On 2/18/2012 12:05 PM, Reindl Harald wrote:
>
>
> On 18.02.2012 17:53, Jonathan Vomacka wrote:
>> I am inquiring about how to setup a proper SPF record. I know there are
>> SPF wizards/generators available but each seem to have a different
>> "opinion" of what should be included and what should not be included.
>>
>> Let me give you a scenario of my setup, and hopefully someone can help
>> me out.
>>
>> My domain is: test.com
>> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
>> record
>> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
>> to mail.host.com
>>
>> This is a STANDALONE mail server which will receive and send email
>> without any VIP's or load balancing. There is however one additional
>> host that will send out mail from the domain but it won't be receiving
>> mail, it will only be used as an SMTP (outbound only) server attached to
>> a website automailer which is on a separate webserver... It only
>> generates error reports and sends them out... so technically it isn't a
>> full mail server but it will be sending (outbound only) mail on behalf
>> of the domain.
>>
>> The additional host is: mail2.test.com which resolves to 50.2.2.2 and
>> there is a Matching PTR.
>>
>> These are the ONLY mail servers and IP addresses that will be sending
>> out mail from the test.com domain. Some websites say I should use -all
>> and others say -all will cause some MTA's to reject and ~all is better
>> to use even if those are the only two hosts sending out mail.
>>
>> Would you be able to assist with a solid SPF record?
>
>>> -all will cause some MTA's to reject
>
> then they are badly broken
>
>>> ~all is better to use
>
> this means SPF is in testing mode and not enforced
> some servers may use them for scoring but they will
> never be used for blocking spoofed messages from
> wrong sender-addresses
> _____________________
>
> however, below are SPF-compliant records working since
> years for some hundred domains, maybe your BIND-version
> does not support record-type "SPF" (Recent Fedora does)
>
> RFC says a SPF-compliant domain should use both
>
> and yes i prefer ip4 instead A/MX because this is enforcing
> a lower count of dns requests at all and our internal dns
> backend is able to translate configured hostnames to IP
> while generating the zone-files from the database
> _____________________
>
> @ IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
> @ IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>
> subdomain1 IN TXT "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
> subdomain1 IN SPF "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>
>
>

Reindl,

What about if someone uses a mobile device to send e-mail? Would ~all be better? I also generated the following SPF using a wizard. Let me know if this looks correct:

teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"

I wouldn't need an "include:" or "ptr" statement in this right? I was told "include:" was to include OTHER domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include. Also is PTR good to use or not?
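
Added example, not part of the thread and not any poster's own code: a small offline Python evaluator that runs the two records quoted above against a sender address, showing the result a receiver computes under -all versus ~all and how many DNS-querying terms each record carries (RFC 7208 allows at most 10). The function names, the IP_ONLY_SOFT variant and the address 203.0.113.9 are constructed for illustration.

```python
import ipaddress
import re

# Terms that cost one DNS query each during evaluation; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for part in parts[1:]:
        qual, body = (part[0], part[1:]) if part[0] in RESULTS else ("+", part)
        m = re.match(r"([a-z0-9]+)(?:[:=/](.*))?$", body.lower())
        if not m:
            raise ValueError("unparseable term: " + part)
        terms.append((qual, m.group(1), m.group(2)))
    return terms


def dns_lookups(record):
    """Count the terms that force the receiving server to query DNS."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def evaluate_static(record, sender_ip):
    """Left-to-right check using only ip4/ip6/all; 'needs-dns' if a DNS term comes first."""
    ip = ipaddress.ip_address(sender_ip)
    terms = parse_spf(record)
    for qual, name, arg in terms:
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qual]
        elif name == "all":
            return RESULTS[qual]
        elif name in LOOKUP_TERMS and name != "redirect":
            return "needs-dns"
    return "needs-dns" if any(n == "redirect" for _, n, _ in terms) else "neutral"


# Records quoted in the thread; OUTSIDER is a constructed address (TEST-NET-3).
STRICT = "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
WIZARD = ("v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
          "ip4:66.90.73.80 ip4:216.250.250.148 ~all")
IP_ONLY_SOFT = "v=spf1 ip4:66.90.73.80 ip4:216.250.250.148 ~all"  # constructed variant
OUTSIDER = "203.0.113.9"
```

For an unlisted sender, `evaluate_static(STRICT, OUTSIDER)` yields `fail` while `evaluate_static(IP_ONLY_SOFT, OUTSIDER)` yields `softfail`; the wizard record cannot be decided offline at all because its first term is `a`.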