SPF dns TXT records for mail


Frankster

Well, I've decided that I would like to add an SPF record to validate my
mail server on the Internet.

Note: At present only a few mail servers support this, but HOTMAIL is one.
Without this SPF TXT record in DNS, HOTMAIL considers your incoming mail to
be junk and you find it in your junk folder.

Anyway,

I manage my own Internet DNS using a DNS service provider (via GUI).

This GUI does support SPF records and has a place to "Add an SPF record".

However, I am asked to provide a hostname and I am unsure what to use for a
hostname.

I tried using my previously defined hostname (with A record) and when I
added this SPF txt record it REPLACED my original A record. Apparently that
must mean I cannot have a TXT record and an A record with the same
hostname???

Anyway, for those that know what an SPF record is, can you help here? I
need advice on how to handle the hostname portion.

Note: My mail server does have a valid hostname (FQDN), with A record, and
presents that name during the mail negotiations. My hostname is present in
the mail headers it creates.

Thanks,

-Frank
 
Frankster said:
Well, I've decided that I would like to add an SPF record to validate
my mail server on the Internet.

Note: At present only a few mail servers support this, but HOTMAIL is
one. Without this SPF TXT record in DNS, HOTMAIL considers your
incoming mail to be junk and you find it in your junk folder.

Anyway,

I manage my own Internet DNS using a DNS service provider (via GUI).

This GUI does support SPF records and has a place to "Add an SPF
record".

However, I am asked to provide a hostname and I am unsure what to use
for a hostname.

I tried using my previously defined hostname (with A record) and when
I added this SPF txt record it REPLACED my original A record.
Apparently that must mean I cannot have a TXT record and an A record
with the same hostname???

Anyway, for those that know what an SPF record is, can you help here?
I need advice on how to handle the hostname portion.

Note: My mail server does have a valid hostname (FQDN), with A
record, and presents that name during the mail negotiations. My
hostname is present in the mail headers it creates.

Go to spf.pobox.com and run the SPF wizard.
You need at least one of these:
1. host names that can send mail for your Domain
2. domains that have MX servers that can send mail from your domain
3. IP addresses of mail servers that can send mail from your domain. A CIDR
is acceptable, such as 192.168.0.0/29 (just an example)
 
Thank you. Yes, I think I've got it! I finally figured out how to add a
TXT record without removing the original A record in the process. I have
configured all my domains (4) with appropriate SPF records. I now get a
PASS when checking compliance at the following (GREAT!) website:

http://www.dnsstuff.com/pages/spf.htm

My output looks like this (with domain name and IP changed to protect the
innocent - ME!) LOL!

----start---
SPF lookup of sender (e-mail address removed) from IP 6x.1xx.1xx.xx:

SPF string used: v=spf1 mx ptr ~all.
Processing SPF string: v=spf1 mx ptr ~all.
Testing 'mx' on IP=6x.1xx.1xx.xx, target domain xxxxxxxxxx.com, CIDR 32,
default=PASS. MATCH!
Testing 'ptr' on IP=6x.1xx.1xx.xx, target domain xxxxxxxxxx.com, CIDR 32,
default=PASS.
Testing 'all' on IP=6x.1xx.1xx.xx, target domain xxxxxxxxxx.com, CIDR 32,
default=SOFTFAIL.

Result: PASS


Possible Results:
Pass - This IP is authorized to send E-mail from this domain.
Fail - This IP is not authorized to send E-mail from this domain
SoftFail - This IP probably is not authorized to send E-mail from this
domain, but the domain owners are not certain
Neutral - The domain does not know if the IP is allowed to send E-mail or
not.
TempError - A temporary error occurred. The E-mail should be retried later.
PermError - A permanent error was encountered. The E-mail should be
rejected.
None - No SPF record was found. It cannot be determined if the IP is allowed
to send E-mail from this domain.
---end---

At this point in time HOTMAIL still plunks mail from my domains into "junk".
However, I'm hoping that this is just a propagation issue (or caching issue)
and that in a day or so HOTMAIL will accept my mail as fully authenticated.
We'll see. At least I test good now.

I've learned a lot about mail in the last 8 hours or so :)

Thanks,

-Frank
 
Frankster said:
Thank you. Yes, I think I've got it! I finally figured out how to add a
TXT record without removing the original A record in the process. I have
configured all my domains (4) with appropriate SPF records. I now get a
PASS when checking compliance at the following (GREAT!) website:

http://www.dnsstuff.com/pages/spf.htm

My output looks like this (with domain name and IP changed to protect the
innocent - ME!) LOL!


Watch out if there are ways that YOUR users can send
email that doesn't go through your "normal" or default
servers -- like a dial user who sends outbound email
through their ISP.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Frank,
Looks like you had some fun with those links I gave you! haha

Congrats on getting SPF working. Remember that there is one thing that
breaks with SPF. SPF breaks e-mail forwarding. This may or may not be a
big deal for you depending on what sort of environment you run.

"You'll have to switch from forwarding, where the envelope sender is
preserved, to remailing, where the envelope sender is changed." - your
MTA has to support this.

You can check out the following link for more info:
http://spf.pobox.com/faq.html

Glad to see other folks getting SPF up and running.

Regards,
Ed Horley
Microsoft MVP Windows Server - Networking
 
Frank,
Looks like you had some fun with those links I gave you! haha

Yeah, no kidding. Thank you. Other than the stupid bug in my provider's DNS
GUI it wasn't all that tough. Just a lot of research in one day :)

Congrats on getting SPF working. Remember that there is one thing that
breaks with SPF. SPF breaks e-mail forwarding. This may or may not be a
big deal for you depending on what sort of environment you run.

Yeah, I read about that. I don't do any forwarding here and don't plan to.

You can check out the following link for more info:
http://spf.pobox.com/faq.html

Yeah, I've already learned a lot from that site too. Lotta good stuff out
there if you have time to read it all.

Glad to see other folks getting SPF up and running.

Well, yeah, I guess :) Sometimes I start to wonder if the cure is worse
than the disease. LOL.

Again, thanks.

-Frank
 