
spfdiscuss at alandoherty
Dec 2, 2010, 2:54 AM
Post #10 of 51
(4974 views)
Re: How to set up spf for my client/server situation
At 18:27 01/12/2010 Wednesday, Neil Gunton wrote:
>Ok, thanks again. I have changed all my spf records for bind to the following:
>
>TXT "v=spf1 ip4:208.64.24.170 -all"
>SPF "v=spf1 ip4:208.64.24.170 -all"

again i urge you to consider ?all while testing (as you cannot easily guess what forwarding arrangements your receivers may have, and -all will cause all receivers with badly set up (non-whitelisted) forwarding hosts to reject all the (forged by their own forwarder) mail)

>My setup is pretty simple - multiple domains on a single ip address, so I guess that should do it, right? Thanks for the clarification of the 'all', the entry I had was generated (I think) from one of the spf "wizards" online, possibly the Microsoft one,

the microsoft one is NOT spf (same syntax, totally different system), called senderID, and not compatible

> but I can't remember. Obviously either I misunderstood the questions the wizard asked me, or else the wizard itself was screwed up.

usually the second; no wizard i have seen approaches anything near to simple logic.

>Also, what I am getting is that the ip address of my computer here at home (which originates email sent personally by me) is irrelevant to spf -

yes

> the only ip address that matters is the address of my mail server, is that correct?

not entirely: not your mail server, but any mail server that is allowed to send mail to others on your behalf (for example if your server was only used to receive and you used your isp 'isp-x' to send mail only, then your spf should have no mention of your server, just the ip's/names of the isp-x servers)

> If so, then the above entries make perfect sense, since they seem to say that mail can come from this ip address, and only this ip address (true, I have no other email servers), and the '-all' says exclude any other ip addresses. Sounds simple.

yup it is but..
-all means HARDFAIL all others (ie you recommend that they refuse mail from any other source)
~all means SOFTFAIL all others (ie you recommend treating other sources with suspicion)
?all means NEUTRAL all others (ie you recommend treating other sources neither positively (pass) nor negatively (fail), just treat them the way you do email with no spf)
as in my original mail

>Sorry for my ignorance, I am very busy with development and did not take the time to dedicate to learning about spf in depth, but you've been extremely helpful. Much appreciated.
>
>I think that should do it, please let me know if I'm missing anything else here...
>
>Thanks again,
>
>Neil
>
>alan wrote:
>>ok, questions dealt with in reverse order as it's late and only the last approached an SPF issue
>>first off your SPF
>>"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>utter bollix, beyond useless, and will get your mail dumped by any anti-spam system
>>starting from the fact you send all mail from one ip (spidey.nilspace.com)
>>it should therefore be
>>"v=spf1 ip4:208.64.24.170" then either ?all, ~all or -all
>>and that is all
>>the a (waste of receivers' resources as it will be the same ip)
>>the mx (waste of receivers' resources as it will be the same ip)
>>the ptr (should never be used and will never match)
>>the mx:spidey.nilspace.com (error breaking all, as spidey.nilspace.com has no MX records)
>>the +all (biggest mistake of all, says "oh and we send from every ip in the world too", classic spammer and will get mail shot)
>>now onto the rest
>>At 01:44 01/12/2010 Wednesday, Neil Gunton wrote:
>>>Hi, I'm sorry if this turns out to be a stupid question, but I'm having some trouble working out how to construct my spf record. Here's my setup:
>>>
>>>I have a colo server in a datacenter, which has a single ip address.
>>relevant
>>
>>>I run several websites on this server, with multiple domains that each host a website. Email can be sent from any of these domains, via the local sendmail server, with 'neil' as the username and then the current website domain as the tld for the email address. So for example one of my sites is crazyguyonabike.com, so when I send a registration email from that site, it is 'From' neil [at] crazyguyonabike. The reverse DNS and mx for the ip address is spidey.nilspace.com.
>>irrelevant
>>ok, assuming your sendmail greets [helo/ehlo] as spidey.nilspace.com:
>>first spf record should be for this domain (currently none)
>>as above, it should only be for a helo/ehlo, thus should terminate -all
>>v=spf1 ip4:208.64.24.170 -all
>>next neil [at] crazyguyonabike
>>currently broken beyond belief
>>should be v=spf1 ip4:208.64.24.170 -/~/?all
>>-/~/? means pick one depending on the forgery handling policy you want receivers to follow
>>- means mail from any other ip should be considered spam/forged harshly, HARDFAIL (breaks non-SRS forwarding to ISPs too sloppy to allow users to whitelist their own forwarders)
>>~ means to consider mail from any other ip to be probably spam (but not always), SOFTFAIL (survives more broken forwarding but also less strongly protects you from forgery)
>>? means consider mail that hasn't passed the spf test like you would mail with no SPF, NEUTRAL (pointless, but breaks less forwarding and perfect for testing)
>>
>>>I also send email through this server from my home computer, which is on a cable or DSL connection. When I do this, sendmail always seems to attach a "may be forged" header to my emails, and I can't seem to stop that from happening - presumably it's because my emails are "from" neil [at] nilspace, but my originating ip address does not resolve to nilspace.com, but rather to the cable or DSL company. This isn't the main issue, though.
>>pointless, but nothing but sendmail being mis-configured
>>(you do send mail via an authenticated connection to port 587 (the mail submission port), I assume)
>>if so, as long as sendmail trusts your ID/password it should trust your envelope-sender
>>
>>>The problem is that I find that sometimes my emails just don't get through at all. In particular, I recently changed the registration confirmations on crazyguyonabike.com to be 'From' neil [at] crazyguyonabike, whereas previously they came 'From' neil [at] nilspace. I wanted the address to match the domain the person was registering on. However now I have had a couple of instances where these confirmations just aren't getting through at all, and this is to yahoo.com email accounts, which previously have been very reliable in terms of delivery. The messages aren't in the spam folder, they just never seem to get through at all. The weird thing is that emails from neil [at] nilspace, sent from my home computer, do get through. So the automated ones from the server don't get through, but ones from home do, but they are both coming from the same email server. I'm wondering if the spf record has something to do with it - maybe Yahoo! is seeing something weird about an email claiming to be from crazyguyonabike.com, but my spf doesn't mention that domain? Here's my current SPF record, generated a while back from an online wizard:
>>your and anyone's spf is just a list of ip's; nothing 'sees' the domains mentioned within
>>your spf having a broken second-last record and ending +all is a more likely cause
>>and btw no one looks at the from address, just the envelope-sender
>>it's likely, if your home mail is being treated differently, it's because its envelope-sender is correct
>>(and thus the web-script is perhaps sending from:correct-address but leaving the envelope-sender as apache [at] spidey or some other nonsense)
>>with sendmail it's necessary to use -f and have the user running the process in trusted-users to allow 'forging/setting the envelope sender to anything but the default'
>>a copy of one of each type of mail with full headers will answer this faster than me trying to teach you how to distinguish between them
>>send one of each direct (not via list) to my address and I'll look at them in the morning, and tell you which is broken
>>
>>>"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>>
>>>Should I have more stuff in there related to my other domains, even though they all resolve to the same IP address? How about my home connection, do I need to have anything related to that in there?
>>>
>>>Hope this makes sense, please let me know if you need more information...
>>>
>>>Thanks!
>>>
>>>Neil
>>>
>>>
>>>-------------------------------------------
>>>Sender Policy Framework: http://www.openspf.org
>>>Modify Your Subscription: http://www.listbox.com/member/
>>>
>>>Archives: https://www.listbox.com/member/archive/1020/=now
>>>RSS Feed: https://www.listbox.com/member/archive/rss/1020/15739084-a04d3caa
>>>Modify Your Subscription: https://www.listbox.com/member/?&
>>>Unsubscribe Now: https://www.listbox.com/unsubscribe/?&&post_id=20101130204417:81179282-FCEC-11DF-97DB-AC9BBAB6F015
>>>Powered by Listbox: http://www.listbox.com
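The qualifier semantics (-all / ~all / ?all / +all) and the point that a receiver only ever compares the connecting IP against the envelope-sender or HELO domain's record, as an added example that is not code from this thread or from any SPF library: a small Python evaluator over a constructed zone table. The hostnames and the address 208.64.24.170 come from the thread; the A/MX contents, the `example.test` zone carrying the wizard record, and the forwarder address 198.51.100.7 are assumptions made for the illustration. It shows why the corrected record passes the server and fails an unlisted forwarder, why `mx:spidey.nilspace.com` can never match when that name has no MX records, and why a record ending `+all` passes every IP on the internet.

```python
import ipaddress

# Constructed stand-in for DNS, so the evaluator runs offline. The hostnames and
# the address 208.64.24.170 are taken from the thread; the A/MX contents and the
# example.test zone are assumptions made for this illustration, not real lookups.
ZONE = {
    "spidey.nilspace.com": {   # HELO/EHLO name: only ever the server itself, so -all
        "TXT": ["v=spf1 ip4:208.64.24.170 -all"],
        "A": ["208.64.24.170"], "MX": []},
    "crazyguyonabike.com": {   # web-site domain with the corrected record
        "TXT": ["v=spf1 ip4:208.64.24.170 -all"],
        "A": ["208.64.24.170"], "MX": ["spidey.nilspace.com"]},
    "nilspace.com": {          # same server, softfail policy for comparison
        "TXT": ["v=spf1 ip4:208.64.24.170 ~all"],
        "A": ["208.64.24.170"], "MX": ["spidey.nilspace.com"]},
    "example.test": {          # assumed domain carrying the 'wizard' record from the thread
        "TXT": ["v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"],
        "A": ["208.64.24.170"], "MX": ["spidey.nilspace.com"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Answer a query from the constructed zone table (empty list = no records)."""
    return ZONE.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def mechanism_matches(name, arg, client_ip, domain):
    """True if the connecting IP matches one mechanism of a record."""
    if name == "all":
        return True
    if name == "ip4":
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        # a[:name] matches when any A record of that name equals the client IP
        return any(client_ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
    if name == "mx":
        # mx[:name] matches the A records of each MX host; a name with no MX
        # records (spidey.nilspace.com in the thread) can never match
        return any(client_ip == ipaddress.ip_address(a)
                   for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
    if name == "include":
        return check_spf(client_ip, arg) == "pass"
    if name == "ptr":
        # ptr needs reverse DNS, which this table does not model; treating it as
        # a non-match reflects the thread's advice not to rely on it
        return False
    raise ValueError(f"unsupported mechanism: {name}")


def check_record(client_ip, domain, record):
    """Evaluate one SPF record left to right against the connecting IP.

    The only inputs are the IP that connected to the receiver and the domain of
    the envelope sender (or HELO name); the From: header plays no part, which is
    why a home PC relaying through the listed server still passes.
    """
    client_ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mechanism_matches(name, arg, client_ip, domain):
            return QUALIFIER[qualifier]
    return "neutral"   # nothing matched and no 'all' term


def check_spf(client_ip, domain):
    """Fetch the domain's record and evaluate it; 'none' if no record exists."""
    record = spf_record(domain)
    return "none" if record is None else check_record(client_ip, domain, record)


if __name__ == "__main__":
    server = "208.64.24.170"
    forwarder = "198.51.100.7"   # constructed: a receiver-side forwarder listed in no record
    for ip, domain in [(server, "crazyguyonabike.com"), (forwarder, "crazyguyonabike.com"),
                       (forwarder, "nilspace.com"), (forwarder, "example.test")]:
        print(f"{ip:>15} as {domain:<20} -> {check_spf(ip, domain)}")
```

Running it prints pass, fail, softfail and pass for the four cases: the forwarder case against the wizard record is the "we send from every ip in the world too" problem the thread describes, while the same forwarder against the corrected -all record is the forwarding breakage that motivates testing with ?all first.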