On 2/18/2012 12:05 PM, Reindl Harald wrote:
On 18.02.2012 17:53, Jonathan Vomacka wrote:
I am inquiring about how to setup a proper SPF record. I know there are SPF wizards/generators available but each seem to have a different "opinion" of what should be included and what should not be included.
Let me give you a scenario of my setup, and hopefully someone can help me out.
My domain is: test.com
My mailserver hostname is: mail.host.com which also has a MATCHING PTR record
mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves to mail.host.com
This is a STANDALONE mail server which will receive and send email without any VIP's or load balancing. There is however one additional host that will send out mail from the domain but it won't be receiving mail, it will only be used as an SMTP (outbound only) server attached to a website automailer which is on a separate webserver... It only generates error reports and sends them out... so technically it isn't a full mail server but it will be sending (outbound only) mail on behalf of the domain.
The additional host is: mail2.test.com which resolves to 50.2.2.2 and there is a Matching PTR.
These are the ONLY mail servers and IP addresses that will be sending out mail from the test.com domain. Some websites say I should use -all and others say -all will cause some MTA's to reject and ~all is better to use even if those are the only two hosts sending out mail.
Would you be able to assist with a solid SPF record?
-all will cause some MTA's to reject
then they are badly broken
~all is better to use
this means SPF is in testing mode and not enforced
some servers may use them for scoring but they will never be used for blocking spoofed messages from wrong sender-addresses
_____________________
however, below are SPF-compliant records working since years for some hundred domains, maybe your BIND-version does not support record-type "SPF" (Recent Fedora does)
RFC says a SPF-compliant domain should use both
and yes i prefer ip4 instead A/MX because this is enforcing a lower count of dns requests at all and our internal dns backend is able to translate configured hostnames to IP while generating the zone-files from the database
_____________________
@ IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
@ IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
subdomain1 IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
subdomain1 IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
Reindl,
What about if someone uses a mobile device to send e-mail? Would ~all be better? I also generated the following SPF using a wizard. Let me know if this looks correct:
teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"
I wouldn't need an "include:" or "ptr" statement in this, right? I was told "include:" was to include OTHER domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include. Also is PTR good to use or not?
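
Added example, not part of the thread and not either poster's code: a small offline checker that counts how many terms of an SPF record need DNS resolution (RFC 7208 caps these at 10 per check) and shows what an unlisted sender gets under -all versus ~all. The records are the ones quoted above; the address 192.0.2.25, the function names and the "needs-dns" result are assumptions made for this illustration.

```python
import ipaddress
import re

# Terms that each cost a DNS query at check time (RFC 7208 caps these at 10).
DNS_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return [(qualifier, name, value), ...] for a v=spf1 record string."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        qual = tok[0] if tok[0] in RESULTS else "+"
        body = tok[1:] if tok[0] in RESULTS else tok
        name, value = re.match(r"([A-Za-z0-9]+)[:=/]?(.*)", body).groups()
        terms.append((qual, name.lower(), value))
    return terms

def dns_lookup_terms(record):
    """Count the terms a receiver must resolve through DNS."""
    return sum(1 for _, name, _ in parse_spf(record) if name in DNS_TERMS)

def check_ip(record, sender_ip):
    """Left-to-right evaluation; the first matching mechanism decides.
    Only ip4/ip6/all are decided offline. A DNS-based term reached before
    any match yields "needs-dns" (hypothetical label): nothing is resolved."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULTS[qual]
        elif name == "all":
            return RESULTS[qual]
        elif name in DNS_TERMS:
            return "needs-dns"
    return "neutral"  # nothing matched and the record has no "all"

# Records from the thread; 192.0.2.25 is a constructed, unlisted sender.
STRICT = "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
SOFT = STRICT.replace("-all", "~all")
WIZARD = ("v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
          "ip4:66.90.73.80 ip4:216.250.250.148 ~all")

if __name__ == "__main__":
    for rec in (STRICT, SOFT, WIZARD):
        print(dns_lookup_terms(rec), check_ip(rec, "192.0.2.25"), rec)
```
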