greg at stickywicketdesigns
Aug 31, 2010, 9:50 AM
Post #3 of 5
The record that is in place is the result of my foolhardy attempt with the SPF Setup Wizard (http://old.openspf.org/wizard.html).
Re: proper spf when using gmail for domain's mail server
On 2010-08-31, at 9:24 AM, Vic wrote:
>> The current SPF record I have is:
>> "v=spf1 ip4:22.214.171.124/24 a mx a:gmail.com include:telus.net ?all"
> This isn't right...
> 126.96.36.199/24 is 256 addresses. It's unlikely you're sending from all
> those boxes. What problem are you trying to solve with that?
> The "a" and "mx" clauses are comparatively harmless, but probably aren't
> what you're after. Do you send mail directly (i.e. not via an outbound
> SMTP server) to recipients from the box that serves the main domain? If
> you don't, you don't want the "a" bit in there. Your MX record (for the
> domain from which you sent your email) seems to list only gmail servers -
> so you probably don't want that in there either.
> The "a:gmail.com" bit doesn't help; if you're trying to authorise gmail
> servers, you should use "include:_spf.google.com" (according to Google's
> page at http://www.google.com/support/a/bin/answer.py?answer=178723 ). But
> you might not want to declare anything coming from Google as "positively
> authorised"; gmail has a lot of users. I don't know how well Google does
> anti-spoofing internally.
> The same comment applies to telus.net; there are a lot of people on that
> ISP, and I'm pretty sure it's easy to spoof from there.
> Lastly, the "?all" default says to treat as unknown anything that hasn't
> already been matched - so the record is somewhat ineffective :-(
Thanks for the explanation - I really do appreciate that feedback.
As for the setup, I do have webform confirmation messages that get sent from my web server itself (188.8.131.52).
My office computer is a laptop, and as such I do have several potential connection points (various ISPs). But my home and office are both on the Telus network, but in each case, the SMTP setting routes through gMail (overriding the ISP's default).
> My ***guess*** at your correct record - and I can do no more than guess
> without knowing more about your setup - would be something like :-
> v=spf1 ?include:_spf.google.com ?include:telus.net ~all
> until you're sure it's correct, then change that to
> v=spf1 ?include:_spf.google.com ?include:telus.net -all
> ...But that might be wrong.
Could you also recommend the best way to verify the SPF is set up correctly? Is there a free (hopefully) service out there that does this?
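Added example, not part of the original thread: a Python sketch that breaks the two records quoted above into their mechanisms, shows the result each qualifier produces on a match, and flags the two weaknesses raised in the reply (a wide ip4 range and a default that does not reject). The names parse_spf and lint_spf and the max_hosts threshold are assumptions of this example; it reads only the record text and performs no DNS lookups.

```python
import ipaddress

# SPF qualifiers and the result a matching mechanism produces (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return [(result_if_matched, mechanism, argument), ...] for an SPF record."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        # A mechanism with no explicit qualifier defaults to "+" (pass).
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = body.partition(":")
        if "=" in name:  # modifiers such as redirect= are not mechanisms
            continue
        parsed.append((QUALIFIERS[qualifier], name.lower(), arg))
    return parsed

def lint_spf(record, max_hosts=16):
    """Flag over-broad ip4 ranges and an 'all' default that does not reject.

    max_hosts is an arbitrary threshold chosen for this example.
    """
    warnings = []
    for result, name, arg in parse_spf(record):
        if name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if net.num_addresses > max_hosts:
                warnings.append(f"ip4:{arg} authorises {net.num_addresses} addresses")
        if name == "all" and result in ("pass", "neutral"):
            warnings.append(f"default is {result}: unmatched senders are not rejected")
    return warnings

# Records exactly as quoted in the thread above.
CURRENT = '"v=spf1 ip4:22.214.171.124/24 a mx a:gmail.com include:telus.net ?all"'
SUGGESTED = "v=spf1 ?include:_spf.google.com ?include:telus.net -all"

if __name__ == "__main__":
    for label, rec in (("current", CURRENT), ("suggested", SUGGESTED)):
        print(label)
        for result, name, arg in parse_spf(rec):
            print(f"  {name}{':' + arg if arg else ''} -> {result} on match")
        for warning in lint_spf(rec):
            print("  WARNING:", warning)
```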