spf-discuss

Re: Hosting Company SPF Default Setting

2005-07-08 15:33:15
Stuart D. Gathman wrote:

On Fri, 8 Jul 2005, John Hinton wrote:

Given the above.... will the following record be my best alternative for that 'starting point'? I don't yet know 'mx' nor 'ip'. I can't reason that more could be a safe solution.

@    IN    TXT    "v=spf1 ?all"

I would suggest that you start with obvious stuff you know about,
like their host.  Your default record should indeed end with ?all
until the user has gone through the requirements for "strict" mode.

For comparison, I "guess" the following default record for any domain
with no SPF record: "v=spf1 a mx ptr ?all".

Your default should be something similar - but optimized for what you
do know about your customer.

I guess this is the point. It is likely to take me about 300 hours of phone calls to get to what I 'need to know about what they are doing'. That's too long.

I have set this record on innserver.com.. which incidentally does use mail, so I'm playing there. :)

@ IN TXT "v=spf1 a:mail.innserver.com ip4:64.203.174.0/24 ip4:209.145.89.234 ?all"

1) I know that I have 'a' records for every domain's mail set to mail.example.com.
2) I know on which IP the domain resides... such as on the class C listed above.
3) I know that I have a remote backup mailserver at the 209.145.89.234 IP address available to almost all my domains.
4) I do not know what mailserver they are sending through or really what from address they are using, but do know many use their domain in that address.
5) I can sort out with a good bit of time if we are doing simple forwards to their ISP account.... sort of. They could still be using their UNIX user account.
6) I do know that some are using 'other' mailservers. Some of which like postini are doing filtering and sending to us at UNIX username.
7) I do know I have some for which I only manage DNS, but do no other services.
8) I do know that if they use webmail, (SquirrelMail) the mail 'will' be going out from our IPs.
9) I 'know' my accounts and am not worried about cross user forgery. If it happened, it would likely be accidental and as this is a very tight-knit group, it would be a HUGE embarrassment to be caught.
10) I know most of my users can barely set up an Outlook account, much less tell me what they set up... and DNS???? What's that? Therefore, it will likely take at least a half hour on the phone to each one.

I am not at this moment planning to add SPF records for systems outside of my control... postini and those for whom I only manage DNS.

I'm not sure I follow the reasoning in the above example.. are you saying to put in 'a mx ptr' with no additional information, or saying to put in domain info like:

a:example.com mx:example.com ptr:example.com

Which seems to me would/could break things badly?

So, how's all of that for a reality check from the real world? ;) It would be soooo much easier to be AOL right now.

Best,
John Hinton
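
Added example, not part of the original message and not code from any SPF library: a small Python evaluator run over the records quoted in this thread, showing what ?all returns for senders that match nothing and how a bare "a mx ptr" resolves against the domain being checked. The DNS tables, the address given for mail.innserver.com and the example.com hosts are constructed assumptions; only all, ip4, a, mx and ptr are handled.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (all values are assumptions).
DNS_A = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"],
         "web.example.com": ["192.0.2.80"], "mail.innserver.com": ["203.0.113.5"]}
DNS_MX = {"example.com": ["mail.example.com"]}
DNS_PTR = {"192.0.2.80": ["web.example.com"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, client_ip):
    """SPF result for client_ip under `record` published at `domain` (no include/redirect/macros)."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"  # a mechanism with no qualifier means pass
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain  # a bare a/mx/ptr refers to the domain being checked
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = client_ip in DNS_A.get(target, [])
        elif name == "mx":
            hit = any(client_ip in DNS_A.get(h, []) for h in DNS_MX.get(target, []))
        elif name == "ptr":  # reverse name must sit in the target domain and resolve back
            hit = any((h == target or h.endswith("." + target)) and client_ip in DNS_A.get(h, [])
                      for h in DNS_PTR.get(client_ip, []))
        else:
            return "permerror"  # mechanism this sketch does not handle
        if hit:
            return RESULT[qual]
    return "neutral"  # nothing matched and the record has no "all"

INNSERVER = "v=spf1 a:mail.innserver.com ip4:64.203.174.0/24 ip4:209.145.89.234 ?all"
GUESS = "v=spf1 a mx ptr ?all"
EXPLICIT = "v=spf1 a:example.com mx:example.com ptr:example.com ?all"

def compare(client_ip, domain="example.com"):
    """Results of the bare-mechanism record and the explicit one, both checked at `domain`."""
    return check_spf(GUESS, domain, client_ip), check_spf(EXPLICIT, domain, client_ip)

if __name__ == "__main__":
    for ip in ("64.203.174.55", "203.0.113.5", "198.51.100.7"):
        print(ip, check_spf(INNSERVER, "innserver.com", ip))
    print("192.0.2.25", compare("192.0.2.25"))
```

Checked at example.com, the bare and explicit records give the same result for every client. Copied unchanged onto a different domain, the explicit form authorizes example.com's hosts for that domain rather than the domain's own.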

