SPF Record questions
On 2/18/2012 12:53 PM, Reindl Harald wrote:
> On 18.02.2012 18:33, Jonathan Vomacka wrote:
>>>>> -all will cause some MTAs to reject
>>> then they are badly broken
>>>>> ~all is better to use
>>> this means SPF is in testing mode and not enforced
>>> some servers may use them for scoring but they will
>>> never be used for blocking spoofed messages from
>>> wrong sender-addresses
>>> however, below are SPF-compliant records working for
>>> years for some hundred domains, maybe your BIND-version
>>> does not support record-type "SPF" (Recent Fedora does)
>>> RFC says an SPF-compliant domain should use both
>>> and yes i prefer ip4 instead of A/MX because this is enforcing
>>> a lower count of dns requests at all and our internal dns
>>> backend is able to translate configured hostnames to IP
>>> while generating the zone-files from the database
>>> @ IN TXT "v=spf1 ip4:188.8.131.52 ip4:184.108.40.206 -all"
>>> @ IN SPF "v=spf1 ip4:220.127.116.11 ip4:18.104.22.168 -all"
>>> subdomain1 IN TXT "v=spf1 ip4:22.214.171.124 ip4:126.96.36.199 -all"
>>> subdomain1 IN SPF "v=spf1 ip4:188.8.131.52 ip4:184.108.40.206 -all"
>> What about if someone uses a mobile device to send e-mail?
> what is the difference between a mobile device and a customer
> at home on his workstation? there is none! both have to use
> the SMTP for their account
>> Would ~all be better?
> it is making less trouble for people using their ISP-MTA
> but these people are acting wrong and if you want to enforce
> SPF they must not do this, if you want life easy for people
> who are acting wrong you CAN NOT enforce SPF at all
>> I also generated the following SPF
>> using a wizard. Let me know if this looks correct:
>> teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:220.127.116.11
>> ip4:18.104.22.168 ~all"
> looks OK, without enforcing
> i have had the experience in the last years that A/MX in SPF often
> causes trouble since there are more dns-requests needed on the
> receiver and this is raised up with every entry of these types
> in your SPF - ip4 does not need additional requests
> they often produced false positives, never seen again since changed to ip4
>> I wouldn't need an "include:" or "ptr" statement in this, right? I was told "include:" was to include OTHER
>> domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include.
>> Also is PTR good to use or not?
> no idea
> i am using strictly ip4-entries and do not mix domains
> all users are instructed to use "mail.ourdomain.tld" and
> there are no existing dns-records in customer domains as
> also all MX-records of them are pointing FQ to our spam-firewall
I am sorry to ask this, but is it possible you can modify my PTR record
that I submitted above with how you would enter it into BIND? I want to
make sure I accurately enter this.
CentOS mailing list
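
The two record styles compared in this thread can be checked statically. The following is an added example, not code from any poster: it counts the terms that cost DNS queries under RFC 7208 section 4.6.4 (limit of 10) and reports what the `all` qualifier requests. The function name and result keys are assumptions, and it only counts top-level terms (terms inside an `include:` target are not followed).

```python
import re

# Terms that trigger DNS queries during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10

# Records as posted in the thread (the wizard record joined onto one line).
WIZARD_RECORD = ("v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
                 "ip4:220.127.116.11 ip4:18.104.22.168 ~all")
IP4_RECORD = "v=spf1 ip4:188.8.131.52 ip4:184.108.40.206 -all"

def analyze_spf(record):
    """Statically inspect one SPF string; performs no DNS queries itself."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    lookups, all_result, redirect = [], None, None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term
            continue
        # Mechanism = optional qualifier + name, then ':' or '/' or end of term.
        m = re.match(r"([+\-~?]?)([A-Za-z0-9]+)(?=[:/]|$)", term)
        if not m:
            continue  # other modifiers such as exp= are not counted
        qualifier, name = m.group(1) or "+", m.group(2).lower()
        if name == "all":
            all_result = QUALIFIERS[qualifier]
            break  # "all" always matches, so later terms are never evaluated
        if name in LOOKUP_MECHANISMS:
            lookups.append(term)
    # redirect= is only followed when no mechanism matched, i.e. without "all".
    if redirect and all_result is None:
        lookups.append(redirect)
    return {
        "lookup_terms": lookups,
        "over_limit": len(lookups) > LOOKUP_LIMIT,
        "all_result": all_result,
        "hard_fail": all_result == "fail",  # "-all"; "~all" only asks for softfail
    }

if __name__ == "__main__":
    for rec in (WIZARD_RECORD, IP4_RECORD):
        print(rec, "->", analyze_spf(rec))
```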