Mailing List Archive: SPF: Help

Setting up SPF record(s) for the first time

Index | Next | Previous | View Threaded

drsteve at rna

Apr 11, 2008, 11:39 AM

Post #1 of 5 (367 views)
Permalink

Setting up SPF record(s) for the first time

Greetings, and thanks in advance. We're setting up SPF records for the
following situation, and we'd appreciate any advice/guidance you can give.

(Please ignore all TTL inconsistancy below.)

- All of our machines are on the 169.229.244.128/26 subnet.

- We have one outbound mail server, canonical name lego.berkeley.edu
(i.e. this is the machine's hostname, and we have a A<->PTR record
pair for it):

lego.Berkeley.EDU. 3600 IN A 169.229.244.134
134.244.229.169.in-addr.arpa. 86400 IN PTR lego.Berkeley.EDU.

- lego has multiple other A records, each of which has zero or more
CNAME records that point to it, any & all of which may (potentially)
appear in the envelope (i.e. the "Return-Path:" header - is this in
fact the part of the envelope we care about?)

Thus, for example:

mosaic.Berkeley.EDU. 3600 IN CNAME lego.berkeley.edu.

bsmb.Berkeley.EDU. 3600 IN A 169.229.244.134
bsmbmail.Berkeley.EDU. 3600 IN CNAME bsmb.Berkeley.EDU.

etc.

Thus: mail can appear to come from 'user[at]lego.berkeley.edu',
or 'user[at]mosaic.berkeley.edu', or 'user[at]bsmb.berkeley.edu' or
'user[at]bsmbmail.berkeley.edu'.

- We also have other machines with A<->PTR pairs, e.g.:

everest.berkeley.edu. 3600 IN A 169.229.244.163
163.244.229.169.in-addr.arpa. 86400 IN PTR everest.Berkeley.EDU.

that send mail out through lego, the name(s) of which can appear in
the envelope, i.e. mail can come from 'user[at]everest.berkeley.edu'.

- Each of the A records in our environment has three MX records associated
with it, e.g.:

everest.berkeley.edu. 3600 IN MX 5 lego.berkeley.edu.
everest.berkeley.edu. 3600 IN MX 25 wintermute.berkeley.edu.
everest.berkeley.edu. 3600 IN MX 50 fractal.berkeley.edu.

Neither wintermute nor fractal act as mail servers at the moment,
nor are there plans for them to in the near- to medium-term future
(fractal never will).

So. We are thining that we need something like *all* of the following:

lego.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.128/26 -all"
mosaic.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.128/26 -all"
bsmb.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.128/26 -all"
bsmbmail.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.128/26 -all"
everest.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.128/26 -all"
etc.

Is this correct? Also: do we want '-all', or '~all', or something else?

--
Steve Lane
System, Network and Security Administrator
Doudna Lab
Biomolecular Structure and Mechanism Group
UC Berkeley

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

wendy.honeycutt at sonicfog

Apr 11, 2008, 12:30 PM

Post #2 of 5 (346 views)
Permalink

RE: Setting up SPF record(s) for the first time [In reply to]

>- All of our machines are on the 169.229.244.128/26 subnet.
>
>- We have one outbound mail server, canonical name lego.berkeley.edu
> (i.e. this is the machine's hostname, and we have a A<->PTR record
> pair for it):
>

If lego.berkeley.edu is the ONLY outbound mail server then you can use
"v=spf1 ip4: 169.229.244.134 ~all" to test

When you have tested it to your satisfaction change the "~all" (softfail) to an "-all" (Fail)

The same record can be used for each of the email domains you listed.

Adding the same spf record to lego.berkeley.edu will give you helo/ehlo validity.

HTH

Wendy Honeycutt
SonicFog

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

drsteve at rna

Apr 11, 2008, 1:06 PM

Post #3 of 5 (350 views)
Permalink

Re: Setting up SPF record(s) for the first time [In reply to]

On Fri, Apr 11, 2008 at 03:30:37PM -0400, SonicFog wrote:
>
>
> >- All of our machines are on the 169.229.244.128/26 subnet.
> >
> >- We have one outbound mail server, canonical name lego.berkeley.edu
> > (i.e. this is the machine's hostname, and we have a A<->PTR record
> > pair for it):
>
> If lego.berkeley.edu is the ONLY outbound mail server then you can use
> "v=spf1 ip4: 169.229.244.134 ~all" to test
^ space after 'ip4:', or no space, or doesn't matter?

> When you have tested it to your satisfaction change the "~all"
> (softfail) to an "-all" (Fail)

Ok - got it.

> The same record can be used for each of the email domains you listed.

I'm confused: lego *is* our only outbound mail server, but any of the
addresses I listed can show up in the message envelope (we masquerade
about 50-60 '<thing>.berkeley.edu' domains).

So: I only need one record for lego, even though 'lego.berkeley.edu'
may not show up in the envelope?

> Adding the same spf record to lego.berkeley.edu will give you helo/ehlo validity.

Meaning: Adding this record:

lego.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.134 ~all"

will give helo/ehlo validity?

> HTH

It does - thanks very much.

--
Steve Lane
System, Network and Security Administrator
Doudna Lab
Biomolecular Structure and Mechanism Group
UC Berkeley

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

steve at teamITS

Apr 11, 2008, 2:23 PM

Post #4 of 5 (350 views)
Permalink

RE: Setting up SPF record(s) for the first time [In reply to]

Steve Lane wrote on 4/11/2008 3:06:44 PM:

> I'm confused: lego *is* our only outbound mail server, but any of the
> addresses I listed can show up in the message envelope (we masquerade
> about 50-60 '<thing>.berkeley.edu' domains).

SPF boils down to finding whether the IP of the sending server
is permitted. Are all these hostnames using the same IP or different
IPs? If the same IP, you should only list it once.

>> Adding the same spf record to lego.berkeley.edu will give you
helo/ehlo
> validity.
>
> Meaning: Adding this record:
>
> lego.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.134
~all"
>
> will give helo/ehlo validity?

Yes. You can use SPF for the main berkeley.edu domain which
handles any @berkeley.edu mail, and also can protect the HELO name or
any other domains like something[at]alum.berkeley.edu or whatever (by
setting an SPF record for alum.berkeley.edu).

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- One rm -rf / can ruin your whole day.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

drsteve at rna

Apr 11, 2008, 3:15 PM

Post #5 of 5 (347 views)
Permalink

Re: Setting up SPF record(s) for the first time [In reply to]

On Fri, Apr 11, 2008 at 04:38:10PM -0400, SonicFog wrote:
> The only thing you are declaring to the outside world in an SPF record is what Mail Server(s)
> Is/are going to deliver the email for your domains. You have stated that lego.berkeley.edu
> is the outbound mail server and that is what you declare in your record.
>
> The list received your emails as follows:
>
> Received: from lego.berkeley.edu (lego.Berkeley.EDU [169.229.244.134]) by
> apex.listbox.com (Postfix) with ESMTP id 11D0E63 for
> <spf-help[at]v2.listbox.com>; Fri, 11 Apr 2008 16:07:24 -0400 (EDT)

Got it.

> >So: I only need one record for lego, even though 'lego.berkeley.edu'
> >may not show up in the envelope?
> >
> >> Adding the same spf record to lego.berkeley.edu will give you helo/ehlo validity.
> >
> >Meaning: Adding this record:
> >
> > lego.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.134 ~all"
> >
> >will give helo/ehlo validity?
>
> If a receiving server checks helo/ehlo your record will match (pass) giving it an
> spf record.
>
> Just be sure to change the the tilde to a dash when you are through testing.

Will do - thanks much.

On Fri, Apr 11, 2008 at 04:23:16PM -0500, Steve Yates wrote:
> SPF boils down to finding whether the IP of the sending server
> is permitted. Are all these hostnames using the same IP or different
> IPs? If the same IP, you should only list it once.

Got it.

> >> Adding the same spf record to lego.berkeley.edu will give you
> helo/ehlo
> > validity.
> >
> > Meaning: Adding this record:
> >
> > lego.berkeley.edu. 86400 IN TXT "v=spf1 ip4:169.229.244.134
> ~all"
> >
> > will give helo/ehlo validity?
>
> Yes. You can use SPF for the main berkeley.edu domain which
> handles any @berkeley.edu mail, and also can protect the HELO name or
> any other domains like something[at]alum.berkeley.edu or whatever (by
> setting an SPF record for alum.berkeley.edu).

Got it - thanks much.

--
Steve Lane
System, Network and Security Administrator
Doudna Lab
Biomolecular Structure and Mechanism Group
UC Berkeley

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com