Re: spf support in QuickDNS?

From: Simon Wright
Date: Monday, August 16, 2004
Time: 10:22:01 am

Chris, valuable information, thanks.

As a final datum, can you post the actual contents of your data record
as shown in QuickDNS Manager? I'm a bit confused by the "SPF version"
and the "-all" bits. What does a record or records actually look like?

Thanks.

Simon

On Aug 16, 2004, at 12:50 PM, Men & Mice Support wrote:

> Of course you need an SPF record for every "virtual" domain. Think of
> an SPF record as an MX record for sending mail, instead of for
> receiving it. Any domain that sends email (i.e. that has a user that
> sends email) should have an SPF record (if you're choosing to
> participate in the SPF test roll-out at all).
> ____________________________________________________________________
>
> For those who are not yet familiar, an SPF record has the following
> format:
>
> Record name = a domain name that you want to use in an email address,
> after the @ symbol.
>
> Record type = TXT
>
> Record data = an SPF-formatted string of space-delimited identifiers.
> The first identifier gives the SPF version. The last is usually
> "-all". The ones in between provide means of identifying the mail
> servers that are allowed to send (relay) mail for the domain name in
> question. Types of identifiers are below.
>
> a
> This means that the record's name should be queried for A records to
> find allowed hosts.
>
> a:smtp.menandmice.is
> This explicitly identifies the Men & Mice outbound mail relay.
>
> mx
> This means that the record's name should be queried for MX records,
> and the mailhosts listed therein should be looked up, to find allowed
> hosts.
>
> mx:menandmice.is
> This says that any host listed in an MX record named menandmice.is is
> permitted to send mail for this domain.
>
> ptr
> Bad idea. Don't use this. It's possible to forge a PTR record, so
> security based on PTR records is hardly secure. Instead, use the ip4
> identifier to specify a subnet.
>
> ip4:192.168.1.1
> This address can send mail for the domain name.
>
> ip4:192.168.1.0/24
> Any machine on this subnet can send mail for the domain name. Use only
> for subnets you feel you can trust, since if someone malicious can put
> a machine on the physical network (through any means at all, including
> sneaking in a wifi- and ethernet-enabled PDA running Linux to act as a
> gateway), they can then send mail from your domain.
>
> include:menandmice.is
> Look for SPF records named menandmice.is and allow any host that's
> allowed for that domain. Use sparingly, but this is useful if you ever
> relay mail through your ISP or NSP. In such cases, you're relying on
> that party to understand and implement good security measures,
> including (of course) SPF.
> ____________________________________________________________________
>
> All told, SPF represents a diminution of flexibility and convenience
> in the name of reducing spam. It may be a good solution given what we
> have to work with, but it's still going to be annoying to find that,
> for example, smtp.mac.com is down and there's no way to use an
> alternate SMTP relay (such as your home ISP's outbound relay).
> ____________________________________________________________________
> Chris Buxton
> Customer Support Specialist
> Men & Mice, Making DNS Easy
>
> At 8:11 AM -0400 8/16/04, Joe D'Andrea wrote:
>> At 8:14 PM -0500 3/26/04, codger wrote:
>>> Hmmm. This is what I have. Why do you have two entries, Chris? Is
>>> there something I'm missing here? Do I need to have TXT records for
>>> all virtual domains? (I didn't think so from the docs on SPF that I
>>> read from pobox.com some time back.)
>>
>> Where do you see in the docs that you wouldn't need TXT(SPF) records
>> for all virtual domains?
>>
>> I would think that one would need them. In fact I just added TXT(SPF)
>> records for the domain that my main mail server is in (west21.com). I
>> tested it with e-mail addresses in the main domain name
>> (joedan@west21.com) and the SPF tests "passed". Then I tested using
>> addresses in client domains that originate from the same server and
>> are sent through the same MX. They all were "Received-SPF: unknown
>> (no rule found)".
>>
>> So we're adding SPF records to every domain we host DNS and/or mail
>> for.
>>
>> ~joe
>
>
>
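As an added illustration (an editor's example, not part of the thread and not code from Men & Mice or QuickDNS), the following Python shows what a TXT record in the format Chris describes looks like and how a receiving mail server evaluates it: the first token is the version tag `v=spf1`, the tokens in between are the mechanisms (`a`, `mx`, `ip4`, `include`), and the trailing `-all` means any sender not matched by an earlier mechanism fails. The DNS table, domain names and IP addresses below are constructed for the example (documentation ranges, not real hosts), and no live DNS lookups are made. The `ptr` mechanism is deliberately treated as a non-match, following the advice above.

```python
"""Minimal SPF evaluator over a constructed DNS table (added example)."""
import ipaddress

# Constructed zone data standing in for what QuickDNS Manager would show.
# A domain's SPF record is a TXT record at the domain name itself.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 a mx ip4:192.0.2.0/24 include:relay.example.net -all"],
        "A": ["198.51.100.10"],          # used by the bare "a" mechanism
        "MX": ["mail.example.com"],      # used by the bare "mx" mechanism
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "relay.example.net": {               # an ISP relay pulled in via "include:"
        "TXT": ["v=spf1 ip4:203.0.113.5 -all"],
    },
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of one type at a name from the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Pick the TXT record that starts with the SPF version tag, if any."""
    for txt in lookup(domain, "TXT"):
        if txt.split()[0] == "v=spf1":
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate <domain>'s SPF record for a sending IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no SPF record)
    or 'permerror' (unknown mechanism or runaway include chain).
    Handles a, mx, ip4, include, ptr (always no-match) and all; CIDR
    suffixes on a/mx are not supported in this small example.
    """
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:      # skip the "v=spf1" token
        qualifier = "+"                  # an unprefixed mechanism means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == addr
                          for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ipaddress.ip_address(a) == addr
                          for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif mech == "ip4":
            # A bare address is treated as a /32 network.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif mech == "ptr":
            matched = False              # forgeable; never treated as a match here
        else:
            return "permerror"

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # no mechanism matched and no "all"


if __name__ == "__main__":
    for sender in ("198.51.100.10", "198.51.100.25", "192.0.2.77",
                   "203.0.113.5", "203.0.113.9"):
        print(sender, "->", check_host(sender, "example.com"))
```

Run as a script it prints the verdict for each constructed sender: the domain's own A host, its MX host, a host in the `ip4:` subnet and the included relay all pass, while an unlisted address hits `-all` and fails. A domain with no `v=spf1` TXT record returns `none`, which is the "no rule found" outcome Joe saw for his client domains.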