Mailing List Archive: SPF: Help

Newbie questions

Index | Next | Previous | View Threaded

Nathan.Roberts at weastec

Aug 2, 2004, 10:24 AM

Post #1 of 15 (1726 views)
Permalink

Newbie questions

I'm trying to get a SPF record setup for my company. I'm having some
difficulties though. I'm stuck on the second question!!

This wizard found 4 names for weastec.com's MX servers.
MX servers receive mail for weastec.com.
Do they also send mail from weastec.com?

We only have 1 mail server here. What are these other names/servers?
Should I be concerned with this? Thanks!

Nathan Roberts
Systems Analyst
Weastec Inc.

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

spf at kitterman

Aug 2, 2004, 10:33 AM

Post #2 of 15 (1716 views)
Permalink

RE: Newbie questions [In reply to]

> -----Original Message-----
> From: owner-spf-help[at]v2.listbox.com
> [mailto:owner-spf-help[at]v2.listbox.com]On Behalf Of
> Nathan.Roberts[at]weastec.com
> Sent: Monday, August 02, 2004 1:24 PM
> To: spf-help[at]v2.listbox.com
> Subject: [spf-help] Newbie questions
>
>
> I'm trying to get a SPF record setup for my company. I'm having some
> difficulties though. I'm stuck on the second question!!
>
>
>
>
> This wizard found 4 names for weastec.com's MX servers.
>
> MX servers receive mail for weastec.com.
>
> Do they also send mail from weastec.com?
>
>
>
> We only have 1 mail server here. What are these other
> names/servers?
> Should I be concerned with this? Thanks!
>
> Nathan Roberts
> Systems Analyst
> Weastec Inc.
>
Well,

You definitely want to get it right. If you go on and finish out the wizard
it goes on to say:

This wizard found 4 names for the MX servers for weastec.com:
68-23-93-3.ded.ameritech.net, mail-backup.rcsntx.swbell.net, mail, and
smtp-relay.swbell.net.
(A single machine may go by more than one hostname. All of them are shown.)
The servers behind those names are allowed to send mail from weastec.com.

Using Dig-It,

http://us.mirror.menandmice.com/cgi-bin/DoDig?host=&domain=weastec.com&type=
MX&recur=on

I see that you have at least one backup MX defined:

;; ANSWERS:
weastec.com. 7200 MX 100 smtp-relay.swbell.net.
weastec.com. 7200 MX 10 mail.weastec.com.

So, I believe that the 3 server names you weren't expecting are related to
your backup MX.

Scott Kitterman

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

spf at metro

Aug 2, 2004, 10:42 AM

Post #3 of 15 (1634 views)
Permalink

Re: Newbie questions [In reply to]

Hi,

The wizard is great, but it helps if you know what is going on behind
it. If you only have 1 mail server (i assume you mean '1 outgoing mail
server'), specifying that single server in your spf record is all you
have to do. If the mail server is on an ip that is the same as your
domain, a simple "v=spf1 a -all" would suffice (or ~all / ?all if you
want to play it conservative). If it is not, you could use "v=spf1
ip4:1.2.3.4 -all" where 1.2.3.4 is the ip of your outgoing mail server
of course.

Hope this helps,

Koen

On Mon, Aug 02, 2004 at 01:24:06PM -0400, Nathan.Roberts[at]weastec.com wrote:
> I'm trying to get a SPF record setup for my company. I'm having some
> difficulties though. I'm stuck on the second question!!
>
>
> This wizard found 4 names for weastec.com's MX servers.
> MX servers receive mail for weastec.com.
> Do they also send mail from weastec.com?
>
> We only have 1 mail server here. What are these other names/servers?
> Should I be concerned with this? Thanks!
>
>
>
>
>
> Nathan Roberts
> Systems Analyst
> Weastec Inc.
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your subscription,
> please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

friz at godshell

Aug 2, 2004, 10:43 AM

Post #4 of 15 (1689 views)
Permalink

Re: Newbie questions [In reply to]

Nathan.Roberts[at]weastec.com wrote:

>I'm trying to get a SPF record setup for my company. I'm having some
>difficulties though. I'm stuck on the second question!!
>
>
> This wizard found 4 names for weastec.com's MX servers.
> MX servers receive mail for weastec.com.
> Do they also send mail from weastec.com?
>
> We only have 1 mail server here. What are these other names/servers?
> Should I be concerned with this? Thanks!
>
>
It looks like you have 2 MX records... One has a distance of 10 and is
weastec.com... The other is distance 100 and is smtp-relay.swbell.net...

>Nathan Roberts
>Systems Analyst
>Weastec Inc.
>
>

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz[at]godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

Nathan.Roberts at weastec

Aug 2, 2004, 11:33 AM

Post #5 of 15 (1660 views)
Permalink

Re: Newbie questions [In reply to]

Koen,
I do have only '1 outgoing mail server'. It is behind a firewall.
In fact, everything of mine should be behind this firewall to send mail.
So you are saying I can use "v=spf1 ip:68.23.93.3 ?all". What about all
the other questions, does this setting overide those? Also, what does all
this mean? Is there a document on this? Sorry, I'm not usually this
stupid but why can't I just say stuff from 68.23.93.3 is me, otherwise its
forged? Thanks!

Nathan Roberts

Koen Martens
<spf[at]metro.cx>
Sent by: To
owner-spf-help[at]v2 spf-help[at]v2.listbox.com
.listbox.com cc

Subject
08/02/2004 01:42 Re: [spf-help] Newbie questions
PM

Please respond to
spf-help[at]v2.listb
ox.com

Hi,

The wizard is great, but it helps if you know what is going on behind
it. If you only have 1 mail server (i assume you mean '1 outgoing mail
server'), specifying that single server in your spf record is all you
have to do. If the mail server is on an ip that is the same as your
domain, a simple "v=spf1 a -all" would suffice (or ~all / ?all if you
want to play it conservative). If it is not, you could use "v=spf1
ip4:1.2.3.4 -all" where 1.2.3.4 is the ip of your outgoing mail server
of course.

Hope this helps,

Koen

On Mon, Aug 02, 2004 at 01:24:06PM -0400, Nathan.Roberts[at]weastec.com wrote:
> I'm trying to get a SPF record setup for my company. I'm having some
> difficulties though. I'm stuck on the second question!!
>

>

> This wizard found 4 names for weastec.com's MX servers.

> MX servers receive mail for weastec.com.

> Do they also send mail from weastec.com?

>

> We only have 1 mail server here. What are these other names/servers?

> Should I be concerned with this? Thanks!

>

>
>
>
>
> Nathan Roberts
> Systems Analyst
> Weastec Inc.
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your
subscription,
> please go to
http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

spf at metro

Aug 2, 2004, 11:44 AM

Post #6 of 15 (1659 views)
Permalink

Re: Newbie questions [In reply to]

Hi Nathan,

You are not the first one to find the wizard a bit confusing :)

http://dev.spf.pobox.com/mechanisms.html provides an explanation of the
different mechanisms. If you want to say 'stuff from 68.23.93.3 is me'
then "v=spf1 ip4:68.23.93.3 ?all" is correct indeed (note that it's ip4,
not ip).

On a sidenote:

If you want to check spf records too, you better dig into your
secondary mx setup, since forgers are keen on secondary mx'es to dump
their loads since they assume these are not as well protected as are the
primaries.

Koen

On Mon, Aug 02, 2004 at 02:33:31PM -0400, Nathan.Roberts[at]weastec.com wrote:
> Koen,
> I do have only '1 outgoing mail server'. It is behind a firewall.
> In fact, everything of mine should be behind this firewall to send mail.
> So you are saying I can use "v=spf1 ip:68.23.93.3 ?all". What about all
> the other questions, does this setting overide those? Also, what does all
> this mean? Is there a document on this? Sorry, I'm not usually this
> stupid but why can't I just say stuff from 68.23.93.3 is me, otherwise its
> forged? Thanks!
>
> Nathan Roberts
>
>
>
>
> Koen Martens
> <spf[at]metro.cx>
> Sent by: To
> owner-spf-help[at]v2 spf-help[at]v2.listbox.com
> .listbox.com cc
>
> Subject
> 08/02/2004 01:42 Re: [spf-help] Newbie questions
> PM
>
>
> Please respond to
> spf-help[at]v2.listb
> ox.com
>
>
>
>
>
>
> Hi,
>
> The wizard is great, but it helps if you know what is going on behind
> it. If you only have 1 mail server (i assume you mean '1 outgoing mail
> server'), specifying that single server in your spf record is all you
> have to do. If the mail server is on an ip that is the same as your
> domain, a simple "v=spf1 a -all" would suffice (or ~all / ?all if you
> want to play it conservative). If it is not, you could use "v=spf1
> ip4:1.2.3.4 -all" where 1.2.3.4 is the ip of your outgoing mail server
> of course.
>
> Hope this helps,
>
> Koen
>
> On Mon, Aug 02, 2004 at 01:24:06PM -0400, Nathan.Roberts[at]weastec.com wrote:
> > I'm trying to get a SPF record setup for my company. I'm having some
> > difficulties though. I'm stuck on the second question!!
> >
>
> >
>
> > This wizard found 4 names for weastec.com's MX servers.
>
> > MX servers receive mail for weastec.com.
>
> > Do they also send mail from weastec.com?
>
> >
>
> > We only have 1 mail server here. What are these other names/servers?
>
> > Should I be concerned with this? Thanks!
>
> >
>
> >
> >
> >
> >
> > Nathan Roberts
> > Systems Analyst
> > Weastec Inc.
> >
> > -------
> > Archives at http://archives.listbox.com/spf-help/current/
> > Donate! http://spf.pobox.com/donations.html
> > To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> > please go to
> http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com
>
> --
> K.F.J. Martens, Sonologic, http://www.sonologic.nl/
> Networking, embedded systems, unix expertise, artificial intelligence.
> Public PGP key: http://www.metro.cx/pubkey-gmc.asc
> Wondering about the funny attachment your mail program
> can't read? Visit http://www.openpgp.org/
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com
>
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your subscription,
> please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

spf at kitterman

Aug 2, 2004, 11:50 AM

Post #7 of 15 (1650 views)
Permalink

RE: Newbie questions [In reply to]

What that says it that mail from ip:68.23.93.3 is legimitate. For all others
(?all) it's unknown. That might not be a bad place to start.

Eventually, you'll want to change to -all (everything else is a forgery),
but give yourself a chance to walk before you run. You may discover things,
for example if you mail a CNN article (as just one example) to someone, that
forges your e-mail address coming from the CNN server and that would fail an
SPF check. There are others. Give yourself a chance to make sure you know
what mail you consider legitimate will be left out of your SPF recrd's
definition of what is permitted before you switch to -all.

Here are the draft specs:

http://spf.pobox.com/rfcs.html

You should particularly concentrate on:

http://spf.pobox.com/spf-draft-200406.txt

because that's reflective of the design that is currently deployed.

Generally, you want your mail receivers covered as permitted senders because
they generate status messages in the name of your domain that you probably
don't want to be considered as forgeries. In your case though, there are
lots' of entities that no doubt have access to your backup MX
(smtp-relay.swbell.net). I don't think you want all of those people to be
permitted. I see two options:

1. Backup MX is rarely used, I can afford to leave that outside the
definition and some status messages may get lost.

2. Backup MX should be covered, but I don't want to open up to having
everyone with access to smtp-relay.swbell.net being able to send messages.
I think to solve this you would change your record to be:

"v=spf1 ip:68.23.93.3 ?mx ?all"

Your primary MX (and your SMTP server) still passes since it's at
ip:68.23.93.3 and your backup MX gets an unknown rather than a fail.
Obviously this doesn't matter now when you end your record in ?all, but it's
laying the foundation for eventually going -all.

Scott Kitterman

> -----Original Message-----
> From: owner-spf-help[at]v2.listbox.com
> [mailto:owner-spf-help[at]v2.listbox.com]On Behalf Of
> Nathan.Roberts[at]weastec.com
> Sent: Monday, August 02, 2004 2:34 PM
> To: spf-help[at]v2.listbox.com
> Subject: Re: [spf-help] Newbie questions
>
>
> Koen,
> I do have only '1 outgoing mail server'. It is behind a firewall.
> In fact, everything of mine should be behind this firewall to send mail.
> So you are saying I can use "v=spf1 ip:68.23.93.3 ?all". What about all
> the other questions, does this setting overide those? Also, what does all
> this mean? Is there a document on this? Sorry, I'm not usually this
> stupid but why can't I just say stuff from 68.23.93.3 is me, otherwise its
> forged? Thanks!
>
> Nathan Roberts
>
>
>
>
>
> Koen Martens
>
> <spf[at]metro.cx>
>
> Sent by:
> To
> owner-spf-help[at]v2 spf-help[at]v2.listbox.com
>
> .listbox.com
> cc
>
>
>
> Subject
> 08/02/2004 01:42 Re: [spf-help] Newbie
> questions
> PM
>
>
>
>
>
> Please respond to
>
> spf-help[at]v2.listb
>
> ox.com
>
> Hi,
>
> The wizard is great, but it helps if you know what is going on behind
> it. If you only have 1 mail server (i assume you mean '1 outgoing mail
> server'), specifying that single server in your spf record is all you
> have to do. If the mail server is on an ip that is the same as your
> domain, a simple "v=spf1 a -all" would suffice (or ~all / ?all if you
> want to play it conservative). If it is not, you could use "v=spf1
> ip4:1.2.3.4 -all" where 1.2.3.4 is the ip of your outgoing mail server
> of course.
>
> Hope this helps,
>
> Koen
>
> On Mon, Aug 02, 2004 at 01:24:06PM -0400,
> Nathan.Roberts[at]weastec.com wrote:
> > I'm trying to get a SPF record setup for my company. I'm having some
> > difficulties though. I'm stuck on the second question!!
> >
>
> >
>
> > This wizard found 4 names for weastec.com's MX servers.
>
> > MX servers receive mail for weastec.com.
>
> > Do they also send mail from weastec.com?
>
> >
>
> > We only have 1 mail server here. What are these other names/servers?
>
> > Should I be concerned with this? Thanks!
>
> >
>
> >
> >
> >
> >
> > Nathan Roberts
> > Systems Analyst
> > Weastec Inc.
> >
> > -------
> > Archives at http://archives.listbox.com/spf-help/current/
> > Donate! http://spf.pobox.com/donations.html
> > To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> > please go to
> http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com
>
> --
> K.F.J. Martens, Sonologic, http://www.sonologic.nl/
> Networking, embedded systems, unix expertise, artificial intelligence.
> Public PGP key: http://www.metro.cx/pubkey-gmc.asc
> Wondering about the funny attachment your mail program
> can't read? Visit http://www.openpgp.org/
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to
> http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com
>
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate
> your subscription,
> please go to
> http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com
>
>

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

Nathan.Roberts at weastec

Aug 2, 2004, 12:14 PM

Post #8 of 15 (1659 views)
Permalink

Re: Newbie questions [In reply to]

Koen,
I'm starting to get a grasp on this I think. Just a few more silly
questions. I looked at the site you listed. About the ip4 mechanism. It
states "If no prefix-length is given, /32 is assumed." Lets say I only want
1 ip address, maybe 2. What would I specify?

Also, where do these rules come from? Do they only relate to SPF? The
comment under ip6 sort of makes me nervous "Could someone with IPv6
experience please provide some input?". Does the author not even
understand it? Thanks!

Nathan Roberts
Systems Analyst
Weastec Inc.
(937)840-1190

Koen Martens
<spf[at]metro.cx>
Sent by: To
owner-spf-help[at]v2 spf-help[at]v2.listbox.com
.listbox.com cc

Subject
08/02/2004 02:44 Re: [spf-help] Newbie questions
PM

Please respond to
spf-help[at]v2.listb
ox.com

Hi Nathan,

You are not the first one to find the wizard a bit confusing :)

http://dev.spf.pobox.com/mechanisms.html provides an explanation of the
different mechanisms. If you want to say 'stuff from 68.23.93.3 is me'
then "v=spf1 ip4:68.23.93.3 ?all" is correct indeed (note that it's ip4,
not ip).

On a sidenote:

If you want to check spf records too, you better dig into your
secondary mx setup, since forgers are keen on secondary mx'es to dump
their loads since they assume these are not as well protected as are the
primaries.

Koen

On Mon, Aug 02, 2004 at 02:33:31PM -0400, Nathan.Roberts[at]weastec.com wrote:
> Koen,
> I do have only '1 outgoing mail server'. It is behind a firewall.
> In fact, everything of mine should be behind this firewall to send mail.
> So you are saying I can use "v=spf1 ip:68.23.93.3 ?all". What about all
> the other questions, does this setting overide those? Also, what does
all
> this mean? Is there a document on this? Sorry, I'm not usually this
> stupid but why can't I just say stuff from 68.23.93.3 is me, otherwise
its
> forged? Thanks!
>
> Nathan Roberts
>
>
>
>

> Koen Martens

> <spf[at]metro.cx>

> Sent by:
To
> owner-spf-help[at]v2 spf-help[at]v2.listbox.com

> .listbox.com
cc
>

>
Subject
> 08/02/2004 01:42 Re: [spf-help] Newbie questions

> PM

>

>

> Please respond to

> spf-help[at]v2.listb

> ox.com

>

>

>
>
>
>
> Hi,
>
> The wizard is great, but it helps if you know what is going on behind
> it. If you only have 1 mail server (i assume you mean '1 outgoing mail
> server'), specifying that single server in your spf record is all you
> have to do. If the mail server is on an ip that is the same as your
> domain, a simple "v=spf1 a -all" would suffice (or ~all / ?all if you
> want to play it conservative). If it is not, you could use "v=spf1
> ip4:1.2.3.4 -all" where 1.2.3.4 is the ip of your outgoing mail server
> of course.
>
> Hope this helps,
>
> Koen
>
> On Mon, Aug 02, 2004 at 01:24:06PM -0400, Nathan.Roberts[at]weastec.com
wrote:
> > I'm trying to get a SPF record setup for my company. I'm having some
> > difficulties though. I'm stuck on the second question!!
> >
>
> >
>
> > This wizard found 4 names for weastec.com's MX servers.
>
> > MX servers receive mail for weastec.com.
>
> > Do they also send mail from weastec.com?
>
> >
>
> > We only have 1 mail server here. What are these other names/servers?
>
> > Should I be concerned with this? Thanks!
>
> >
>
> >
> >
> >
> >
> > Nathan Roberts
> > Systems Analyst
> > Weastec Inc.
> >
> > -------
> > Archives at http://archives.listbox.com/spf-help/current/
> > Donate! http://spf.pobox.com/donations.html
> > To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> > please go to
> http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com
>
> --
> K.F.J. Martens, Sonologic, http://www.sonologic.nl/
> Networking, embedded systems, unix expertise, artificial intelligence.
> Public PGP key: http://www.metro.cx/pubkey-gmc.asc
> Wondering about the funny attachment your mail program
> can't read? Visit http://www.openpgp.org/
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to
http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com
>
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your
subscription,
> please go to
http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

spf at metro

Aug 2, 2004, 12:23 PM

Post #9 of 15 (1660 views)
Permalink

Re: Newbie questions [In reply to]

On Mon, Aug 02, 2004 at 03:14:41PM -0400, Nathan.Roberts[at]weastec.com wrote:
> I'm starting to get a grasp on this I think. Just a few more silly
> questions. I looked at the site you listed. About the ip4 mechanism. It
> states "If no prefix-length is given, /32 is assumed." Lets say I only want
> 1 ip address, maybe 2. What would I specify?

If you want 1 ip adres, use /32 which corresponds to a netmask of
255.255.255.255. Since /32 is implicit, you can ommit it in the record.
If you want two, you'd probably have to specify /31.. If you need 4, use
/30, etc... This is standard CIDR notation..

> Also, where do these rules come from? Do they only relate to SPF? The
> comment under ip6 sort of makes me nervous "Could someone with IPv6
> experience please provide some input?". Does the author not even
> understand it? Thanks!

It's a coincidence you should ask, I was just doing some ipv6
experimenting over here :)

Anyway, I think the author was sort of in a rush when he wrote it, and
didn't have enough ipv6 experience to say anything usefull. It works
just the same as ip4, only the notation is different.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

randy at satxhomesearch

May 21, 2009, 11:09 AM

Post #10 of 15 (616 views)
Permalink

Re: Newbie Questions [In reply to]

Rob MacGregor wrote:
> On Thu, May 21, 2009 at 17:35, Randy <randy[at]satxhomesearch.com> wrote:
>
>> Hello,
>>
>> May sound like silly questions, but I have a couple.
>>
>> 1. I used the "wizard" to create the SPF Record. The instructions said to
>> add the txt file to the dns, which I did.
I modified the spf record: v=spf1 ip4:72.44.83.51 ip4:66.192.165.130/27
ip4:74.202.227.32/27 ip4:216.27.93.0/25 ip4:216.27.84.64/27 a
include:listingware.com include:icpbounce.com ~all
>>
>> Did you mean the MX of outboundsmtp.listingware.com, or did you mean the host?
>>
Either way, no quotes?

Thanks
> You could use ptr, but for good reasons that's recommended against.
> You would be far better to list by IP.
On further research, I think that "include:" means any host from
listingware.com ... Is this correct?

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

May 21, 2009, 11:33 AM

Post #11 of 15 (616 views)
Permalink

Re: Newbie Questions [In reply to]

On Thu, May 21, 2009 at 19:09, Randy <randy[at]satxhomesearch.com> wrote:
>
> Either way, no quotes?

Correct

Note that you already reference the a record for the domain
satxhomesearch.com by IP, so you can reduce your record further:

v=spf1 ip4:72.44.83.51 ip4:66.192.165.130/27 ip4:74.202.227.32/27
ip4:216.27.93.0/25 ip4:216.27.84.64/27 include:listingware.com
include:icpbounce.com ~all

Note that listingware.com don't publish an SPF record so your record
is invalid if you keep it. They appear to use GoDaddy for email.
GoDaddy have a badly broken SPF record that you MUST NOT REFERENCE.
Doing so will render your record invalid.

When last I checked their record, the following would probably work:

v=spf1 ip4:72.44.83.51 ip4:66.192.165.130/27 ip4:74.202.227.32/27
ip4:216.27.93.0/25 ip4:216.27.84.64/27 include:in.spf.secureserver.net
include:ext1.spf.secureserver.net include:ext2.spf.secureserver.net
include:mon.spf.secureserver.net include:icpbounce.com ~all

That record passes validation.

> On further research, I think that "include:" means any host from
> listingware.com ... Is this correct?

I've no idea where you are doing your research, but it's certainly not
by reading the official page on the record syntax:

http://www.openspf.org/SPF_Record_Syntax

In short, the include tag references the SPF record published for the
domain/host you specify. If there is not an SPF record then your
record becomes invalid and any SPF aware mail server will probably
reject email from you.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

randy at satxhomesearch

May 21, 2009, 11:59 AM

Post #12 of 15 (616 views)
Permalink

Re: Newbie Questions [In reply to]

Rob MacGregor wrote:
> On Thu, May 21, 2009 at 19:09, Randy <randy[at]satxhomesearch.com> wrote:
>
>
> Note that listingware.com don't publish an SPF record so your record
> is invalid if you keep it. They appear to use GoDaddy for email.
> GoDaddy have a badly broken SPF record that you MUST NOT REFERENCE.
> Doing so will render your record invalid.
>
> When last I checked their record, the following would probably work:
>
> v=spf1 ip4:72.44.83.51 ip4:66.192.165.130/27 ip4:74.202.227.32/27
> ip4:216.27.93.0/25 ip4:216.27.84.64/27 include:in.spf.secureserver.net
> include:ext1.spf.secureserver.net include:ext2.spf.secureserver.net
> include:mon.spf.secureserver.net include:icpbounce.com ~all
>
> That record passes validation.
>
Is secureserver.net godaddy? Also, my mail host told me to add:
include:customer-spf.mxes.net
So, now my spf entry looks like:

v=spf1 ip4:72.44.83.51 ip4:66.192.165.130/27 ip4:74.202.227.32/27
ip4:216.27.93.0/25 ip4:216.27.84.64/27 include:in.spf.secureserver.net
include:ext1.spf.secureserver.net include:ext2.spf.secureserver.net
include:mon.spf.secureserver.net include:customer-spf.mxes.net
include:icpbounce.com ~all
>
> I've no idea where you are doing your research, but it's certainly not
> by reading the official page on the record syntax:
>
Lesson learned... stay off of other forums to learn about spf.
> http://www.openspf.org/SPF_Record_Syntax
>
Thanks

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

May 21, 2009, 2:36 PM

Post #13 of 15 (617 views)
Permalink

Re: Newbie Questions [In reply to]

On Thu, May 21, 2009 at 19:59, Randy <randy[at]satxhomesearch.com> wrote:
>
> Is secureserver.net godaddy?

Yes.

> Also, my mail host told me to add:
> include:customer-spf.mxes.net
> So, now my spf entry looks like:
>
> v=spf1 ip4:72.44.83.51 ip4:66.192.165.130/27 ip4:74.202.227.32/27
> ip4:216.27.93.0/25 ip4:216.27.84.64/27 include:in.spf.secureserver.net
> include:ext1.spf.secureserver.net include:ext2.spf.secureserver.net
> include:mon.spf.secureserver.net include:customer-spf.mxes.net
> include:icpbounce.com ~all

You can validate your record yourself at
http://www.kitterman.com/spf/validate.html - right now it validates.

I will say though that you're pushing your luck. There's an upper
limit of 10 DNS lookups. Just the includes above uses 6 of those,
leaving 4. Of those icpbounce.com with a typically poor SPF record
uses another 4. If you add any other A records, include tags or
anybody who's record you include uses an A or include tag then your
record will become invalid and mail from you will be rejected.

You should strongly consider simplifying how your domain sends email.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

randy at satxhomesearch

May 25, 2009, 5:42 PM

Post #14 of 15 (613 views)
Permalink

Re: Newbie Questions [In reply to]

Rob MacGregor wrote:
> On Thu, May 21, 2009 at 19:59, Randy <randy[at]satxhomesearch.com> wrote:
>
> You can validate your record yourself at
> http://www.kitterman.com/spf/validate.html - right now it validates.
>
> I will say though that you're pushing your luck. There's an upper
> limit of 10 DNS lookups. Just the includes above uses 6 of those,
> leaving 4. Of those icpbounce.com with a typically poor SPF record
> uses another 4. If you add any other A records, include tags or
> anybody who's record you include uses an A or include tag then your
> record will become invalid and mail from you will be rejected.
>
> You should strongly consider simplifying how your domain sends email.
I did not know this... thank you for bringing the 10 dns lookup issue to
my attention. I will look into how we can avoid this problem. We may
have to use additional/alternate domains to send from some of our
outside vendors that send emails through their servers on our behalf.

Again thank you for your useful advice!

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

May 26, 2009, 1:22 AM

Post #15 of 15 (612 views)
Permalink

Re: Newbie Questions [In reply to]

On Tue, May 26, 2009 at 01:42, Randy <randy[at]satxhomesearch.com> wrote:
>
> I did not know this... thank you for bringing the 10 dns lookup issue to my
> attention. I will look into how we can avoid this problem. We may have to
> use additional/alternate domains to send from some of our outside vendors
> that send emails through their servers on our behalf.

Yes, you could create a "marketing.satxhomesearch.com" domain that
these vendors use, and create SPF records accordingly.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com