[CentOS] SPF Record questions

Sat Feb 18 18:16:51 UTC 2012
Jonathan Vomacka <juvix88 at gmail.com>


On 2/18/2012 12:53 PM, Reindl Harald wrote:
>
>
> On 18.02.2012 18:33, Jonathan Vomacka wrote:
>>>>> -all will cause some MTA's to reject
>>>
>>> then they are badly broken
>>>
>>>>> ~all is better to use
>>>
>>> this means SPF is in testing mode and not enforced
>>> some servers may use them for scoring but they will
>>> never be used for blocking spoofed messages from
>>> wrong sender-addresses
>>> _____________________
>>>
>>> however, below are SPF-compliant records working since
>>> years for some hundred domains, maybe your BIND-version
>>> does not support record-type "SPF" (Recent Fedora does)
>>>
>>> RFC says a SPF-compliant domain should use both
>>>
>>> and yes i prefer ip4 instead A/MX because this is enforcing
>>> a lower count of dns requests at all and our internal dns
>>> backend is able to translate configured hostnames to IP
>>> while generating the zone-files from the database
>>> _____________________
>>>
>>> @    IN TXT    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>> @    IN SPF    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>>
>>> subdomain1    IN TXT    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>> subdomain1    IN SPF    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>>
>>
>> Reindl,
>>
>> What about if someone uses a mobile device to send e-mail?
>
> what is the difference between a mobile device and a customer
> at home on his workstation? there is no one! both have to use
> the SMTP for their account
>
>> Would ~all be better?
>
> it is making less trouble for people using their ISP-MTA
> but these people are acting wrong and if you want to enforce
> SPF they must not do this, if you want life easy for people
> who are acting wrong you CAN NOT enforce SPF at all
>
>> I also generated the following SPF
>> using a wizard. Let me know if this looks correct:
>>
>> teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80
>> ip4:216.250.250.148 ~all"
>
> looks OK, without enforcing
>
> i made the experience in the last years that A/MX in SPF makes
> often troubles since there are more dns-requests needed on the
> receiver and this is raised up with every entry of these types
> in your SPF - ip4 does not need additional requests
>
> they often produced false positives, never seen again since changed to ip4
>
>> I wouldn't need an "include:" or "ptr" statement in this right? I was told "include:" was to include OTHER
>> domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include.
>> Also is PTR good to use or not?
>
> no idea
>
> i am using strictly ip4-entries and do not mixing domains
> all users are instructed to use "mail.ourdomain.tld" and
> there are not existing dns-records in customer domains as
> also all MX-records of them are pointing FQ to our spam-firewall
>

Reindl,

I am sorry to ask this, but is it possible you can modify my PTR record 
that I submitted above with how you would enter it into BIND? I want to 
make sure I accurately enter this.
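
Added example, not part of the original thread: a small offline checker that compares the two SPF records quoted above by how many DNS-querying terms each contains and whether its `all` term enforces rejection. The function name `analyze_spf` and its return keys are hypothetical; it counts only terms written in the record itself and does not resolve nested `include:` records.

```python
import re

# Terms that make the receiving server issue DNS queries during an SPF check.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10  # the SPF specification caps such terms at 10 per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?")

def analyze_spf(record):
    """Summarize DNS cost and enforcement level of one SPF record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    dns_terms, all_policy = [], None
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if m is None:
            raise ValueError(f"unparseable term: {term!r}")
        qualifier, name = m.group(1) or "+", m.group(2).lower()
        if name == "all":
            all_policy = QUALIFIERS[qualifier]
            break  # evaluation never reaches terms listed after "all"
        if name in DNS_TERMS:
            dns_terms.append(term)
    return {
        "dns_terms": dns_terms,
        "lookups": len(dns_terms),
        "over_limit": len(dns_terms) > LOOKUP_LIMIT,
        "all": all_policy,
        "enforcing": all_policy == "fail",
    }

# Records quoted in the thread above.
WIZARD = ("v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
          "ip4:66.90.73.80 ip4:216.250.250.148 ~all")
IP4_ONLY = "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"

if __name__ == "__main__":
    for rec in (WIZARD, IP4_ONLY):
        r = analyze_spf(rec)
        print(f"{r['lookups']} DNS-querying terms {r['dns_terms']}, "
              f"all={r['all']}, enforcing={r['enforcing']}")
```

The count is a lower bound on actual queries, since an `mx` term also triggers address lookups for each returned mail exchanger.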