Help confirm my understanding of syntax ( or lack of understanding )

 

 



Joey at Web56

Apr 29, 2008, 3:22 PM

Post #1 of 6 (353 views)
Help confirm my understanding of syntax ( or lack of understanding )

Hello All,



I just want to make sure I am clear on how this works as I am running into
more spam fighting issues.







This would say for this domain if it comes from this IP then it's good,
otherwise REJECT it.



Client_domain.com. IN TXT "v=spf1 ip4:123.231.21.1 -all"





This says if it's from the IP listed OR the server called ispserver.net it's
good otherwise REJECT.

Client_domain.com. IN TXT "v=spf1 ip4: 123.231.21.1 mx
include:ispserver.net -all"





This says if it's from client's mailserver mail.Client_domain.com, or the isp
servers mail. ispserver.net or mail2. ispserver.net.net that it's good.



Client_domain.com. IN TXT "v=spf1 mx a:mail.Client_domain.com -all"

mail. ispserver.net. IN TXT "v=spf1 a -all"

mail2. ispserver.net.net. IN TXT "v=spf1 a -all"





Changing the -all to a ~all means warn only instead of fail.




Hoping I have done this correctly.



Thanks!


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


rob.macgregor at gmail

Apr 29, 2008, 4:35 PM

Post #2 of 6 (342 views)
Re: Help confirm my understanding of syntax ( or lack of understanding ) [In reply to]

On Tue, Apr 29, 2008 at 11:22 PM, Joey <Joey[at]web56.net> wrote:

http://www.openspf.org/SPF_Record_Syntax

I've stripped the spaces from your examples where they're
syntactically incorrect.

> This would say for this domain if it comes from this IP then it's good,
> otherwise REJECT it.
>
> Client_domain.com. IN TXT "v=spf1 ip4:123.231.21.1 -all"

Correct.

> This says if it's from the IP listed OR the server called ispserver.net it's
> good otherwise REJECT.
>
> Client_domain.com. IN TXT "v=spf1 ip4:123.231.21.1 mx
> include:ispserver.net -all"

Allow if it's from the IP listed
if it's from a MX for client_domain.com
or as specified by the record ispserver.net

http://www.openspf.org/SPF_Record_Syntax#include

If there is no SPF record ispserver.net then the entire record is in
error and mail from <user[at]client_domain.com> or from any host using
client_domain.com as its HELO/EHLO value will be rejected.

> This says if it's from client's mailserver mail.Client_domain.com, or the isp
> servers mail. ispserver.net or mail2. ispserver.net.net that it's good.
>
> Client_domain.com. IN TXT "v=spf1 mx a:mail.Client_domain.com -all"

Allow from the MXs for domain client_domain.com
or from any IP address that mail.client_domain.com resolves to

> mail.ispserver.net. IN TXT "v=spf1 a -all"

Mail is never sent from <user[at]mail.ispserver.net>
Mail is never sent from a host using a HELO/EHLO string of mail.ispserver.net.

> mail2.ispserver.net.net. IN TXT "v=spf1 a -all"

Mail is never sent from <user[at]mail2.ispserver.net>
Mail is never sent from a host using a HELO/EHLO string of mail2.ispserver.net.

> Changing the -all to a ~all means warn only instead of fail.

Correct (though that's down to the client software to implement, not
all software follows the standards).

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche



steve at teamITS

Apr 29, 2008, 4:52 PM

Post #3 of 6 (340 views)
RE: Help confirm my understanding of syntax ( or lack of understanding ) [In reply to]

Rob MacGregor wrote on 4/29/2008 6:35:53 PM:

>> mail.ispserver.net. IN TXT "v=spf1 a -all"
>
> Mail is never sent from <user[at]mail.ispserver.net>
> Mail is never sent from a host using a HELO/EHLO string of mail.ispserver.net.
>
>> mail2.ispserver.net.net. IN TXT "v=spf1 a -all"
>
> Mail is never sent from <user[at]mail2.ispserver.net>
> Mail is never sent from a host using a HELO/EHLO string of mail2.ispserver.net.

I think you missed the "a" in the middle...it says that mail from <user[at]mail.ispserver.net> or the hostname mail.ispserver.net is only valid if coming from the server "mail.ispserver.net."

"v=spf1 -all" says that no mail comes from the given hostname.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Door: Something a cat wants to be on the other side of

~ Taglines by Taglinator - www.srtware.com ~



rob.macgregor at gmail

Apr 29, 2008, 11:18 PM

Post #4 of 6 (337 views)
Re: Help confirm my understanding of syntax ( or lack of understanding ) [In reply to]

On Wed, Apr 30, 2008 at 12:52 AM, Steve Yates <steve[at]teamits.com> wrote:
>
> I think you missed the "a" in the middle...it says that mail from <user[at]mail.ispserver.net> or the hostname mail.ispserver.net is only valid if coming from the server "mail.ispserver.net."
>
> "v=spf1 -all" says that no mail comes from the given hostname.

That's what I get for posting when I should be asleep ;)

--
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche



Joey at Web56

Apr 30, 2008, 5:27 AM

Post #5 of 6 (338 views)
RE: Help confirm my understanding of syntax ( or lack of understanding ) [In reply to]

> >
> > Client_domain.com. IN TXT "v=spf1 mx a:mail.Client_domain.com -all"
>
> Allow from the MXs for domain client_domain.com
> or from any IP address that mail.client_domain.com resolves to
>
> > mail.ispserver.net. IN TXT "v=spf1 a -all"
>
> Mail is never sent from <user[at]mail.ispserver.net>
> Mail is never sent from a host using a HELO/EHLO string of mail.ispserver.net.
>
> > mail2.ispserver.net.net. IN TXT "v=spf1 a -all"
>

OK being an ISP if I want to list that the Client_domain.com can send from our servers, I need to list both the clients if they have one and any others that may send mail from that domain ( web server ).
In order to accomplish this I am looking for the best, most efficient and most importantly correct way to do this.

Should I do this:
Client_domain.com. IN TXT "v=spf1 mx a:mail.Client_domain.com -all"
"v=spf1 ptr: ispserver.net -all"


I am hoping this says, mail from the mail.clien_domain.com as well as any server that claims to be *.ispserver.net otherwise reject.

Also you mentioned if ispserver.net has no spf record it won't work, is this true in this case?

Thanks!



rob.macgregor at gmail

Apr 30, 2008, 6:06 AM

Post #6 of 6 (336 views)
Re: Help confirm my understanding of syntax ( or lack of understanding ) [In reply to]

On Wed, Apr 30, 2008 at 1:27 PM, Joey <Joey[at]web56.net> wrote:
>
> OK being an ISP if I want to list that the Client_domain.com can send from our servers, I need to list both the clients if they have one and any others that may send mail from that domain ( web server ).
> In order to accomplish this I am looking for the best, most efficient and most importantly correct way to do this.
>
> Should I do this:
>
> Client_domain.com. IN TXT "v=spf1 mx a:mail.Client_domain.com -all"
> "v=spf1 ptr: ispserver.net -all"

You need to make that a single record, like:

Client_domain.com. IN TXT "v=spf1 mx a:mail.Client_domain.com
ptr:ispserver.net -all"

Without the extraneous spaces you keep inserting ;)

> I am hoping this says, mail from the mail.clien_domain.com as well as any server that claims to be *.ispserver.net otherwise reject.

Please see http://www.openspf.org/SPF_Record_Syntax for details (that
is, you really shouldn't use ptr if you have any other option). The
most efficient way is to list only IP addresses or ranges.

The record says that mail can come from:

The MX host(s) for Client_domain.com
The host mail.Client_domain.com
Any host that has a DNS name ending in ispserver.net

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
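
The syntax points raised across this thread (no space after the colon, one record per name, `a -all` versus `-all`, avoiding `ptr`) can be checked mechanically. The linter below is an added example, not code from any poster or from the SPF project; `lint_spf` and its warning texts are names invented here, and treating the two strings in post #5 as two separate TXT records is an assumption.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(txt_records):
    """Parse the TXT strings found at one DNS name; return (terms, warnings)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return [], [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms, warnings = [], []
    for token in spf[0].split()[1:]:
        if re.match(r"[A-Za-z][A-Za-z0-9._-]*=", token):
            continue  # modifier (redirect=, exp=), not a mechanism
        has_q = token[0] in QUALIFIERS
        result = QUALIFIERS[token[0]] if has_q else "pass"  # default qualifier is "+"
        body = token[1:] if has_q else token
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        arg = body[len(name):].lstrip(":")
        if name not in MECHANISMS:
            warnings.append(f"'{token}' is not a mechanism (stray space before it?)")
        elif body.endswith(":"):
            warnings.append(f"'{token}' has an empty argument (space after the colon?)")
        else:
            if name == "ptr":
                warnings.append("ptr should be avoided; list ip4/ip6 ranges instead")
            terms.append((result, name, arg))
    return terms, warnings

# Records copied from the thread (domain names are the posters' placeholders).
SPACED = ["v=spf1 ip4: 123.231.21.1 mx include:ispserver.net -all"]
SPLIT = ["v=spf1 mx a:mail.Client_domain.com -all", "v=spf1 ptr: ispserver.net -all"]
MERGED = ["v=spf1 mx a:mail.Client_domain.com ptr:ispserver.net -all"]

if __name__ == "__main__":
    for label, records in [("spaced", SPACED), ("split", SPLIT), ("merged", MERGED),
                           ("a -all", ["v=spf1 a -all"]), ("-all", ["v=spf1 -all"])]:
        terms, warnings = lint_spf(records)
        print(label, terms, warnings)
```

The spaced record loses its `ip4` term entirely, which is why the stray space matters: the address is no longer authorized by the terms that do parse.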

