[CentOS] SPF Record questions

Jonathan Vomacka juvix88 at gmail.com
Sat Feb 18 18:16:51 UTC 2012



On 2/18/2012 12:53 PM, Reindl Harald wrote:
>
>
> Am 18.02.2012 18:33, schrieb Jonathan Vomacka:
>>>>> -all will cause some MTA's to reject
>>>
>>> then they are badly broken
>>>
>>>>> ~all is better to use
>>>
>>> this means SPF is in testing mode and not enforced
>>> some servers may use them for scoring but they will
>>> never be used for blocking spoofed messages from
>>> wrong sender-addresses
>>> _____________________
>>>
>>> however, below are SPF-compliant records working since
>>> years for some hundret domains, maybe your BIND-version
>>> does not support record-type "SPF" (Recent Fedora does)
>>>
>>> RFC says a SPF-compliant domain should use both
>>>
>>> and yes i prefer ip4 instead A/MX because this is enforcing
>>> a lower count of dns requests at all and our internal dns
>>> baclend is able to translate configured hostnames to IP
>>> while generating the zone-files from the database
>>> _____________________
>>>
>>> @    IN TXT    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>> @    IN SPF    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>>
>>> subdomain1    IN TXT    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>> subdomain1    IN SPF    "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 -all"
>>>
>>
>> Reindl,
>>
>> What about if someone uses a mobile device to send e-mail?
>
> what is the difference between a mobile device and a customer
> at home on his workstation? there is no one! bot have to use
> the SMTP for their account
>
>> Would ~all be better?
>
> it is making less trouble for people using their ISP-MTA
> but this people are acting wrong and if you want to enforce
> SPF they must not do this, if you want life easy for people
> who acting wrong you CAN NOT enforce SPF at all
>
>> I also generated the following SPF
>> using a wizard. Let me know if this looks correct:
>>
>> teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80
>> ip4:216.250.250.148 ~all"
>
> looks OK, without enforcing
>
> i made the expierience in the last years that A/MX in SPF makes
> often troubles since there are more dns-requestes need on the
> receiver and this is raised up with every entry of these types
> in your SPF - ip4 does not need additional requests
>
> they often produced false positives, never seen again since changed to ip4
>
>> I wouldn't need an "include:" or "ptr" statement in this right? I would told "include:" was to include OTHER
>> domains that are allowed to send e-mail, but then again I see some people writing the domain again as an include.
>> Also is PTR good to use or not?
>
> no idea
>
> i am using strictly ip4-entries and do not mixing domains
> all users are instructed to use "mail.ourdomain.tld" and
> there are not existing dns-records in customer domains as
> also all MX-records of them are poining FQ to our spam-firewall
>

Reindl,

I am sorry to ask this, but is it possible you can modify my PTR record 
that I submitted above with how you would enter it into BIND? I want to 
make sure I accurately enter this.



More information about the CentOS mailing list