SPF records


Tim Harper

Aug 4, 2016, 7:01:43 PM
to techies-f...@googlegroups.com
Hi all,

As a part of the fight against spam, SPF records really are a good idea.

Many of you already use them, I know, but I am seeing instances where schools have a correctly configured SPF record but do not have listed in that record all the mail servers that they use with their domain.

E.g. it is possible (probable!) that you run Kamar and that Kamar connects directly to the N4L mail relay. If this is what you are doing then your SPF record should include the N4L relay server as a valid sender of email for your domain - this helps stop email being sent by Kamar (or whichever other email server you are using) from being detected as spam.

As an example here is the SPF record that we use - it specifies the N4L servers and includes Google's servers:

v=spf1 a:relay.n4l.co.nz a:bulk-relay.n4l.co.nz include:_spf.google.com ~all

If you are using Office365 then the SPF record would look like:



regards,

Tim Harper


Phone 03 443 5167 (messages cannot be left on this number)
Mobile 027 443 1236

t...@mtaspiring.school.nz
www.mtaspiring.school.nz 

Tim Harper

Aug 4, 2016, 8:21:09 PM
to techies-f...@googlegroups.com
Hi all,

N4L suggest using include: rather than a: in case the IPs ever change.

v=spf1 include:relay.n4l.co.nz include:bulk-relay.n4l.co.nz include:_spf.google.com ~all

N4L also suggest -all (hard fail) rather than ~all (soft-fail) 

I do notice that Google recommends ~all in their documentation at https://support.google.com/a/answer/178723?hl=en but Microsoft recommends -all at https://technet.microsoft.com/en-NZ/library/dn789058(v=exchg.150).aspx so I guess go with whatever your mail provider recommends.


regards,

Tim Harper


Phone 03 443 5167 (messages cannot be left on this number)
Mobile 027 443 1236

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Pete Mundy

Aug 4, 2016, 8:55:14 PM
to techies-f...@googlegroups.com
Dear list,

If you think that any of your staff may send mail using your domain but through other servers (eg home ISP's SMTP server) then I'd recommend you don't use hard fail. Save yourselves the grief and just stick with soft fail.

Furthermore... sorry to be a DNS pedant, but using include: rather than a: is poor advice. Firstly because using a: won't break if the IP address changes anyway (the cache is only as long as the DNS record's TTL; after all, these are names, not IPv4s), but mostly because include: is for including another SPF record, and neither of the N4L names listed has an associated SPF resource record.

The section entitled 'Only "include" existing SPF records' at this URL explains in more depth:


Pete

Craig Knights

Aug 4, 2016, 10:21:01 PM
to techies-f...@googlegroups.com
I haven't heard of bulk-...@n4l.co.nz before...

What's the difference to relay@ ?

ta
Craig

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jonathan Webster

Aug 4, 2016, 11:06:07 PM
to techies-f...@googlegroups.com
It's another relay specifically designed for the sending of bulk email. It comes with the caveat that it's more likely to get blacklisted should a mail server sending through it get compromised, given various sending limits have been relaxed.

To follow up on Pete and Tim's comments, the original advice by Tim was correct. We can't publish a TXT record for the domains ourselves to support include: as the same host record exists as a CNAME already within that zone to support our automatic DR/fail-over to our secondary site.

So you could use:
GAFE: v=spf1 a:relay.n4l.co.nz a:bulk-relay.n4l.co.nz include:_spf.google.com ~all
 
hard-fail (-all) would be 'safer', however it does require more work on your part to maintain.






--
Jonathan Webster
Infrastructure Lead
The Network for Learning Ltd

DDI +64 9 222 2402  P 0800 LEARNING
A Suite 306, Geyser Building, 100 Parnell Road, Parnell, Auckland 1052
A PO Box 37118, Parnell, Auckland 1151 n4l.co.nz
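
The include: versus a: point raised by Pete and confirmed by Jonathan can be checked mechanically. The following is an added example, not code from any poster in this thread or from N4L: it lints an SPF record against a constructed TXT table (`SAMPLE_TXT`, standing in for DNS lookups; the `_spf.google.com` value is a placeholder) and flags each include: whose target does not publish exactly one SPF record. The function names `spf_records` and `lint_spf` are hypothetical.

```python
# Constructed stand-in for DNS TXT answers so the check runs offline.
# The two N4L relay names carry no SPF TXT record, as stated in the thread;
# the _spf.google.com value is a placeholder, not Google's published record.
SAMPLE_TXT = {
    "relay.n4l.co.nz": [],
    "bulk-relay.n4l.co.nz": [],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(name, txt=SAMPLE_TXT):
    """Return the TXT strings at `name` that are SPF version 1 records."""
    answers = txt.get(name.lower().rstrip("."), [])
    return [t for t in answers if t.lower().split(" ")[0] == "v=spf1"]


def lint_spf(record, txt=SAMPLE_TXT):
    """Flag include: terms whose target lacks exactly one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    report = {"all": None, "errors": []}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        mech, _, arg = body.partition(":")
        if mech.lower() == "all":
            # Result applied to senders that matched no earlier mechanism.
            report["all"] = QUALIFIERS[qualifier]
        elif mech.lower() == "include":
            found = spf_records(arg, txt)
            if len(found) != 1:
                # RFC 7208: evaluating an include: whose target has zero
                # or several SPF records returns permerror.
                report["errors"].append(
                    f"{term}: {len(found)} SPF records at {arg}, permerror")
    return report


if __name__ == "__main__":
    for rec in (
        "v=spf1 a:relay.n4l.co.nz a:bulk-relay.n4l.co.nz include:_spf.google.com ~all",
        "v=spf1 include:relay.n4l.co.nz include:bulk-relay.n4l.co.nz include:_spf.google.com ~all",
    ):
        print(rec, "->", lint_spf(rec))
```

To check a live domain, pass a `txt` mapping built from real TXT lookups in place of `SAMPLE_TXT`.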
