spf-discuss

Re: [spf-discuss] More detail on subdomains

2010-02-12 15:43:05
At 20:38 12/02/2010  Friday, James R. Marcus wrote:
Okay
I'll set an SPF record to tell the world not to accept email from @www.edhance.com with
www.edhance.com  IN TXT "v=spf1 -all" correct?

yup

The part that I'm not quite clear on is the part with the relay hosts. The
relay hosts relay1.edhance.com and relay0.edhance.com don't have TXT records but they
are in the edhance.com TXT record.  To be extra safe
should I add a TXT record for each of the relays like this:
relay1.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.100 -all"
and relay0.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.99 -all"?

yes, as SPF is used for 2 things:
to verify the sender envelope, i.e. user@edhance.com {the SPF/TXT
record for edhance.com}
and to verify the HELO greeting from your servers {the SPF/TXT
record for relay0.edhance.com and relay1.edhance.com}

additionally, as mail.edhance.com is used for neither, it should not have "v=spf1
a -all"; it should have "v=spf1 -all" like www.edhance.com and any other
existing DNS record with an A not used as a sending envelope or a HELO greeting


Thanks,
James

On Feb 12, 2010, at 3:09 PM, alan wrote:

At 19:24 12/02/2010  Friday, James R. Marcus wrote:
Yesterday I completely changed our SPF record to -all from ~all.  I started
reading the common mistakes section of the website and wasn't completely
sure about this part

"Publish null SPF records for your domains that don't send mail
Once you've protected your mail sending domains with SPF, if someone is
trying to spoof you, then the first thing they will try is to spoof your
non-mail sending domains. Publishing "v=spf1 -all" says that a domain sends
no mail. As an example, you might publish:

example.com.       IN  TXT  "v=spf1 a:mail.example.com -all"
mail.example.com.  IN  TXT  "v=spf1 a -all"
www.example.com.   IN  TXT  "v=spf1 -all"
"

Is there a list of common subdomains I'm supposed to add TXT records for, or
just simple ones I can think of?

no, just any that already exist in your DNS records with an A or MX record
[there is no point creating new ones]
{any domains without an A or MX record will already be rejected by most
mail receivers}

but i would point out from looking at your mail to the list that your server
actually sends with the name
relay1.edhance.com
(relay1.edhance.com [67.110.143.100

so you MUST have
relay1.edhance.com.  IN TXT "v=spf1 a -all"
or
relay1.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.100 -all"

if you want to be kinder to us all and save us the extra lookups

if you have a second machine sending as
mail.edhance.com the above is fine; IF not, you can
set mail.edhance.com to v=spf1 -all



I have shut down SMTP access to all but my two relay servers on the network.
But if I don't want email to come from
username@www.edhance.com,
do I just add this:
www.edhance.com IN TXT "v=spf1 -all"

exactly {this doesn't stop mail coming from xxx@domain, it just enables
receivers to tell it is obviously a forgery and reject it if it does, but
also as spammers aren't so dumb it does tend to stop them trying}


thanks,
James

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com




:: James R. Marcus | Director, IT Operations
:: Edhance | jmarcus(_at_)edhance(_dot_)com
:: v: 617-475-5360 | m: 914-772-8533
:: web: www.edhance.com





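The thread above describes two separate SPF checks a receiver makes (the HELO name of the connecting server, and the domain of the envelope sender) and argues for an ip4 record over an "a -all" record because the latter costs an extra lookup. The following is an added example, written for this page and not code from the thread, from alan, or from any SPF project: a minimal evaluator for exactly the record forms discussed (ip4, a, and a qualified all), run against a constructed in-memory zone rather than live DNS. The relay host names and the two relay addresses are taken from the thread; the edhance.com record contents, the other addresses, and the nospf/broken host names are assumptions made up for the example.

```python
import ipaddress

# Constructed zone data for this example. The host names and the two relay
# addresses appear in the thread; every other value is an assumption.
ZONE = {
    "edhance.com": {
        "TXT": ["v=spf1 ip4:67.110.143.99 ip4:67.110.143.100 -all"],
    },
    "relay0.edhance.com": {
        "A": ["67.110.143.99"],
        "TXT": ["v=spf1 ip4:67.110.143.99 -all"],
    },
    "relay1.edhance.com": {
        "A": ["67.110.143.100"],
        "TXT": ["v=spf1 a -all"],    # the 'a' form: costs a second lookup
    },
    "mail.edhance.com": {
        "A": ["67.110.143.101"],     # assumed; sends no mail, so a null record
        "TXT": ["v=spf1 -all"],
    },
    "www.edhance.com": {
        "A": ["67.110.143.102"],     # assumed
        "TXT": ["v=spf1 -all"],
    },
    "nospf.edhance.com": {
        "A": ["67.110.143.103"],     # assumed; an A record but no SPF record
    },
    "broken.edhance.com": {         # assumed; two SPF records is a permerror
        "TXT": ["v=spf1 -all", "v=spf1 a -all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, trace=None):
    """Answer a DNS query from ZONE; record it in `trace` when one is given."""
    if trace is not None:
        trace.append((name, rtype))
    return ZONE.get(name.rstrip(".").lower(), {}).get(rtype, [])


def check_host(ip, domain, trace=None):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Supports only the terms used in the thread: ip4:<addr>[/len],
    a[:<host>], and a qualified 'all'. Anything else is a permerror here.
    """
    records = [t for t in lookup(domain, "TXT", trace)
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"           # the domain publishes no SPF policy at all
    if len(records) > 1:
        return "permerror"      # more than one SPF record is a permanent error
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # an IPv6 client never matches an ip4 term
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = arg or domain
            matched = any(client == ipaddress.ip_address(a)
                          for a in lookup(target, "A", trace))
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # no term matched and no 'all' at the end


def check_message(client_ip, helo, mail_from):
    """The two checks the thread describes: HELO name, then MAIL FROM domain."""
    return {
        "helo": check_host(client_ip, helo),
        "mail_from": check_host(client_ip, mail_from.rsplit("@", 1)[-1]),
    }


if __name__ == "__main__":
    # Legitimate relay: both identities pass.
    print(check_message("67.110.143.100", "relay1.edhance.com", "user@edhance.com"))
    # Forgery from elsewhere using the web host's name: both identities fail.
    print(check_message("203.0.113.5", "www.edhance.com", "user@www.edhance.com"))
    # Cost of "a -all" versus "ip4:... -all": one extra lookup per check.
    for relay in ("relay0.edhance.com", "relay1.edhance.com"):
        trace = []
        check_host(ZONE[relay]["A"][0], relay, trace)
        print(relay, "lookups:", len(trace))
```

The trace shows the point alan makes about being kinder to receivers: checking relay0 (ip4 record) takes one query, checking relay1 ("a -all") takes two. A host with an A record but no TXT record evaluates to "none", which is why the thread recommends a null "v=spf1 -all" record on every existing A name that never sends or greets.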