Assistance with SPF Records for BIND

Jonathan Vomacka

Feb 18, 2012, 11:51:10 AM
to bind-...@lists.isc.org
BIND Community Support,

I am inquiring about how to set up a proper SPF record. I know there are
SPF wizards/generators available, but each seems to have a different
"opinion" of what should be included and what should not be included.

Let me give you a scenario of my setup, and hopefully someone can help
me out.

My domain is: test.com
My mailserver hostname is: mail.host.com which also has a MATCHING PTR
record
mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
to mail.host.com

This is a STANDALONE mail server without any VIPs or load balancing.
There is however one additional host that will send out mail from the
domain but it won't be receiving mail; it will only be used as an SMTP
server attached to a website automailer... It only generates error
reports and sends them out... so technically it isn't a full mail server,
but it will be sending (outbound only) mail on behalf of the domain.

The additional host is: mail2.test.com which resolves to 50.2.2.2 and
there is a Matching PTR.

These are the ONLY mail servers and IP addresses that will be sending
out mail from the test.com domain. Some websites say I should use -all
and others say -all will cause some MTAs to reject and ~all is better
to use even if those are the only two hosts sending out mail.

Would you be able to assist with a solid SPF record?

Sten Carlsen

Feb 18, 2012, 11:55:26 AM
to Jonathan Vomacka, bind-...@lists.isc.org
Hi

I suggest using the wizards or looking in the RFC:
http://www.ietf.org/rfc/rfc4408.txt
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
       "MALE BOVINE MANURE!!!"

Jonathan Vomacka

Feb 18, 2012, 12:34:53 PM
to Sten Carlsen, bind-...@lists.isc.org
What if someone uses a mobile device to send e-mail? Would ~all be better? I
also generated the following SPF using a wizard. Let me know if this
looks correct:

teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com
a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"

I wouldn't need an "include:" or "ptr" statement in this, right? I was
told "include:" was to include OTHER domains that are allowed to send
e-mail, but then again I see some people writing the domain again as an
include. Also, is PTR good to use or not?

Sten,
I read over the link but am still a bit confused.

Sten Carlsen

Feb 18, 2012, 3:05:35 PM
to Jonathan Vomacka, bind-...@lists.isc.org
Well, there are two parts of this:

1 - Make a decision about which servers are allowed to send mail on your behalf - this is entirely up to you. This is expressed in terms of server names, IP addresses etc.
You may decide that ONLY <these> servers may send mail, or that other servers are allowed to send mail as well. One example is a portable computer: may that use a local server to send mail, or should that be considered bogus?

2 - Express these decisions in an SPF statement - this is where the RFC comes into play, explaining how to interpret the statements.


You need to make decision #1 yourself.

Noel Butler

Feb 18, 2012, 11:03:21 PM
to bind-...@lists.isc.org
SPF    "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"
TXT    "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"     <-- This is to support antiquated resolvers who don't understand the SPF record


-all will reject if the mail is not from one of the above; this is the entire purpose of SPF, to stop dead impersonators.
~all is a softfail, intended for the initial testing phase, so you can use ~all if you are widening your scope, but if only those two IPs above will send mail for your domain, just use -all and make sure all of your users have configured SMTP auth to send by either of those two machines.



ml

Feb 19, 2012, 11:00:41 AM
to bind-...@lists.isc.org
Simpler is better.

My TXT record:
~]$ host -t txt fakessh.eu 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

fakessh.eu descriptive text "spf2.0/pra ip4:46.105.34.177
ip4:91.121.7.86 ?all"
fakessh.eu descriptive text "spf2.0/mfrom ip4:46.105.34.177
ip4:91.121.7.86 ~all"
fakessh.eu descriptive text "v=spf1 ip4:46.105.34.177 ip4:91.121.7.86
?all"


It is OK for all ISPs.


On 2012-02-18 17:55, Sten Carlsen wrote:
> Hi
>
> I suggest to use the wizards or look in the RFC:
> http://www.ietf.org/rfc/rfc4408.txt

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC2626742
gpg --keyserver pgp.mit.edu --recv-key C2626742

http://urlshort.eu fakessh @
http://gplus.to/sshfake
http://gplus.to/sshswilting
http://gplus.to/john.swilting
https://lists.fakessh.eu/mailman/
This list is moderated by me, but all applications will be accepted
provided they receive a note of presentation

Noel Butler

Feb 19, 2012, 9:00:52 PM
to bind-...@lists.isc.org
On Sun, 2012-02-19 at 17:00 +0100, ml wrote:

> fakessh.eu descriptive text "spf2.0/pra ip4:46.105.34.177
> ip4:91.121.7.86 ?all"
>
> fakessh.eu descriptive text "v=spf1 ip4:46.105.34.177 ip4:91.121.7.86
> ?all"

Why did you bother with the record at all?
"Question mark" indicates you don't care and the remote should basically ignore it.
Waste of time; please do some homework before making such foolish recommendations.
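To make Noel Butler's two points concrete (the ip4/-all record he recommends above, and his later remark that "?all" tells the receiver to ignore the record), here is a small SPF evaluator added as an example; it is not code from the thread, from BIND or from any SPF library. It implements the check_host() logic of RFC 4408 for the ip4/ip6, a, mx and all mechanisms against a constructed DNS table of the thread's scenario; the DNS table, the wizard-style record and the outside sender 203.0.113.7 are assumptions.

```python
import ipaddress
# Result the receiver derives from the qualifier of the first matching term.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT string into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms

def check_host(record, sender_ip, domain, dns):
    """Evaluate record for sender_ip as a receiving MTA does (RFC 4408 check_host).
    dns is a constructed {name: {"A": [...], "MX": [...]}} table replacing real lookups."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            nets = [ipaddress.ip_network(arg, strict=False)]
        elif mech in ("a", "mx"):  # name-based: resolve to the hosts' A records
            hosts = [arg or domain] if mech == "a" else dns.get(arg or domain, {}).get("MX", [])
            nets = [ipaddress.ip_network(a) for h in hosts for a in dns.get(h, {}).get("A", [])]
        else:
            raise ValueError(f"unsupported mechanism {mech}")  # include/ptr not modelled
        if any(ip.version == n.version and ip in n for n in nets):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no redirect: RFC 4408 says Neutral

# Constructed DNS view of the thread's scenario (example addresses, not real hosts).
DNS = {"test.com": {"A": [], "MX": ["mail.host.com"]},
       "mail.host.com": {"A": ["50.1.1.1"]}, "mail2.test.com": {"A": ["50.2.2.2"]}}
RECORDS = {
    "strict": "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all",   # Noel Butler's suggestion
    "soft": "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 ~all",     # same hosts, softfail instead
    "neutral": "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 ?all",  # ml's style: states no policy
    "wizard": "v=spf1 a mx a:mail2.test.com ~all",       # name-based, like the wizard output
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        for sender in ("50.1.1.1", "50.2.2.2", "203.0.113.7"):
            print(f"{name:8} {sender:>12} -> {check_host(rec, sender, 'test.com', DNS)}")
```

Running it shows that only the "-all" record turns the outside sender into a hard fail, "~all" gives softfail, and "?all" yields neutral, which is the same result a domain with no SPF record at all would get.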

Sten Carlsen

Feb 20, 2012, 6:12:20 AM
to bind-...@lists.isc.org
Just my point. SPF is a "message" from the sender of mail to the receiver of mail, describing which senders (hosts, networks) are allowed to expedite mail for the sender. The message is delivered via DNS.

It is up to the sender to make the rules and nobody can do that for you; of course it may be good to get inspiration from others. E.g. if you know that ALL valid mail will be sent from ONE server, you can describe that; if valid mail can be sent from ANY host, that can be described as well. This information is meant to be used to evaluate whether a mail from you is valid or more likely spam. Only you know what the contents should be.