Re: spf support in QuickDNS?
From: Men & Mice Support
Date: Monday, August 16, 2004
Time: 9:54:00 am

Of course you need an SPF record for every "virtual" domain. Think of
an SPF record as an MX record for sending mail, instead of for
receiving it. Any domain that sends email (i.e. that has a user that
sends email) should have an SPF record (if you're choosing to
participate in the SPF test roll-out at all).
____________________________________________________________________
For those who are not yet familiar, an SPF record has the following format:
Record name = a domain name that you want to use in an email address,
after the @ symbol.
Record type = TXT
Record data = an SPF-formatted string of space-delimited identifiers.
The first identifier gives the SPF version. The last is usually
"-all". The ones in between provide means of identifying the mail
servers that are allowed to send (relay) mail for the domain name in
question. Types of identifiers are below.
a
This means that the record's name should be queried for A records to
find allowed hosts.
a:smtp.menandmice.is
This explicitly identifies the Men & Mice outbound mail relay.
mx
This means that the record's name should be queried for MX records,
and the mailhosts listed therein should be looked up, to find allowed
hosts.
mx:menandmice.is
This says that any host listed in an MX record named menandmice.is is
permitted to send mail for this domain.
ptr
Bad idea. Don't use this. It's possible to forge a PTR record, so
security based on PTR records is hardly secure. Instead, use the ip4
identifier to specify a subnet.
ip4:192.168.1.1
This address can send mail for the domain name.
ip4:192.168.1.0/24
Any machine on this subnet can send mail for the domain name. Use
only for subnets you feel you can trust, since if someone malicious
can put a machine on the physical network (through any means at all,
including sneaking in a wifi- and ethernet-enabled PDA running Linux
to act as a gateway), they can then send mail from your domain.
include:menandmice.is
Look for SPF records named menandmice.is and allow any host that's
allowed for that domain. Use sparingly, but this is useful if you
ever relay mail through your ISP or NSP. In such cases, you're
relying on that party to understand and implement good security
measures, including (of course) SPF.
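As an added illustration, not part of this post or of any Men & Mice/QuickDNS code, here is a small Python evaluator that walks an SPF record built from the identifiers above and reports what a receiving mail server would conclude for a given sending IP. DNS answers come from a constructed in-memory table using hypothetical names (example.org, relay.example.net, soft.example, loop.example) and documentation addresses, so it runs offline; the ptr identifier is deliberately treated as never matching, in line with the advice above, and an include that points at a missing record or loops back on itself ends in permerror.

```python
"""Offline SPF evaluator for the a / a:host / mx / mx:domain / ip4 /
include / ptr identifiers and the trailing "-all" (or ~all, ?all).

Added example; not QuickDNS or Men & Mice code. DNS lookups are served
from the constructed table below, so nothing touches the network.
"""
import ipaddress

# Constructed DNS data: every name and address here is hypothetical.
DNS = {
    ("example.org", "TXT"): ["v=spf1 a mx ip4:192.168.1.0/24 include:relay.example.net -all"],
    ("example.org", "A"): ["203.0.113.10"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.25"],
    ("relay.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/25 -all"],
    ("soft.example", "TXT"): ["v=spf1 a:mail.example.org ~all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # stops runaway include chains (RFC 7208 also caps lookups at 10)


def lookup(name, rtype):
    """Return the constructed records for name/type, or [] if there are none."""
    return DNS.get((name.lower(), rtype), [])


def hosts_for(name, mech):
    """Addresses behind an 'a' or 'mx' identifier: the A records of the name
    itself, or the A records of every mail host named in its MX records."""
    names = [name] if mech == "a" else lookup(name, "MX")
    addrs = []
    for n in names:
        addrs.extend(lookup(n, "A"))
    return {ipaddress.ip_address(a) for a in addrs}


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None if it has none."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate a sending IP against a domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                    # domain does not participate in SPF
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version identifier
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("a", "mx"):
            matched = sender in hosts_for(value or domain, mech)
        elif mech == "ip4":
            # A bare address becomes a /32 network; a CIDR covers the subnet.
            matched = sender in ipaddress.ip_network(value, strict=False)
        elif mech == "include":
            inner = check_host(ip, value, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"       # included record missing or broken
            matched = inner == "pass"    # only a pass from the other domain counts
        elif mech == "ptr":
            matched = False              # unreliable per the post; ignored on purpose
        else:
            return "permerror"           # unknown identifier
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # record exhausted without any match


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example.org"), ("192.168.1.77", "example.org"),
                       ("198.51.100.200", "example.org"), ("10.0.0.1", "soft.example"),
                       ("10.0.0.1", "nospf.example"), ("10.0.0.1", "loop.example")]:
        print(f"{ip:>16}  {domain:<16}  {check_host(ip, domain)}")
```

The "-all" at the end is what turns an unlisted relay into a hard fail: with "~all" the same sender only softfails, and a record with no "all" term at all leaves unknown senders at neutral, which is why the post recommends closing every record with "-all" once you trust the list in front of it.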
____________________________________________________________________
All told, SPF represents a diminution of flexibility and convenience
in the name of reducing spam. It may be a good solution given what we
have to work with, but it's still going to be annoying to find that,
for example, smtp.mac.com is down and there's no way to use an
alternate SMTP relay (such as your home ISP's outbound relay).
____________________________________________________________________
Chris Buxton                    Men & Mice
Customer Support Specialist     Making DNS Easy
At 8:11 AM -0400 8/16/04, Joe D'Andrea wrote:
>At 8:14 PM -0500 3/26/04, codger wrote:
>>Hmmm. This is what I have. Why do you have two entries, Chris? Is
>>there something I'm missing here? Do I need to have TXT records for
>>all virtual domains? (I didn't think so from the docs on SPF that I
>>read from pobox.com some time back.)
>
>Where do you see in the docs that you wouldn't need TXT(SPF) records
>for all virtual domains?
>
>I would think that one would need them. In fact I just added
>TXT(SPF) records for the domain that my main mail server is in
>(west21.com). I tested it with e-mail addresses in the main domain
>name (joedan@west21.com) and the SPF tests "passed". Then I tested
>using addresses in client domains that originate from the same
>server and are sent through the same MX. They all were
>"Received-SPF: unknown (no rule found)"
>
>So we're adding SPF records to every domain we host DNS and/or mail for.
>
>~joe