Re: SPF and Webmin

John Hinton wrote:
> Jamie Cameron, the person behind Webmin, is adding some functions to the 
> interface to add/edit SPF records to the Bind module and the Virtualmin 
> module. He has asked me to summarize the differences between +,-,~ and 
> ?. But I think we need to know even a bit more. I have put together the 
> following, hoping to get a review/edit.. as I sure don't want to lead 
> this project off in a wrong direction. Looks like a lot of my statements 
> are bringing out how much I don't yet know about it. It would be nice to 
> provide more positive positions on some of the details below and check 
> to see that I have in fact used terminology that is in line with what is 
> standard. Also, have I missed any important item within the spec. I 
> particularly need help on the ptr section and at the end as I'm not sure 
> about that last statement at all.
> I would also like to include an example of a 'shortest least 
> restrictive' entry. For instance.. would this work?
> ew3d.net. IN TXT "v=spf1 a mx +all"
>
> Just to show the two ends of the spectrum, even though +all or all 
> should not be the 'suggested' choice.
> Thanks,
> John Hinton
>
> ----begin proposed rough email to webmin group--------
>
> Record types include the following.
>
> a, mx, ip, ptr, include, all.
>
> Surity flags for the above.
>
> + or none: allowed source
> - -: forbidden source
> ?: unknown status source
> ~: very questionable source
>
> An example SPF entry:
>
> ew3d.net. IN TXT "v=spf1 ip4:64.203.174.0/24 ip4:209.145.89.0/24 a mx 
> ptr a:superstatz.com mx:superstatz.com include:ew3d.com ?all"
> v=spf1      This says we have a spf version 1 record.
>
> ip4:64.203.174.0/24     states that this class C is an allowed email 
> network... just like the + sign. I think the limit to these entries is 10.
> ip4:209.145.89.235 adds this IP as allowed as well
>
> a         grabs the a record for this ew3d.net domain
> a:superstatz.com        means this domain is ok too
>
> mx        grabs the mx record for this domain
>
> mx:superstatz.com       says the mx record for superstat.com is ok too.
>
> ptr       Is a working option, but a resource hog according to many. I 
> don't know more, but I feel like it follows the same rule orders as the 
> rest, should a choice be made to use it. ptr does not need to be 
> included in the record at all.
> include:ew3d.com         says to include the SPF record from ew3d.com, 
> which is great, because how are we ever going to figure out ISP records 
> and keep up the with changes. The downside, if you use an include, you 
> better be sure that the domain HAS a SPF record. Tricky business here, 
> but a great tool.
> 'all' is the catchall so to speak. What to do with anything that is not 
> covered by the above.
> '+all' or 'all' means I have a SPF record but no limits set for use of 
> my domain name (will likely be rejected or scored poorly by the big ISPs 
> fairly early on).
> '?all' states that I'm not really sure of every instance of mail use, 
> but don't want complete access like 'all'.
> '~all' means I'm pretty darned certain I'm right, but I could be wrong, 
> allow some exceptions.
> '-all' states that I have my act together and there are no other 
> unlisted options.
> It seems that the +, -, ? and ~ can be used in front of at least some if 
> not all of the other entries. So
> -a:superstatz.com would be saying this domain is for sure not an 
> acceptable source.
I use webmin and I just use the "file edit" facility for the zonefile and enter the 
appropriate TXT record. Could Jamie not use the regexp that Wayne produced?  Webmin can 
not define the correctness of the contents a record - only the correctness of the syntax.

Slainte
JohnP