Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: Discuss

More detail on subdomains

  

 
SPF discuss RSS feed   Index | Next | Previous | View Threaded


jmarcus at edhance

Feb 12, 2010, 11:24 AM

Post #1 of 6 (1706 views)
Permalink
More detail on subdomains
Yesterday I changed completely our SPF record to -all from ~all. I started reading the common mistakes section of the website and wasn't completely sure about this part

"Publish null SPF records for your domains that don't send mail
Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain sends no mail. As an example, you might publish:

example.com. IN TXT "v=spf1 a:mail.example.com -all"
mail.example.com. IN TXT "v=spf1 a -all"
www.example.com. IN TXT "v=spf1 -all"
"

Are there a list of common subdomains I'm supposed to add TXT records for or just just simple ones I can think of?


I have shutdown SMTP access to all but my to relay servers on the network. But if I don't want email to come from username [at] www, do I just add this:
www.edhance.com IN TXT "v=spf1 -all"

thanks,
James





-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


gcerullo at pixelpointstudios

Feb 12, 2010, 11:41 AM

Post #2 of 6 (1661 views)
Permalink
Re: More detail on subdomains [In reply to]
On 12-Feb-10, at 2:24 PM, James R. Marcus wrote:

> Yesterday I changed completely our SPF record to -all from ~all. I
> started reading the common mistakes section of the website and
> wasn't completely sure about this part
>
> "Publish null SPF records for your domains that don't send mail
> Once you've protected your mail sending domains with SPF, if someone
> is trying to spoof you, then first thing they will try is to spoof
> your non-mail sending domains. Publishing "v=spf1 -all" says that a
> domain sends no mail. As an example, you might publish:
>
> example.com. IN TXT "v=spf1 a:mail.example.com -all"
> mail.example.com. IN TXT "v=spf1 a -all"
> www.example.com. IN TXT "v=spf1 -all"
> "
>
> Are there a list of common subdomains I'm supposed to add TXT
> records for or just just simple ones I can think of?

No! What you want to do is create an SPF policy for any domain/host
name that has an 'A' record only!

For example, if you don't have the host name, 'ftp.edhance.com' then
why created a SPF policy for it? Just because 'ftp' is common doesn't
mean you create a policy for it.

> I have shutdown SMTP access to all but my to relay servers on the
> network. But if I don't want email to come from username [at] www
> , do I just add this:
> www.edhance.com IN TXT "v=spf1 -all"

Since 'www.edhance.com' and 'edhance.com' both point to the IP address
67.110.143.116 why have an 'A' record for 'www.edhance.com'? You could
have covered this with a 'C NAME' record and not worried about
providing a SPF policy for it. But this touches on DNS configuration
and is beyond the scope of this mail list!


>
> thanks,
> James

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


spfdiscuss at alandoherty

Feb 12, 2010, 12:09 PM

Post #3 of 6 (1655 views)
Permalink
Re: More detail on subdomains [In reply to]
At 19:24 12/02/2010 Friday, James R. Marcus wrote:
>Yesterday I changed completely our SPF record to -all from ~all. I started reading the common mistakes section of the website and wasn't completely sure about this part
>
>"Publish null SPF records for your domains that don't send mail
>Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain sends no mail. As an example, you might publish:
>
>example.com. IN TXT "v=spf1 a:mail.example.com -all"
>mail.example.com. IN TXT "v=spf1 a -all"
>www.example.com. IN TXT "v=spf1 -all"
>"
>
>Are there a list of common subdomains I'm supposed to add TXT records for or just just simple ones I can think of?

no just any that already exist in your DNS records with an A or MX record [there is no point creating new ones]
{any domains without an A or MX record will already be rejected by most mail-recievers}

but i would point out from looking at you mail to the list that your server actually sends with the name
relay1.edhance.com (relay1.edhance.com [.67.110.143.100

so you MUST have
relay1.edhance.com. IN TXT "v=spf1 a -all"
or
relay1.edhance.com. IN TXT "v=spf1 ip4:67.110.143.100 -all"

if you want to be kinder to us all and save us the extra lookups

if you have a second machine sending as mail.edhance.com the above is fine IF not you can set mail.edhance.com to v=spf1 -all



>I have shutdown SMTP access to all but my to relay servers on the network. But if I don't want email to come from username [at] www, do I just add this:
>www.edhance.com IN TXT "v=spf1 -all"

exactly {this dosn't stop mail comming from xxx [at] domai, it just enables receivers to tell it is obviously a forgery and reject it if it does, but also as spammer aren't so dumb it does tend to stop them trying}


>thanks,
>James
>
>
>
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/735/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/735/
>Powered by Listbox: http://www.listbox.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


jmarcus at edhance

Feb 12, 2010, 12:38 PM

Post #4 of 6 (1649 views)
Permalink
Re: More detail on subdomains [In reply to]
Okay
I'll set an SPF to tell the world not accept email from @www.edhance.com with www.edhance.com<http://www.edhance.com> IN TXT "v=spf1 -all" correct?
The part that I'm not quite clear on is the part with the relay hosts. The relay hosts relay1.edhance.com<http://relay1.edhance.com> and relay0.edhance.com<http://relay0.edhance.com> don't have txt record but they are in the edhance.com<http://edhance.com> TXT record. To be extra safe should I add a txt record for each of the relays like this: relay1.edhance.com<http://relay1.edhance.com>. IN TXT "v=spf1 ip4:67.110.143.100 -all" & relay0.edhance.com<http://relay0.edhance.com>. IN TXT "v=spf1 ip4:67.110.143.99 -all"?

Thanks,
James





On Feb 12, 2010, at 3:09 PM, alan wrote:

At 19:24 12/02/2010 Friday, James R. Marcus wrote:
Yesterday I changed completely our SPF record to -all from ~all. I started reading the common mistakes section of the website and wasn't completely sure about this part

"Publish null SPF records for your domains that don't send mail
Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain sends no mail. As an example, you might publish:

example.com<http://example.com>. IN TXT "v=spf1 a:mail.example.com -all"
mail.example.com<http://mail.example.com>. IN TXT "v=spf1 a -all"
www.example.com<http://www.example.com>. IN TXT "v=spf1 -all"
"

Are there a list of common subdomains I'm supposed to add TXT records for or just just simple ones I can think of?

no just any that already exist in your DNS records with an A or MX record [there is no point creating new ones]
{any domains without an A or MX record will already be rejected by most mail-recievers}

but i would point out from looking at you mail to the list that your server actually sends with the name
relay1.edhance.com<http://relay1.edhance.com> (relay1.edhance.com<http://relay1.edhance.com> [67.110.143.100

so you MUST have
relay1.edhance.com<http://relay1.edhance.com>. IN TXT "v=spf1 a -all"
or
relay1.edhance.com<http://relay1.edhance.com>. IN TXT "v=spf1 ip4:67.110.143.100 -all"

if you want to be kinder to us all and save us the extra lookups

if you have a second machine sending as mail.edhance.com<http://mail.edhance.com> the above is fine IF not you can set mail.edhance.com<http://mail.edhance.com> to v=spf1 -all



I have shutdown SMTP access to all but my to relay servers on the network. But if I don't want email to come from username [at] www<mailto:username [at] www>, do I just add this:
www.edhance.com<http://www.edhance.com> IN TXT "v=spf1 -all"

exactly {this dosn't stop mail comming from xxx [at] domai, it just enables receivers to tell it is obviously a forgery and reject it if it does, but also as spammer aren't so dumb it does tend to stop them trying}


thanks,
James





-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

:: James R. Marcus | Director, IT Operations
:: Edhance | jmarcus [at] edhance<x-msg://103/jmarcus [at] edhance>
:: v: 617-475-5360 | m: 914-772-8533
:: web: www.edhance.com<http://www.edhance.com/>




-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


spfdiscuss at alandoherty

Feb 12, 2010, 1:40 PM

Post #5 of 6 (1653 views)
Permalink
Re: More detail on subdomains [In reply to]
At 20:38 12/02/2010 Friday, James R. Marcus wrote:
>Okay
>I'll set an SPF to tell the world not accept email from @www.edhance.com with <http://www.edhance.com>www.edhance.com IN TXT "v=spf1 -all" correct?

yup

>The part that I'm not quite clear on is the part with the relay hosts. The relay hosts <http://relay1.edhance.com>relay1.edhance.com and <http://relay0.edhance.com>relay0.edhance.com don't have txt record but they are in the <http://edhance.com>edhance.com TXT record. To be extra safe should I add a txt record for each of the relays like this: <http://relay1.edhance.com>relay1.edhance.com. IN TXT "v=spf1 ip4:67.110.143.100 -all" & <http://relay0.edhance.com>relay0.edhance.com. IN TXT "v=spf1 ip4:67.110.143.99 -all"?

yes as spf is used for 2 things
to verify the sender-envelope ie user [at] edhance {the spf/txt record for edhance.com}
and spf is used to verify the HELO greeting from your servers {the spf/txt record for relay0.edhance.com and relay1.edhance.com}

additionally as mail.edhance.com is used for nether it should not have "v=spf1 a -all" it should have "v=spf1 -all" like www.edhance.com and any other existing dns record with an A not used as a sending envelope or a helo greeting


>Thanks,
>James
>
>
>
>
>
>On Feb 12, 2010, at 3:09 PM, alan wrote:
>
>>At 19:24 12/02/2010 Friday, James R. Marcus wrote:
>>>Yesterday I changed completely our SPF record to -all from ~all. I started reading the common mistakes section of the website and wasn't completely sure about this part
>>>
>>>"Publish null SPF records for your domains that don't send mail
>>>Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain sends no mail. As an example, you might publish:
>>>
>>><http://example.com>example.com. IN TXT "v=spf1 a:mail.example.com -all"
>>><http://mail.example.com>mail.example.com. IN TXT "v=spf1 a -all"
>>><http://www.example.com>www.example.com. IN TXT "v=spf1 -all"
>>>"
>>>
>>>Are there a list of common subdomains I'm supposed to add TXT records for or just just simple ones I can think of?
>>
>>no just any that already exist in your DNS records with an A or MX record [there is no point creating new ones]
>>{any domains without an A or MX record will already be rejected by most mail-recievers}
>>
>>but i would point out from looking at you mail to the list that your server actually sends with the name
>><http://relay1.edhance.com>relay1.edhance.com (<http://relay1.edhance.com>relay1.edhance.com [67.110.143.100
>>
>>so you MUST have
>><http://relay1.edhance.com>relay1.edhance.com. IN TXT "v=spf1 a -all"
>>or
>><http://relay1.edhance.com>relay1.edhance.com. IN TXT "v=spf1 ip4:67.110.143.100 -all"
>>
>>if you want to be kinder to us all and save us the extra lookups
>>
>>if you have a second machine sending as <http://mail.edhance.com>mail.edhance.com the above is fine IF not you can set <http://mail.edhance.com>mail.edhance.com to v=spf1 -all
>>
>>
>>
>>>I have shutdown SMTP access to all but my to relay servers on the network. But if I don't want email to come from <mailto:username [at] www>username [at] www, do I just add this:
>>><http://www.edhance.com>www.edhance.com IN TXT "v=spf1 -all"
>>
>>exactly {this dosn't stop mail comming from xxx [at] domai, it just enables receivers to tell it is obviously a forgery and reject it if it does, but also as spammer aren't so dumb it does tend to stop them trying}
>>
>>
>>>thanks,
>>>James
>>>
>>>
>>>
>>>
>>>
>>>-------------------------------------------
>>>Sender Policy Framework: <http://www.openspf.org>http://www.openspf.org [http://www.openspf.org]
>>>Modify Your Subscription: <http://www.listbox.com/member/>http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>>
>>>Archives: <https://www.listbox.com/member/archive/735/=now>https://www.listbox.com/member/archive/735/=now
>>>RSS Feed: <https://www.listbox.com/member/archive/rss/735/>https://www.listbox.com/member/archive/rss/735/
>>>Powered by Listbox: <http://www.listbox.com>http://www.listbox.com
>>
>>
>>
>>-------------------------------------------
>>Sender Policy Framework: <http://www.openspf.org>http://www.openspf.org [http://www.openspf.org]
>>Modify Your Subscription: <http://www.listbox.com/member/>http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>
>>Archives: <https://www.listbox.com/member/archive/735/=now>https://www.listbox.com/member/archive/735/=now
>>RSS Feed: <https://www.listbox.com/member/archive/rss/735/>https://www.listbox.com/member/archive/rss/735/
>>Powered by Listbox: <http://www.listbox.com>http://www.listbox.com
>
>:: James R. Marcus | Director, IT Operations
>:: Edhance | <x-msg://103/jmarcus [at] edhance>jmarcus [at] edhance
>:: v: 617-475-5360 | m: 914-772-8533
>:: web: <http://www.edhance.com/>www.edhance.com
>
>Sender Policy Framework: <http://www.openspf.org>http://www.openspf.org
>Modify Your Subscription: <http://www.listbox.com/member/>http://www.listbox.com/member/
><https://www.listbox.com/member/archive/735/=now>Archives<https://www.listbox.com/member/archive/rss/735/>



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


spfdiscuss at alandoherty

Feb 12, 2010, 2:22 PM

Post #6 of 6 (1651 views)
Permalink
Re: More detail on subdomains [In reply to]
At 20:38 12/02/2010 Friday, James R. Marcus wrote:
>Okay
>I'll set an SPF to tell the world not accept email from @www.edhance.com with <http://www.edhance.com>www.edhance.com IN TXT "v=spf1 -all" correct?
>The part that I'm not quite clear on is the part with the relay hosts. The relay hosts <http://relay1.edhance.com>relay1.edhance.com and <http://relay0.edhance.com>relay0.edhance.com don't have txt record but they are in the <http://edhance.com>edhance.com TXT record. To be extra safe should I add a txt record for each of the relays like this: <http://relay1.edhance.com>relay1.edhance.com. IN TXT "v=spf1 ip4:67.110.143.100 -all" & <http://relay0.edhance.com>relay0.edhance.com. IN TXT "v=spf1 ip4:67.110.143.99 -all"?
>
>Thanks,
>James

now from looking at your actual spf records {as now i see the bit quoted was for example.com not edhance.com
edhance.com IN TXT v=spf1 mx ip4:67.110.143.99 ip4:64.68.200.53 ip4:74.203.49.89 ip4:67.110.143.100 ip4:174.143.247.222 -all
relay0.edhance.com

i see you need to remove the mx or at least move it to after the ip4 records
{ALWAYS,ALWAYS order correctly ip4{fastest 0 extra lookups} then A{1 lookup} then only if necessary mx{4 in your case}}
if you know your ip's mx is never needed or useful {and in your case mx == ip4:67.110.143.99 ip4:67.110.143.100 ip4:64.68.200.53}

so i would rewrite your spf as follows given the available information
edhance.com IN TXT v=spf1 ip4:67.110.143.99 ip4:67.110.143.100 ip4:74.203.49.89 ip4:174.143.247.222 ip4:64.68.200.53 a:smtp2.easydns.com -all

i included the ip4 and a for smtp2 so while it lives at that ip it works fastest by matching ip4 but also if they move it, it continues to work by a:

also in your ip list i see 67.110.143.99 relay0 & 67.110.143.100 relay1
but who/what are the other 3 64.68.200.53 [smtp2.easydns.com from your mx records] 74.203.49.89 74.143.247.222 and what names might they use to helo greet? and do you actually send mail out via those servers? as inbound MX's are not often outbound relays?

we can always test by sending me a mail via each to see?






>On Feb 12, 2010, at 3:09 PM, alan wrote:
>
>>At 19:24 12/02/2010 Friday, James R. Marcus wrote:
>>>Yesterday I changed completely our SPF record to -all from ~all. I started reading the common mistakes section of the website and wasn't completely sure about this part
>>>
>>>"Publish null SPF records for your domains that don't send mail
>>>Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain sends no mail. As an example, you might publish:
>>>
>>><http://example.com>example.com. IN TXT "v=spf1 a:mail.example.com -all"
>>><http://mail.example.com>mail.example.com. IN TXT "v=spf1 a -all"
>>><http://www.example.com>www.example.com. IN TXT "v=spf1 -all"
>>>"
>>>
>>>Are there a list of common subdomains I'm supposed to add TXT records for or just just simple ones I can think of?
>>
>>no just any that already exist in your DNS records with an A or MX record [there is no point creating new ones]
>>{any domains without an A or MX record will already be rejected by most mail-recievers}
>>
>>but i would point out from looking at you mail to the list that your server actually sends with the name
>><http://relay1.edhance.com>relay1.edhance.com (<http://relay1.edhance.com>relay1.edhance.com [67.110.143.100
>>
>>so you MUST have
>><http://relay1.edhance.com>relay1.edhance.com. IN TXT "v=spf1 a -all"
>>or
>><http://relay1.edhance.com>relay1.edhance.com. IN TXT "v=spf1 ip4:67.110.143.100 -all"
>>
>>if you want to be kinder to us all and save us the extra lookups
>>
>>if you have a second machine sending as <http://mail.edhance.com>mail.edhance.com the above is fine IF not you can set <http://mail.edhance.com>mail.edhance.com to v=spf1 -all
>>
>>
>>
>>>I have shutdown SMTP access to all but my to relay servers on the network. But if I don't want email to come from <mailto:username [at] www>username [at] www, do I just add this:
>>><http://www.edhance.com>www.edhance.com IN TXT "v=spf1 -all"
>>
>>exactly {this dosn't stop mail comming from xxx [at] domai, it just enables receivers to tell it is obviously a forgery and reject it if it does, but also as spammer aren't so dumb it does tend to stop them trying}
>>
>>
>>>thanks,
>>>James
>>>
>>>
>>>
>>>
>>>
>>>-------------------------------------------
>>>Sender Policy Framework: <http://www.openspf.org>http://www.openspf.org [http://www.openspf.org]
>>>Modify Your Subscription: <http://www.listbox.com/member/>http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>>
>>>Archives: <https://www.listbox.com/member/archive/735/=now>https://www.listbox.com/member/archive/735/=now
>>>RSS Feed: <https://www.listbox.com/member/archive/rss/735/>https://www.listbox.com/member/archive/rss/735/
>>>Powered by Listbox: <http://www.listbox.com>http://www.listbox.com
>>
>>
>>
>>-------------------------------------------
>>Sender Policy Framework: <http://www.openspf.org>http://www.openspf.org [http://www.openspf.org]
>>Modify Your Subscription: <http://www.listbox.com/member/>http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>
>>Archives: <https://www.listbox.com/member/archive/735/=now>https://www.listbox.com/member/archive/735/=now
>>RSS Feed: <https://www.listbox.com/member/archive/rss/735/>https://www.listbox.com/member/archive/rss/735/
>>Powered by Listbox: <http://www.listbox.com>http://www.listbox.com
>
>:: James R. Marcus | Director, IT Operations
>:: Edhance | <x-msg://103/jmarcus [at] edhance>jmarcus [at] edhance
>:: v: 617-475-5360 | m: 914-772-8533
>:: web: <http://www.edhance.com/>www.edhance.com
>
>Sender Policy Framework: <http://www.openspf.org>http://www.openspf.org
>Modify Your Subscription: <http://www.listbox.com/member/>http://www.listbox.com/member/
><https://www.listbox.com/member/archive/735/=now>Archives<https://www.listbox.com/member/archive/rss/735/>



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

SPF discuss RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.