
spfdiscuss at alandoherty
Oct 21, 2009, 11:07 PM
RE: SPF tutorial-2 / DNS admin guide
At 06:14 22/10/2009 Thursday, Danny Vincent wrote:
>Ok, I have access to my domains records. I've got A, MX, Cname & ptr records & realise you want me to add a .txt record.
>
>I just don't know how to set out the txt record.

without knowing the software or a url to a manual for it i can't guide you in the gui your isp/registrar has given you

I run my own dns servers so just open the zone file in an editor and add/remove/change records

what prompts do you get if it's wizard based one at a time i will give you my best guess answer

all dns records have 3 basic details
name type value

name = _spf.yourdomain-name.whatever
some gui's fill in the domain and thus expect _spf as the name

type == IN txt {group internet}{subgroup text}
{the IN group is all most simple GUI's let you touch but it's the only group used by most so it's ok}

value == "v=spf1 a:mail.webconnect.com.au -all" as previously given

as always let me know if/when done so i can test/see if it's working
{also as it's already 7am can you either respond faster or wait till i get some sleep to continue?}

and as always if you want to pay someone to {just get it done} feel free to contact me offlist and I'll walk you through how to give me vnc access to your pc {so i don't get/need your id/passwords} but i can see your screen and show you what to type where
http://www.alandoherty.net/

{note to list admins this is not me using the list to pimp myself just wanting to offer the faster approach as this to/fro by mail is painful and is probably as horrible to read for all of you others}

>Danny
>
>-----Original Message-----
>From: Alan Doherty [mailto:alan[at]alandoherty.net]
>Sent: Thursday, 22 October 2009 2:17 PM
>To: spf-help[at]v2.listbox.com
>Subject: RE: [spf-help] SPF tutorial-2
>
>At 03:58 22/10/2009 Thursday, Danny Vincent wrote:
>>Alan, I am the systems engineer of every facet of our domains. Yes, I am the hostmaster.
>>
>>Yes I have access to our public & private dns records.
>>
>>We use www.ods.org as our nameservers & delegation.
>
>then complete step 1 as given and I'll test/verify it when done
>
>create the dns entry below
>_spf.easynetworks.com.au. IN TXT "v=spf1 a:mail.webconnect.com.au -all"
>
>This is in standard bind format,
>if it is parsing/understanding this string that is the source of the problem?
>or whatever the problem is with following the instructions please elaborate.
>
>>Danny
>>
>>-----Original Message-----
>>From: Alan Doherty [mailto:alan[at]alandoherty.net]
>>Sent: Thursday, 22 October 2009 12:32 PM
>>To: spf-help[at]v2.listbox.com
>>Subject: RE: [spf-help] SPF tutorial-2
>>
>>OK let's get down to basics
>>
>>SPF relies on DNS records being added to your domains
>>
>>first are you the hostmaster of the domains in question
>>
>>IE do you have the ability to create DNS records within those domains
>>if no/don't know, then no wizard or person here can help, find out who is the DNS administrator and ask them to contact us.
>>
>>{all the wizard does is what we did, took your details and gives back a working SPF record(s) for you to use within your DNS zone file}
>>
>>if yes then what DNS administration tools do you have/use
>>
>>if we are familiar we will assist
>>
>>At 01:39 22/10/2009 Thursday, Danny Vincent wrote:
>>>Alan, thanks for your help so far, but all of what you say assumes that I am familiar with the spf wizard or where to put the entries you describe below.
>>>
>>>Neither of which I know.
>>>
>>>"now work with us, or the wizard"
>>>
>>>I don't know how to fill out the wizard, so as it states on your site, I am to request help through this list. This has drawn some ire for some reason. I didn't know there was a protocol for asking questions.
>>>
>>>If I am to ignore the wizard & enter the details you supplied below, where exactly do I enter the details?
>>>
>>>Why can the site have forums or procedures with screen shots, instead of me treading this minefield of asking the wrong question each time?
>>>
>>>Danny
>>>
>>>-----Original Message-----
>>>From: alan [mailto:spfdiscuss[at]alandoherty.net]
>>>Sent: Thursday, 22 October 2009 10:28 AM
>>>To: spf-help[at]v2.listbox.com
>>>Subject: RE: [spf-help] SPF tutorial-2
>>>
>>>before reading my responses to your ignoring my previous mail again your answer is
>>>
>>>A setup the spf record for
>>>
>>>_spf.your-primary-domain.com "v=spf1 a:mail.webconnect.com.au -all"
>>>or if this is your primary domain
>>>_spf.easynetworks.com.au IN TXT "v=spf1 a:mail.webconnect.com.au -all"
>>>
>>>then after you have done this and after it has been checked by me for typos
>>>{please do not ignore this caveat as a typo can be fatal}
>>>
>>>you add the following spf record to
>>>easynetworks.com.au IN TXT "v=spf1 redirect=_spf.easynetworks.com.au"
>>>
>>>once this has been checked /tested
>>>
>>>you add the same to each domain
>>>
>>>domain1.tld IN TXT "v=spf1 redirect=_spf.easynetworks.com.au"
>>>domain2.com IN TXT "v=spf1 redirect=_spf.easynetworks.com.au"
>>>
>>>etc.etc.
>>>
>>>now work with us, or the wizard, we're volunteers and spf users
>>>and don't appreciate when our previous help is ignored
>>>and we start getting asked how to fill out a form, that's not what we're here for
>>>
>>>At 23:45 21/10/2009 Wednesday, you wrote:
>>>
>>>>
>>>>-----Original Message-----
>>>>From: alan [mailto:spfdiscuss[at]alandoherty.net]
>>>>Sent: Thursday, 22 October 2009 7:47 AM
>>>>To: spf-help[at]v2.listbox.com
>>>>Subject: RE: [spf-help] SPF tutorial-2
>>>>
>>>>Hi all
>>>>
>>>>>Is there any sort of tutorial or step by step guide on setting up spf records?
>>>>
>>>>I found the easiest was read the RFC and syntax documents
>>>>as no one guide will fit all senders most guides are directed at simple senders, as complex setups usually have the technical know how behind them already
>>>>
>>>>>I am looking at setting up spf records for my domain & all the domains hosted on our mail servers
>>>>
>>>>ok sounds ok so far
>>>>
>>>>> of which there are about 30. The mail enters our servers via our mx record
>>>>
>>>>OK from now on no further mention of how other people mail you or MX records as these are unrelated to and irrelevant to how your users send their mail
>>>>{which is all that SPF deals with}
>>>>
>>>>> , but leaves via a different ip address & is then passed onto our isp & leaves via their smtp servers.
>>>>
>>>>ok so your users all send from your ISP's mail servers {how your users mail gets there is also beyond the scope of SPF}
>>>>
>>>>so can you get a list of the ip's of these servers from your isp? or do they possibly {as many do} already provide an SPF record to include in your own?
>>>>
>>>>>> yes, but I'm a little confused. When I do an spf lookup on their domain, there is one attached to their incoming mx record
>>>
>>>ok again stop with the mentioning of anything to do with MX records
>>>spf records are attached to domain names only
>>>
>>>>" Yes, support[at]ecn.net.au has an SPF version 1 record.
>>>>
>>>>Hostname: ecn.net.au
>>>>IP: 203.22.70.2
>>>>Mailserver(s): warp.ecn.net.au
>>>>SPF Record:
>>>>v=spf1 mx ?all
>>>
>>>ok so you are saying ecn.net.au is another domain owned by webconnect.com.au
>>>and has an spf record of "v=spf1 mx ?all"
>>>which means
>>>trust mail from 203.22.70.2
>>>and additionally the rest of the globe as we don't trust spf
>>>
>>>>But their outgoing mail which goes through webconnect does not have an spf record & THAT is the one that matters isn't it?
>>>
>>>if their outgoing mail for ecn.net.au does go through mail.webconnect.com.au yes their spf is flawed
>>>
>>>> As you say at the end of the email, there isn't an spf record for mail.webconnect.com.au
>>>
>>>err no i clearly say there is one for mail.webconnect.com.au
>>>just none for webconnect.com.au
>>>
>>>>or worst case you trial + error test/find all these ip's by repeatedly mailing an external address via your setup/ISP
>>>>
>>>>once you have the IP's you can construct a master spf record for all the domains you host
>>>>like _SPF.your-main-domain.com "v=spf1 <details> -all"
>>>>
>>>>>> Ok, well there only seems to be one for the isp & we only have one that we send from. Problem is, I don't know where to start on that wizard.
>>>
>>>then don't use the wizard
>>>
>>>>1) easynetworks.com.au's IP address is 203.143.228.14 (s1c0e.static.pacific.net.au).
>>>>Does that server send mail from easynetworks.com.au?
>>>
>>>no idea what has this got to do with you?
>>>
>>>>No, that is the incoming address, the outgoing mail leaves us via 203.201.149.50 & mail.webconnect.com.au then picks it up & relays it.
>>>
>>>ok so you are saying you only send mail from mail.webconnect.com.au
>>>as i posited earlier
>>>{as i said stop confusing yourself and the issues by talking about how mail gets to you /from you to them}
>>>the only thing relevant in SPF is who connects to us to send us your email
>>>so if it is ONLY mail.webconnect.com.au
>>>
>>>then the guesswork answer from my first email will work perfectly
>>>
>>>>2) This wizard found 2 names for the MX servers for easynetworks.com.au: s1c18.static.pacific.net.au and mail. (A single machine may go by more than one hostname. All of them are shown.)
>>>>MX servers receive mail for easynetworks.com.au.
>>>>Do they also send mail from easynetworks.com.au?
>>>
>>>obviously the answer is no if this is you
>>>but please use us or the wizard, you failed with the wizard so how about just answering the questions we ask
>>>taking the answers we give
>>>
>>>>s1c0e.static.pacific.net.au is our reverse dns ptr record.
>>>
>>>again irrelevant
>>>
>>>>Do they also send mail from easynetworks.com.au? yes, but they are relayed via a different ip than the incoming ip & are relayed to our isp.
>>>
>>>no you mean then
>>>
>>>>3) Do you want to just approve any host
>>>>whose name ends in easynetworks.com.au? (Expensive, unreliable and not recommended)
>>>>
>>>>I gather, I say no.
>>>
>>>correct
>>>
>>>>4) Do any other servers send mail from easynetworks.com.au?
>>>
>>>this is where you say yes for the first time and put in the name of the server that sends your email
>>>mail.webconnect.com.au
>>>
>>>>I have no idea what this is asking. We have 3 mail servers, all of which send mail via only one of those servers, via only one of our ip's & then go via our isps smtp server.
>>>
>>>again i state
>>>only the servers the world sees are relevant ie 1 mail.webconnect.com.au
>>>
>>>>5) You can describe them by giving "arguments" to the a:, mx:, ip4:, and ptr: mechanisms. mx: takes domain names and approves all the MX servers of these domains. To keep the wizard short we left out ptr:, but it works analogously
>>>>
>>>>Again, I'm not sure what to put here. Do I put my mx records in there & all of the mx records of all of the domains we host in there?
>>>
>>>please either use this forum or the wizard not both
>>>few here would have ever used it, as most could write the most complex spf records from memory
>>>
>>>>6) IP networks can be entered using CIDR notation, eg. 192.0.2.0/24
>>>>
>>>>Which cidr range?
>>>
>>>none in your case as you have one 1 mailserver with 1 ip so it's totally done
>>>
>>>>7) Could mail from easynetworks.com.au originate through
>>>>servers belonging to some other domain?
>>>>If you send mail through your ISP's servers, and the ISP has published an SPF record, name the ISP here.
>>>>
>>>>Yes, our isp's, but their outgoing mail server don't seem to have an spf record, whereas their incoming does.
>>>
>>>no spf is not per incoming or outgoing, please just read the answer given in the first mail and go
>>>
>>>>8) Do the above lines describe all the hosts
>>>>that send mail from easynetworks.com.au?
>>>>
>>>>Hosts, as in hostnames of the mail servers or names of the domains the mail servers send on behalf of?
>>>
>>>hosts as in ips as in the 1 you send mail from
>>>
>>>>9) easynetworks.com.au. IN TXT
>>>>
>>>>No idea what that is asking.
>>>>
>>>>{we can help with the <details> when you can give them to us}
>>>>
>>>>>> What details do you need?
>>>
>>>we already guessed them
>>>the server(s) that send your email
>>>
>>>1 mail.webconnect.com.au
>>>
>>>>and then for each hosted domain, including your-main-domain.com
>>>>setup an spf record of "v=spf1 redirect=_SPF.your-main-domain.com"
>>>>
>>>>>> So I need to run that wizard for every domain we host?
>>>
>>>you never run the wizard you just put in the spf record as i gave you it
>>>
>>>>thus even the ones you don't handle dns for will be able to reference your spf record by adding this line to their dns
>>>>
>>>>and receivers will benefit from DNS caching of the one primary spf record
>>>>
>>>>>When I examine a message header it shows this to be correct.
>>>>>
>>>>>The questions being asked in the spf wizard doesn't seem to match our requirements. I don't want to try & blunder my way through & find that mail is not flowing. Is there any help on this?
>>>>
>>>>I think I pretty much covered it above?
>>>>
>>>>btw the details if sending to the list from the aforementioned setup are
>>>>ISPs mailserver mail.webconnect.com.au
>>>>
>>>>so an spf {assuming they have but this one ip} would be
>>>>"v=spf1 a:mail.webconnect.com.au -all"
>>>>
>>>>but again rather than adding this to every customer directly
>>>>it's better to have your customers reference an SPF within your domain, as you are their ISP
>>>>you in turn reference an SPF or A record within your ISP's domain, {A currently
>>>>
>>>>i use the a: rather than ip4:203.22.70.85 because they may move the server ip at any time this stops that breaking your setup {assuming they correctly move the name}
>>>>
>>>>also i see that although webconnect.com.au doesn't use spf themselves
>>>>mail.webconnect.com.au does have a HELO/EHLO spf record so that's good to know and shows it's likely well maintained
>>>>
>>>>-------------------------------------------
>>>>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>>>>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>>>
>>>>Archives: https://www.listbox.com/member/archive/1020/=now
>>>>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>>>>Powered by Listbox: http://www.listbox.com
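
The record layout worked out in this thread (one shared `_spf` record that every hosted domain points at with `redirect=`), as an added Python example that is not part of the original post: a small evaluator for a subset of SPF (`a`, `mx`, `all`, `redirect=`) run over a constructed DNS table built from the names and addresses quoted above. `typo.example` and its misspelled redirect target are invented here to show why a typo in the redirect is fatal.

```python
import ipaddress

# Constructed DNS data, built from the records and addresses quoted in the thread.
# typo.example is a made-up domain whose redirect target is misspelled.
TXT = {
    "_spf.easynetworks.com.au": "v=spf1 a:mail.webconnect.com.au -all",
    "easynetworks.com.au": "v=spf1 redirect=_spf.easynetworks.com.au",
    "domain1.tld": "v=spf1 redirect=_spf.easynetworks.com.au",
    "ecn.net.au": "v=spf1 mx ?all",
    "typo.example": "v=spf1 redirect=_spf.easynetwork.com.au",
}
A = {"mail.webconnect.com.au": ["203.22.70.85"], "warp.ecn.net.au": ["203.22.70.2"]}
MX = {"ecn.net.au": ["warp.ecn.net.au"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, budget=None):
    """Evaluate a subset of SPF (a, mx, all, redirect=) for a connecting IP."""
    budget = [10] if budget is None else budget  # RFC 7208: at most 10 DNS-querying terms
    client = str(ipaddress.ip_address(ip))  # validates and normalises the address
    terms = TXT.get(domain.lower().rstrip("."), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("a", "mx"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            target = (arg or domain).lower().rstrip(".")
            hosts = MX.get(target, []) if name == "mx" else [target]
            matched = any(client in A.get(h, []) for h in hosts)
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is None:
        return "neutral"  # nothing matched and there is nothing to redirect to
    budget[0] -= 1
    if budget[0] < 0:
        return "permerror"
    result = check_host(ip, redirect, budget)
    # A redirect target with no SPF record is a permanent error, not "none".
    return "permerror" if result == "none" else result
```

`check_host("203.22.70.85", "domain1.tld")` returns `pass`, while the internal relay address `203.201.149.50` connecting directly for `easynetworks.com.au` returns `fail`, because only the host the receiver sees is listed.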