On 2/18/2012 12:53 PM, Reindl Harald wrote:
On 18.02.2012 18:33, Jonathan Vomacka wrote:
-all will cause some MTA's to reject
then they are badly broken
~all is better to use
this means SPF is in testing mode and not enforced; some servers may use them for scoring but they will never be used for blocking spoofed messages from wrong sender-addresses
however, below are SPF-compliant records working since years for some hundred domains, maybe your BIND-version does not support record-type "SPF" (Recent Fedora does)
RFC says a SPF-compliant domain should use both
and yes i prefer ip4 instead A/MX because this is enforcing a lower count of dns requests at all and our internal dns backend is able to translate configured hostnames to IP while generating the zone-files from the database
@ IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
@ IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
subdomain1 IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
subdomain1 IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
Reindl,
What about if someone uses a mobile device to send e-mail?
what is the difference between a mobile device and a customer at home on his workstation? there is no one! both have to use the SMTP for their account
Would ~all be better?
it is making less trouble for people using their ISP-MTA but these people are acting wrong and if you want to enforce SPF they must not do this, if you want life easy for people who are acting wrong you CAN NOT enforce SPF at all
I also generated the following SPF using a wizard. Let me know if this looks correct:
teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"
looks OK, without enforcing
i made the experience in the last years that A/MX in SPF often makes trouble since there are more dns-requests needed on the receiver and this is raised up with every entry of these types in your SPF - ip4 does not need additional requests
they often produced false positives, never seen again since changed to ip4
I wouldn't need an "include:" or "ptr" statement in this, right? I was told "include:" was to include OTHER domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include. Also is PTR good to use or not?
no idea
i am using strictly ip4-entries and do not mix domains; all users are instructed to use "mail.ourdomain.tld" and there are no existing dns-records in customer domains, as also all MX-records of them are pointing FQ to our spam-firewall
Reindl,
I am sorry to ask this, but is it possible you can modify my PTR record that I submitted above with how you would enter it into BIND? I want to make sure I accurately enter this.
On 02/18/2012 12:16 PM, Jonathan Vomacka wrote:
On 2/18/2012 12:53 PM, Reindl Harald wrote:
A great resource is www.openspf.net. It has a lot of information on formatting SPF records and a tool that will help you test your rules.
Hope that helps!
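
Added example (not part of the original thread): a static check of the point raised above about a/mx versus ip4, counting the terms in an SPF record that make the receiver issue DNS queries (RFC 7208 section 4.6.4 caps these at 10) and reporting the qualifier on "all". The function names are hypothetical, the two records are the ones quoted in the thread, and the count covers only the top-level record without following includes or the extra address lookups an mx term triggers.

```python
import re

# Terms that cause DNS queries per RFC 7208 section 4.6.4; ip4, ip6 and all need none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
ALL_POLICY = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)([:=/].*)?")

# Records quoted in the thread.
WIZARD = ('"v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com '
          'ip4:66.90.73.80 ip4:216.250.250.148 ~all"')
IP4_ONLY = '"v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"'


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    tokens = record.strip().strip('"').split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.fullmatch(tok)
        if m is None:
            raise ValueError(f"unparseable term: {tok!r}")
        qualifier, name, arg = m.groups()
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        terms.append((qualifier or "+", name.lower(), arg or ""))
    return terms


def summarize(record):
    """Report DNS-querying terms and how the record treats non-matching senders."""
    terms = parse_terms(record)
    lookups = [name + arg for _, name, arg in terms if name in LOOKUP_TERMS]
    all_q = next((q for q, name, _ in terms if name == "all"), None)
    return {
        "lookups": len(lookups),
        "lookup_terms": lookups,
        "over_limit": len(lookups) > LOOKUP_LIMIT,
        "all": ALL_POLICY.get(all_q, "no all term"),
    }


if __name__ == "__main__":
    for label, rec in (("wizard", WIZARD), ("ip4-only", IP4_ONLY)):
        print(label, summarize(rec))
```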