spf-discuss

RE: I hate to interrupt all this for something practical, but.... we need a concise, easy-to-follow set of SPF instructions in file format - anyone able to help?

2004-10-31 20:53:52
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Andrew 
W.Donoho
Sent: Wednesday, October 27, 2004 3:58 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Cc: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] I hate to interrupt all this for something
practical, but.... we need a concise, easy-to-follow set of SPF
instructions in file format - anyone able to help?



On Oct 26, 2004, at 14:06, Anne P. Mitchell, Esq.
<amitchell(_at_)isipp(_dot_)com> wrote:

Sorry to interrupt the fun, but, we need a set of "how to set up SPF
records" instructions which are very easy to follow, for (ideally) the
most commonly deployed set-ups (think on both an enterprise and
home-business server level).


Anne,

Here is my HOWTO for a home business server. Tell me which
creative commons license you would like and I'll assign it to you
with that license.

Andrew

snip

SOHO Mailhost with Blocked Port 25 (SMTP):

In the case that your ISP gives you a great deal on connectivity
but doesn't want you running unmanaged mailservers, you can make a
simple addition to your SPF record that will tell the world that
you route your outgoing mail through your ISP's mailhosts.

IN TXT "v=spf1 a:SMTP.ISP.net -all"

"SMTP.ISP.net" is the name of the server your ISP gave you to send
mail through. That is all there is to it.

It's more complex than this perhaps.  Generally, the name that the ISP gives
you actually resolves to multiple machines with different names/IP
addresses.  For example, when I send mail via my domain host's server, I
"send" mail to relay.pair.com.  This is actually 5 SMTP servers.
Fortunately, Pair.com publishes an SPF record for relay.pair.com, so your
solution works fine.

My cable modem provider is Comcast.  They publish no SPF record at all, so
I'm left to guess.  So, through trial and error I've come up with a,
hopefully, comprehensive list of IP addresses:

?ip4:204.127.202.0/24 ?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24
?ip4:63.240.76.0/24

I also have DSL as a backup (I work out of the house, so redundancy is
critical).  For that, I use Megapathdsl.net.  They publish an SPF record,
but it's a bit complex, so the best bet is to include it in my record:

?include:megapathdsl.net

Additionally, all these are shared MTAs or IP blocks not under my control
that do not have strong technical measures in place to prevent
cross-customer forgery (this is true of almost all mail services today), so
I always put a ? in front of the mechanism so that it gives a NEUTRAL rather
than PASS result.  This is important, because I don't want other customers
of my providers to be able to forge my mail from address.

Also, you will almost certainly want MX in your record to support bounce
authentication even if people don't send mail from the MX.

Scott Kitterman
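
The following is an added example, not code from either post. It is a small SPF evaluator that walks a record of the shape Scott describes (the four Comcast ranges and the Megapath include, each behind "?", plus "mx", then "-all") against a constructed offline DNS table, so you can see that mail relayed through a shared ISP host comes back NEUTRAL while mail from your own MX comes back PASS. The domain example.com, its MX, and the contents of the megapathdsl.net record are assumptions made for the example; only the four Comcast ranges come from the post. Only the mechanisms the thread uses are implemented (ip4/ip6, a, mx, include, all); redirect, exp, ptr, exists, macros and the DNS lookup limits of real SPF are out of scope.

```python
"""Toy SPF check_host() over a constructed DNS table.

Added example for the spf-discuss thread; not the list's or any
library's code. Demonstrates why "?ip4:" / "?include:" on shared
ISP relays yields NEUTRAL rather than PASS, while "mx" yields PASS
for the domain's own mail host.
"""
import ipaddress

# Constructed DNS data standing in for live lookups. The four Comcast
# ranges are the ones from the post; everything else is invented for
# the example (example.com, its MX, and the megapathdsl.net record).
FAKE_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 ?ip4:204.127.202.0/24 ?ip4:204.127.198.0/24 "
        "?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 "
        "?include:megapathdsl.net mx -all"
    ],
    ("megapathdsl.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query; returns [] for unknown names."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the v=spf1 TXT record for domain, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for a connection from ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" tag
        qualifier = "+"                  # default qualifier is PASS
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False across address families, so ip6 terms never
            # match an IPv4 sender and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(addr == ipaddress.ip_address(a)
                          for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif name == "include":
            # include: is a match only if the included domain's record
            # gives PASS; the outer qualifier then decides the result,
            # which is how "?include:" turns that PASS into NEUTRAL.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched


if __name__ == "__main__":
    for sender in ("204.127.202.5", "198.51.100.7", "203.0.113.10", "192.0.2.1"):
        print(sender, "->", check_host(sender, "example.com"))
```

Running the block shows the split Scott is after: a Comcast relay address and a Megapath relay address both evaluate to neutral (the other customers sharing those relays cannot obtain a PASS for your domain), mail.example.com gets pass through the "mx" mechanism, and an unrelated address hits "-all" and fails.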

