spf-discuss

Re: Hosting Company SPF Default Setting

2005-07-08 10:58:28

John Hinton wrote:
> In the meantime, for about two weeks, I've tried to get a reliable
> answer to this question......
>
> I am a hosting company. I have users set up with just about every
> conceivable method for dealing with email. I'm trying to establish a
> default SPF record, so I can get them out of the Hotmail spambox and
> before 'pressure' comes from more big ISPs to have records. Seems like
> now is a good time to add this basic record.
>
> Keep in mind, that I know I will need to contact each of my clients to
> discuss email with them and come up with a 'custom' solution for their
> domain/domains. All I want is a 'starting point'.
>
> I have webmail, the easy one, mail being forwarded to other providers,
> mail routed through the likes of postini, users POPing us but SMTPing
> through their provider and users both POPing, SMTPing through us and
> some which don't use the domain for mail at all.

So this gives you "a:webmail.example.net a:smtp.example.net" as
reliable entries for all your hosted domains (assuming you have good
cross-user forgery protections in place) where your outbound servers
apply. Perhaps even "ip4:127.0.0.5/28" with your outbound servers' IP
range.

> It will take a LOT of time to weed through those individual situations
> and have a (more) restrictive record for each. I feel I have no
> alternative except to view this as a fluid situation, where in time, I
> can become very restrictive yet precise.
>
> Given the above.... will the following record be my best alternative for
> that 'starting point'? I don't yet know 'mx' nor 'ip'. I can't reason
> that more could be a safe solution.
>
> @    IN    TXT    "v=spf1 ?all"

Close. I'd put the positive entries in for the servers you authorize
for them to use. This is safe and gives real benefits.

@    IN    TXT    "v=spf1 a:smtp.example.net ?all"

Would be a really good start. You could go to -all or ~all for
domains that agree to only use your servers for outbound mail.

> The domains which use postini as their mailservers, which are then sent
> to usernames on my system,  in particular are the ones that bother me,
> but I can't myself see an issue on those with the above record.

Those are going to be difficult. The best you can probably do with
those is "v=spf1 ?a:bigISP.example ?a:coffeeshop.example -all" even
after consulting with the domain owner.

> I'm ready to do this, but am asking for some assurance as I don't want
> to be missing something obvious.

It looks like you have a good start. Good luck going forward.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
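An added example, not part of the original message: a small Python evaluator for the subset of SPF used in this thread (the a: and ip4: mechanisms and all, with the +, -, ~ and ? qualifiers), showing what a receiver would conclude for each record suggested above. The A-record table and sender addresses are constructed documentation values standing in for DNS lookups.

```python
import ipaddress

# Constructed A records (assumption): stand-ins for real DNS answers.
A_RECORDS = {
    "smtp.example.net": ["192.0.2.10"],
    "bigisp.example": ["198.51.100.25"],
    "coffeeshop.example": ["203.0.113.7"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, a_records=A_RECORDS):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a" and arg:
            addrs = a_records.get(arg.lower(), [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"term outside this example's subset: {term}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"                         # nothing matched, no "all" term

if __name__ == "__main__":
    records = [
        "v=spf1 ?all",
        "v=spf1 a:smtp.example.net ?all",
        "v=spf1 a:smtp.example.net -all",
        "v=spf1 ?a:bigISP.example ?a:coffeeshop.example -all",
    ]
    # Host's own server, a listed third party, an unlisted address.
    for rec in records:
        for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.99"):
            print(f"{rec!r:58} {ip:15} -> {check_spf(rec, ip)}")
```

With "?all" alone every sender is neutral, so the record authorizes nothing and rejects nothing; adding the positive a: entry is what produces a pass for the host's own server.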

