Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: Help

Setting up the correct SPF with one SMTP for few domains

 

 

SPF help RSS feed   Index | Next | Previous | View Threaded


pmontelatici at gmail

Aug 1, 2010, 11:05 PM

Post #1 of 9 (2229 views)
Permalink
Setting up the correct SPF with one SMTP for few domains

I'm new to SPF, read the faq and tried the wizard. I think to have got to the
right spf to add to my DNS but before doing it, I'd like to ask to some
experts here if it is correct.

My situation is:
I have a machine running a SMTP server and a web server. The IP of the machine
is 109.231.67.172. The hostname of the SMTP is postoffice.bryo.it (I should
have set up mx, ptr, reverse dns etc all correctly).
All web applications (using different domains) use postoffice.bryo.it as SMTP
address (it accepts email from localhost only). So, for example, I have
calcolatermini.info and casainpermuta.it that sends emails using
postoffice.bryo.it (as info [at] calcolatermini and/or
contact [at] casainpermuta).

As far as I have understand, I should create a TXT record for bryo.it like
this:
v=spf1 a a:postoffice.bryo.it a:casainpermuta.it a:calcolatermini.info ?all

Is that correct? Is that all? Or should I do anything on casainpermuta.it and
calcolatermini.info domains as well?

Thanks a lot!
Pietro



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


vesely at tana

Aug 2, 2010, 3:42 AM

Post #2 of 9 (2157 views)
Permalink
Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

On 02/Aug/10 08:05, Pietro wrote:
> I'm new to SPF, read the faq and tried the wizard. I think to have got to the
> right spf to add to my DNS but before doing it, I'd like to ask to some
> experts here if it is correct.

You should read at least the first two sections of RFC 4408.

> My situation is:
> I have a machine running a SMTP server and a web server. The IP of the machine
> is 109.231.67.172. The hostname of the SMTP is postoffice.bryo.it (I should
> have set up mx, ptr, reverse dns etc all correctly).
> All web applications (using different domains) use postoffice.bryo.it as SMTP
> address (it accepts email from localhost only). So, for example, I have
> calcolatermini.info and casainpermuta.it that sends emails using
> postoffice.bryo.it (as info [at] calcolatermini and/or
> contact [at] casainpermuta).

Users? I've seen you wrote from a gmail address, rather than one of
your domains. If anyone, besides applications, actually /uses/ those
addresses, you need to take also their sending paths into account.

> As far as I have understand, I should create a TXT record for bryo.it like
> this:
> v=spf1 a a:postoffice.bryo.it a:casainpermuta.it a:calcolatermini.info ?all

All those "a" terms result in the same address 109.231.67.172, so they
are redundant. You must figure out what you want the receiving server
to do when it sees that record. It is currently equivalent to either

v=spf1 a ?all
or
v=spf1 ip4:109.231.67.172 ?all

The former seems shorter and easier to maintain, but its behavior may
vary, e.g. when it's included. The latter requires you to change the
actual address whenever you change network provider, but is pretty clear.

> Is that correct? Is that all? Or should I do anything on casainpermuta.it and
> calcolatermini.info domains as well?

You should also publish a record for the other domains, including
postoffice.bryo.it (which currently has an MX.) Actually, you should
publish an SPF/TXT for each A/AAAA, since the corresponding domain
name can be legally used as the domain part of an email address. For
names that must _never_ be used for mail, specify

v=spf1 -all

HTH


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


spf1 at beer

Aug 2, 2010, 3:57 AM

Post #3 of 9 (2161 views)
Permalink
Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

> As far as I have understand, I should create a TXT record for bryo.it like
> this:
> v=spf1 a a:postoffice.bryo.it a:casainpermuta.it a:calcolatermini.info
> ?all
>
> Is that correct?

No.

You've got SPF round the wrong way. You need a record for each domain
saying which servers it uses to send mail, not a record for the server to
say which domains it services.

So what you needd is a record for *each* of your domains that contains
something like :-

v=spf1 ip4:109.231.67.172 ~all

This assumes a fixed IP address - you could use "a:postoffice.bryo.it" if
you expect it to change, and uses the "~all" mechanism so that your mail
doesn't get discarded if you make any errors. You especially need to make
sure that no other mail is sent from these domains except from that one IP
address - think about how many users may send from each domain.

> Is that all? Or should I do anything on casainpermuta.it and
> calcolatermini.info domains as well?

Each of those domains needs the same record as above.

Vic.



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


pmontelatici at gmail

Aug 2, 2010, 10:52 PM

Post #4 of 9 (2159 views)
Permalink
Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

Vic <spf1 <at> beer.org.uk> writes:

> You've got SPF round the wrong way. You need a record for each domain
> saying which servers it uses to send mail, not a record for the server to
> say which domains it services.
Thanks! I knew I was missing an important piece, everything is much clearer now.

>
> So what you needd is a record for *each* of your domains that contains
> something like :-
>
> v=spf1 ip4:109.231.67.172 ~all
>
> This assumes a fixed IP address - you could use "a:postoffice.bryo.it" if
> you expect it to change, and uses the "~all" mechanism so that your mail
> doesn't get discarded if you make any errors. You especially need to make
> sure that no other mail is sent from these domains except from that one IP
> address - think about how many users may send from each domain.
Actually emails from those domains are sent by (1) the web apps (v=spf1
a:postoffice.bryo.it ~all) and (2) from real users through gmail. Should I use ?
all instead of ~all to include gmail as an authorized sender or there's a better
way?

Pietro




-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


pmontelatici at gmail

Aug 2, 2010, 10:58 PM

Post #5 of 9 (2177 views)
Permalink
Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

Alessandro Vesely <vesely <at> tana.it> writes:

> Users? I've seen you wrote from a gmail address, rather than one of
> your domains. If anyone, besides applications, actually /uses/ those
> addresses, you need to take also their sending paths into account.
You're right, users send emails from those domains using gmail (GoogleApps). As
far as I understand (http://www.google.com/support/a/bin/answer.py?answer=178723)
I should add "include:_spf.google.com", right?

Thanks,
Pietro



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


pmontelatici at gmail

Aug 2, 2010, 11:01 PM

Post #6 of 9 (2154 views)
Permalink
Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

Pietro <pmontelatici <at> gmail.com> writes:

> Actually emails from those domains are sent by (1) the web apps (v=spf1
> a:postoffice.bryo.it ~all) and (2) from real users through gmail. Should
> I use ? all instead of ~all to include gmail as an authorized sender
> or there's a better way?
I think to have found the answer
(http://www.google.com/support/a/bin/answer.py?answer=178723).
So my complete spf to add to my domains should read:
v=spf1 a:postoffice.bryo.it include:_spf.google.com ~all

Thanks for your help!
P




-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


spf1 at beer

Aug 3, 2010, 2:35 AM

Post #7 of 9 (2150 views)
Permalink
Re: Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

> So my complete spf to add to my domains should read:
> v=spf1 a:postoffice.bryo.it include:_spf.google.com ~all

I wouldn't do it quite like that - you are telling the world that any mail
coming from Google *is* authorised to send on your behalf. That could be a
lot of people...

I would use "v=spf1 a:postoffice.bryo.it ?include:_spf.google.com ~all" if
you want the A record lookup (use the ip4: mechanism if you can).

Vic.



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


pmontelatici at gmail

Aug 3, 2010, 8:40 AM

Post #8 of 9 (2149 views)
Permalink
Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

Vic <spf1 <at> beer.org.uk> writes:

> I would use "v=spf1 a:postoffice.bryo.it ?include:_spf.google.com ~all" if
> you want the A record lookup (use the ip4: mechanism if you can).
Vic, thanks for the ?include suggestion, I will.

Sorry why you suggest ip4 over A record?

Cheers,
Pietro




-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


spf1 at beer

Aug 3, 2010, 9:00 AM

Post #9 of 9 (2153 views)
Permalink
Re: Re: Setting up the correct SPF with one SMTP for few domains [In reply to]

> Sorry why you suggest ip4 over A record?

It's one less DNS lookup.

Vic.



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

SPF help RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.