[CentOS] SPF Record questions

Sat Feb 18 17:33:18 UTC 2012
Jonathan Vomacka <juvix88 at gmail.com>

On 2/18/2012 12:05 PM, Reindl Harald wrote:
> Am 18.02.2012 17:53, schrieb Jonathan Vomacka:
>> I am inquiring about how to setup a proper SPF record. I know there are
>> SPF wizards/generators available but each seem to have a different
>> "opinion" of what should be included and what should not be included.
>> Let me give you a scenario of my setup, and hopefully someone can help
>> me out.
>> My domain is: test.com
>> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
>> record
>> mail.host.com (for example) resolves to and resolves
>> to mail.host.com
>> This is a STANDALONE mail server which will receive and send email
>> without any VIP's or load balancing. There is however one additional
>> host that will send out mail from the domain but it won't be receiving
>> mail, it will only be used as an SMTP (outbound only) server attached to
>> a website automailer which is on a separate webserver... It only
>> generates error reports and sends them out... so technically it isn't a
>> full mail server but it will be sending (outbound only) mail on behalf
>> of the domain.
>> The additional host is: mail2.test.com which resolves to and
>> there is a Matching PTR.
>> These are the ONLY mail servers and IP addresses that will be sending
>> out mail from the test.com domain. Some websites say I should use -all
>> and others say -all will cause some MTA's to reject and ~all is better
>> to use even if those are the only two hosts sending out mail.
>> Would you be able to assist with a solid SPF record?
>>> -all will cause some MTA's to reject
> then they are badly broken
>>> ~all is better to use
> this means SPF is in testing mode and not enforced
> some servers may use them for scoring but they will
> never be used for blocking spoofed messages from
> wrong sender-addresses
> _____________________
> however, below are SPF-compliant records working for
> years for some hundred domains, maybe your BIND-version
> does not support record-type "SPF" (Recent Fedora does)
> RFC says an SPF-compliant domain should use both
> and yes i prefer ip4 instead of A/MX because this is enforcing
> a lower count of dns requests at all and our internal dns
> backend is able to translate configured hostnames to IP
> while generating the zone-files from the database
> _____________________
> @	IN TXT	"v=spf1 ip4: ip4: -all"
> @	IN SPF	"v=spf1 ip4: ip4: -all"
> subdomain1	IN TXT	"v=spf1 ip4: ip4: -all"
> subdomain1	IN SPF	"v=spf1 ip4: ip4: -all"


What about if someone uses a mobile device to send e-mail? Would ~all be 
better? I also generated the following SPF using a wizard. Let me know 
if this looks correct:

teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com 
a:mail2.teamwarfare.com ip4: ip4: ~all"

I wouldn't need an "include:" or "ptr" statement in this right? I was 
told "include:" was to include OTHER domains that are allowed to send 
e-mail, but then again I see some people writing the domain again as an 
include. Also is PTR good to use or not?
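An added example, not part of this thread or of anyone's posted records: a small offline SPF evaluator written for this page. It walks a record left to right the way a receiving MTA does, counts the mechanisms that cost a DNS lookup (the RFC 7208 limit is 10 per check), and returns what `-all` and `~all` yield for a sender that matches nothing. The DNS table, the hostnames under test.com and the 192.0.2.x / 198.51.100.x / 203.0.113.x documentation addresses are all constructed assumptions standing in for the addresses stripped from the thread; `ptr` and `exists` are deliberately left unimplemented.

```python
"""Offline SPF (RFC 7208) evaluator over a constructed DNS table.

Added example for this page; hostnames, addresses and records below are
constructed assumptions, not the thread's real infrastructure.
"""
import ipaddress

DNS = {
    "A": {
        "test.com": ["192.0.2.10"],
        "mail.test.com": ["192.0.2.10"],
        "mail2.test.com": ["192.0.2.20"],
    },
    "MX": {"test.com": ["mail.test.com"]},
    "TXT": {
        # wizard-style record from the thread, with constructed addresses
        "test.com": "v=spf1 a mx a:mail.test.com a:mail2.test.com "
                    "ip4:192.0.2.10 ip4:192.0.2.20 ~all",
        # ip4-only record with a hard fail, the style Reindl posted
        "strict.test.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.20 -all",
        # a subdomain that delegates to a third party's published policy
        "inc.test.com": "v=spf1 include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    },
}

LOOKUP_MECHS = {"a", "mx", "include", "ptr", "exists"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 is a permerror
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _has_addr(ip, name, dns):
    """True if any A record of name equals the sender address."""
    return any(ip == ipaddress.ip_address(a) for a in dns["A"].get(name, []))


def check_spf(sender_ip, domain, dns=DNS, lookups=0):
    """Return (result, dns_lookups) for sender_ip sending as domain."""
    ip = ipaddress.ip_address(sender_ip)
    record = dns["TXT"].get(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none", lookups  # no usable policy published
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not handled here
            continue
        qual = "+"  # mechanisms default to pass when they match
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in LOOKUP_MECHS:
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # version mismatch (ip6 term, IPv4 sender) simply fails to match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _has_addr(ip, arg or domain, dns)
        elif mech == "mx":
            matched = any(_has_addr(ip, mx, dns)
                          for mx in dns["MX"].get(arg or domain, []))
        elif mech == "include":
            # include matches only if the other domain's policy says pass;
            # a missing or broken included record is a permerror
            sub, lookups = check_spf(sender_ip, arg, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror", lookups
            matched = sub == "pass"
        else:  # ptr, exists: not implemented in this example
            raise NotImplementedError(mech)
        if matched:
            return QUALIFIER[qual], lookups
    return "neutral", lookups  # record ended without an "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.5"):
        print(ip, "as test.com ->", check_spf(ip, "test.com"))
        print(ip, "as strict.test.com ->", check_spf(ip, "strict.test.com"))
```

Running it shows the difference the thread is arguing about: for an address that belongs to neither host, the wizard-style record spends four lookups (`a`, `mx`, two `a:` terms) before reaching `~all` and returns softfail, whereas the ip4-only record returns fail with zero lookups. The `inc.test.com` record shows what `include:` is for: it pulls in another domain's published policy and matches only when that policy would pass the sender. `ptr` is left out on purpose; RFC 7208 (section 5.5) says it should not be used, because every receiver has to do reverse and forward lookups on the sender's address to evaluate it.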