spf-discuss

Hold My SPF/Exim Hand?

2003-11-04 10:29:29

Hi SPFers,

OK, If you would, please just check me here.

So, I want to add some SPF records to my DNS,
and add the checking ACLs to my Exim config.


About half way through my jdl.com zone, right after
my SOA stuff, I have this:

    $ORIGIN jdl.com.
    @                               IN      NS      ns-a.cirr.com.
                                    IN      NS      ns-b.cirr.com.
                                    IN      MX      10 chrome.jdl.com.

    chrome                          IN      A       192.207.126.5

    jdl.com.                        IN      A       192.207.126.5

It works, but I won't swear it is perfect. :-)

So, I think I want to add this:

                                TXT "v=spf1 mx default=deny"
or maybe this:
                                TXT "v=spf1 mx ptr default=deny"

and I think I want to place it right after my NS lines
and before my MX line, though that is really a matter of style.

I don't need to start those SPF TXT records with "jdl.com." because
it is in the "$ORIGIN jdl.com." block, right?

I only send mail from the one machine chrome.jdl.com, aka jdl.com.
I don't really need the "ptr" in my SPF record, right?
I only have this PTR:

    $ORIGIN 126.207.192.in-addr.arpa.
    5               IN      PTR     jdl.com.

At the risk of sounding dumb, can someone clarify the "deny"
vs "softdeny" for me?  In particular, _when_ does this come
into play?  I am willing to just state from the onset that I
am the only publisher of mail from the "jdl.com" domain and
all others are forged.  Anyone else who actually tries to use
the domain is forging it.  So I should use "deny" directly, right?

But wait!  Who is checking it?  All of _your_ MTAs, right?
Not mine, right?  This is the crux of the biscuit:  When you
receive mail purporting to be from "jdl.com", you talk to my
DNS and say, "Yo, TXT records please!" and I tell you straight
up to 'deny' (or 'softdeny') a spoofer.  Am I close?

OK, so by publishing the SPF record here at jdl.com, no one
can spoof me.  Cool.  Next step.

In order to reap the benefits of _your_ SPF records, I need
to get my MTA to request your DNS TXT records and honor them.
I use exim 4.22 these days, so I visited:
    http://spf.pobox.com/exim4.spf.acl.txt

Before I drop this bad boy in place, can I get an "It works!"
confirmation?  Also, a minor clarification as to where it
needs to live.  I can see that it is part of the RCPT ACL.
That's cool.  I already have a 10 part RCPT ACL sequence,
and this needs to be added in there.  Where?  Early, late,
before or after blacklisting, RBL lookups, etc.

My guess here is that it doesn't much matter except that
"efficiency" should be considered.  Get the easy, cheap
tests done first and put this either just before or after
say, the RBL lookups, but before the series of "accept" ACLs
near the end.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/
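An added example (not part of the original post, and not code from the SPF project or the Exim ACL file it links to): a small Python model of the receiving MTA's side of the check the post describes. It looks up the sender domain's TXT record, walks the "mx" and "ptr" mechanisms against the connecting IP, and falls back to the "default=" result. The in-memory DNS table is a constructed stand-in for the jdl.com records shown in the post, the function names are this example's own, and treating a record with no "default=" as "unknown" is an assumption; result names follow the post's deny/softdeny wording (later SPF specifications spell these "-all" and "~all", with fail/softfail results).

```python
"""Toy evaluator for the draft-era SPF syntax in the post ("v=spf1 mx ptr default=deny").

Models what a *receiving* MTA does: fetch the sender domain's TXT record,
test each mechanism against the connecting client IP, apply "default=" if
nothing matched.  No network access: DNS is an in-memory table.
"""

# Constructed stand-in for the jdl.com zone data shown in the post (assumption:
# a real implementation would use a resolver, not a dict).
DNS = {
    ("jdl.com", "TXT"): ["v=spf1 mx ptr default=deny"],
    ("jdl.com", "MX"): ["chrome.jdl.com"],
    ("chrome.jdl.com", "A"): ["192.207.126.5"],
    ("jdl.com", "A"): ["192.207.126.5"],
    ("5.126.207.192.in-addr.arpa", "PTR"): ["jdl.com"],
}


def lookup(name, rtype):
    """Return the records of type rtype for name (empty list if none)."""
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def reverse_name(ip):
    """IPv4 dotted quad -> in-addr.arpa name used for the PTR lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def mech_mx(domain, client_ip):
    """mx: client IP is an A record of one of the domain's MX hosts."""
    return any(client_ip in lookup(mx, "A") for mx in lookup(domain, "MX"))


def mech_ptr(domain, client_ip):
    """ptr: reverse-map the client IP, keep only names that resolve back to
    that IP (forward-confirmed), and match if one is the domain or a
    subdomain of it.  Unconfirmed PTR names are ignored."""
    for name in lookup(reverse_name(client_ip), "PTR"):
        if client_ip not in lookup(name, "A"):
            continue  # PTR not confirmed by forward lookup; untrusted
        n = name.rstrip(".").lower()
        if n == domain or n.endswith("." + domain):
            return True
    return False


MECHANISMS = {"mx": mech_mx, "ptr": mech_ptr}


def evaluate(record, sender_domain, client_ip):
    """Evaluate one SPF record string for (sender_domain, client_ip).

    Returns 'pass' on the first matching mechanism, otherwise the value of
    'default=' ('deny', 'softdeny', ...).  Assumption of this example: a
    record with no default= and no match yields 'unknown', as does an
    unrecognised mechanism.
    """
    domain = sender_domain.rstrip(".").lower()
    default = "unknown"
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        if term.startswith("default="):
            default = term.split("=", 1)[1]
        elif term in MECHANISMS:
            if MECHANISMS[term](domain, client_ip):
                return "pass"
        else:
            return "unknown"
    return default


def check_spf(sender_domain, client_ip):
    """The receiving MTA's full check: find the domain's SPF TXT record
    (result 'none' if it publishes none), then evaluate it."""
    records = [t for t in lookup(sender_domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    return evaluate(records[0], sender_domain, client_ip)


if __name__ == "__main__":
    # The real sending host vs. a constructed forger at 10.0.0.1.
    for ip in ("192.207.126.5", "10.0.0.1"):
        print(f"MAIL FROM jdl.com via {ip}: {check_spf('jdl.com', ip)}")
    # Same forger, but the domain chose softdeny instead of deny.
    print(evaluate("v=spf1 mx default=softdeny", "jdl.com", "10.0.0.1"))
```

The two constructed client IPs show where "default=" comes into play: the mechanisms only ever produce "pass", so the deny/softdeny choice is what a receiver sees for every host that is not chrome.jdl.com. Running the "mx" mechanism alone against 192.207.126.5 already passes, which is the check behind the question of whether "ptr" adds anything for a single-host domain.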