforcing
>>> a lower count of dns requests at all and our internal dns
>>> backend is able to translate configured hostnames to IP
>>> while generating the zone-files from the database
>>> _____________________
>>>
>>> @ IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>> @ IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>>
>>> subdomain1 IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>> subdomain1 IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>>
>>
>> Reindl,
>>
>> What about if someone uses a mobile device to send e-mail?
>
> what is the difference between a mobile device and a customer
> at home on his workstation? there is no one! both have to use
> the SMTP for their account
>
>> Would ~all be better?
>
> it is making less trouble for people using their ISP-MTA
> but this people are acting wrong and if you want to enforce
> SPF they must not do this, if you want life easy for people
> who acting wrong you CAN NOT enforce SPF at all
>
>> I also generated the following SPF
>> using a wizard. Let me know if this looks correct:
>>
>> teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80
>> ip4:216.250.250.148 ~all"
>
> looks OK, without enforcing
>
> i made the experience in the last years that A/MX in SPF makes
> often troubles since there are more dns-requests needed on the
> receiver and this is raised up with every entry of these types
> in your SPF - ip4 does not need additional requests
>
> they often produced false positives, never seen again since changed to ip4
>
>> I wouldn't need an "include:" or "ptr" statement in this right? I was told "include:" was to include OTHER
>> domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include.
>> Also is PTR good to use or not?
>
> no idea
>
> i am using strictly ip4-entries and do not mixing domains
> all users are instructed to use "mail.ourdomain.tld" and
> there are not existing dns-records in customer domains as
> also all MX-records of them are pointing FQ to our spam-firewall
>

Reindl,

I am sorry to ask this, but is it possible you can modify my PTR record
that I submitted above with how you would enter it into BIND? I want to
make sure I accurately enter this.

Jay Leafey 02-18-2012 08:07 PM

SPF Record questions
 
A great resource is www.openspf.net. It has a lot of information on
formatting SPF records and a tool that will help you test your rules.


Hope that helps!
--
Jay Leafey - jay.leafey@mindless.com
Memphis, TN
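
An added example, not part of the original thread: an offline check of the two records quoted above. It counts the terms that cost a receiver DNS queries (RFC 7208 caps them at 10 per evaluation) and shows what `-all` versus `~all` returns for an unlisted sender. The function names and the 203.0.113.9 test address are constructed for illustration.

```python
import ipaddress

# Terms that cost the receiver a DNS query; RFC 7208 section 4.6.4 allows at most 10.
DNS_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Records quoted in the thread.
IP4_ONLY = "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
WIZARD = ("v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
          "ip4:66.90.73.80 ip4:216.250.250.148 ~all")
UNLISTED = "203.0.113.9"  # constructed address standing in for an unlisted sender

def parse(record):
    """Split an SPF TXT value into (qualifier, name, argument) terms."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for word in words[1:]:
        qual, body = (word[0], word[1:]) if word[0] in RESULTS else ("+", word)
        # The name ends at ':' (argument), '=' (modifier) or '/' (CIDR on a/mx).
        cut = min([body.find(c) for c in ":=/" if c in body] or [len(body)])
        arg = body[cut + 1:] if body[cut:cut + 1] in (":", "=") else body[cut:]
        terms.append((qual, body[:cut].lower(), arg))
    return terms

def audit(record):
    """Count lookup-causing terms and report the result for unlisted senders."""
    terms = parse(record)
    lookups = sum(1 for _, name, _ in terms if name in DNS_TERMS)
    default = next((RESULTS[q] for q, name, _ in terms if name == "all"), "neutral")
    return {"dns_lookups": lookups, "over_limit": lookups > 10, "default": default,
            "uses_ptr": any(name == "ptr" for _, name, _ in terms)}

def check_ip(record, ip):
    """Evaluate left to right with ip4/ip6/all; report needs-dns at the first lookup term."""
    addr = ipaddress.ip_address(ip)
    for qual, name, arg in parse(record):
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qual]
        elif name == "all":
            return RESULTS[qual]
        elif name in DNS_TERMS:
            return "needs-dns"
    return "neutral"

if __name__ == "__main__":
    for label, rec in (("ip4-only", IP4_ONLY), ("wizard", WIZARD)):
        print(label, audit(rec), check_ip(rec, UNLISTED))
```

The count is of terms in the record; on the receiving side an `mx` term also triggers an address lookup for each MX host it returns.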


