spf-discuss

RE: spf entries for which hosts ???

2004-10-11 12:24:50
Sorry if this is a re-post.  I did not seem to make it the first time.
Maybe my ISP's SMTP server is waiting for something?

Guy

-----Original Message-----
From: guy [mailto:pobox(_at_)watkins-home(_dot_)com] 
Sent: Monday, October 11, 2004 11:20 AM
To: 'spf-discuss(_at_)v2(_dot_)listbox(_dot_)com'
Subject: RE: [spf-discuss] spf entries for which hosts ???

When you say "all of your domains" I think this is not clear.
It should be "all of your domains, sub domains and hosts".
Examples:
a.tld. (domain)
www.a.tld. (host)
test.a.tld. (sub-domain)
www.test.a.tld. (host on a sub domain)

In this example a.tld would get an spf record, example:
        "v=spf1 ip4:192.168.0.0/24 -all"
All other domains, sub-domains and hosts would get:
        "v=spf1 -all"

Maybe it is just a terminology thing.  But I have never called a host a
domain, the domain is the part to the right of the host name.  If I am using
the terminology incorrectly, sorry.  The above is a very common mistake.
Most sites that I have found that have an spf record, don't have an spf
record for www.domain.com.

It is not just you.  The spf docs, faqs and such are not clear on this.  And
this seems like a very important issue, since sub-domains and hosts can be
used to forge emails.

Try it:
dig +short txt ebay.com.
dig +short txt www.ebay.com.
dig +short txt aol.com.
dig +short txt www.aol.com.

Guy
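
The check that the dig commands above do by hand, as an added example that is not part of the original thread: it walks every name in a zone and flags names with no SPF record, and non-sending names that publish anything other than "v=spf1 -all". The zone data, the sender set and the function names are constructed for illustration; include/redirect are not followed.

```python
# Added example: audit SPF coverage for every name in a zone, not just the apex.
# ZONE_TXT is constructed sample data standing in for `dig +short txt <name>`.
ZONE_TXT = {
    "a.tld": ["v=spf1 ip4:192.168.0.0/24 -all", "some-site-verification=abc"],
    "www.a.tld": [],                               # no TXT record at all
    "test.a.tld": ["v=spf1 -all"],
    "www.test.a.tld": ["V=SPF1 ~all"],             # softfail on a non-sending host
    "mail.a.tld": ["v=spf1 -all", "v=spf1 a -all"],  # two SPF records
}
SENDERS = {"a.tld"}  # assumption: names actually used in MAIL FROM or HELO


def spf_records(txt_strings):
    """Return the TXT strings that are SPF version 1 records, split into terms."""
    found = []
    for txt in txt_strings:
        terms = txt.strip().strip('"').split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(terms)
    return found


def audit_name(name, txt_strings, senders):
    """Classify one name: missing, duplicated, weak or OK."""
    records = spf_records(txt_strings)
    if not records:
        return "MISSING: no SPF record, name can be used in forged mail"
    if len(records) > 1:
        return "ERROR: more than one SPF record published"
    terms = [t.lower() for t in records[0][1:]]
    if name in senders:
        if len(terms) > 1 and terms[-1] in ("-all", "~all"):
            return "OK: sender policy"
        return "WEAK: sender record lists no servers or lacks -all/~all"
    if terms == ["-all"]:
        return "OK: never sends mail"
    return "WEAK: non-sending name should publish 'v=spf1 -all'"


def audit_zone(zone_txt, senders):
    """Audit every name; returns {name: verdict}."""
    return {n: audit_name(n, t, senders) for n, t in sorted(zone_txt.items())}


if __name__ == "__main__":
    for name, verdict in audit_zone(ZONE_TXT, SENDERS).items():
        print(f"{name:16} {verdict}")
```
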

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Koen 
Martens
Sent: Monday, October 11, 2004 7:17 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] spf entries for which hosts ???

Hi,

This is more of an spf-help question, but anyway:

You want to publish spf records for _all_ of your domains (think about
how spf checking works, and what it protects against). For those domains
that are used in MAIL FROM / envelope from or HELO you want to publish
spf records which contain all of your _outgoing_ mail servers. 

Eg. if you have domains a.tld, b.tld, c.tld and all your outgoing mail
servers are in the IP block 192.168.0.0/24 (that is 192.168.0.0 till
192.168.0.255 as you probably already knew) then you would publish
"v=spf1 ip4:192.168.0.0/24 -all" (or ~all of course, for testing
initially). If you also have www.a.tld, www.b.tld, etc.. which are never
ever used for MAIL FROM or HELO, publish "v=spf1 -all" for those
domains.

Some more documentation to read:

http://spf.pobox.com/mechanisms.html
http://spf.pobox.com/faq.html

and the 'background reading' stuff in the sitemap of spf.pobox.com

Hope this helps,

Koen

On Mon, Oct 11, 2004 at 11:25:46AM +0200, Margrit Lottmann wrote:
We are interested in SPF.
I'm the postmaster from our university.

We're working with a number of virtual domains
     uni-magdeburg.de      for functional addresses
     urz.uni-magdeburg.de  compute centre
     mathematik.uni-magdeburg.de mathematics
     ...
(in the DNS there are MX records that control smtp transfer
 to that domains to our mailrelay servers (exim MTA)

There are also a number of smtp servers that send/receive
emails to/from that mailrelay servers.

If there are following servers

  server1.urz.uni-magdeburg.de
  server2.et.uni-magdeburg.de
  server3.math.uni-magdeburg.de

that can send emails with the domain part urz.uni-magdeburg.de
...

Which spf entries I have to write for server1,server2,server3 ???


--
With kind regards
M.Lottmann

 Otto - von - Guericke  Universitaet      __  __   ____ _____         _   __
               Magdeburg                 / / / /  / __ \__  /        / | / /
 ------------------------------------   / / / /  / /_/ / / / ______ /  |/ /
           Margrit Lottmann            / /_/ /  / _, _/ / /_______// /|  /
       Universitaetsrechenzentrum      \____/  /_/ |_| /____/     /_/ |_/
         Netze & Kommunikation

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta
features SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your
subscription, 
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
