SPF Record - Is it correct?


Exch

Hello,
I'm sending the SPF record to my provider's dns office, and I'd like
to have your opinion about the string I have written. At first I will
explain our dns and mailserver configuration:

1) We have 2 SMTP servers that go out with the same public IP (one for
inbound/one for outbound).
2) This public IP has an MX record, mail.mydomain.com.
3) There is a PTR record xxx.xxx.xxx.xxx.in-addr.arpa
mail.mydomain.com.
4) We also send mail through mail.provider1.com, mail.provider2.com
and a static ip yyy.yyy.yyy.yyy.


The generated text is this:

v=spf1 mx a:mail.provider1.com a:mail.provider2.com a:yyy.yyy.yyy.yyy
mx:mail.mydomain.com ?all

What do you think about this spf record? Is this correct for my
configuration?

Thank You
Exch
 

Herb Martin

Exch said:
Hello,
I'm sending the SPF record to my provider's dns office, and I'd like
to have your opinion about the string I have written. At first I will
explain our dns and mailserver configuration:

1) We have 2 SMTP servers that go out with the same public IP (one for
inbound/one for outbound).
2) This public IP has an MX record, mail.mydomain.com.
3) There is a PTR record xxx.xxx.xxx.xxx.in-addr.arpa
mail.mydomain.com.
4) We also send mail through mail.provider1.com, mail.provider2.com
and a static ip yyy.yyy.yyy.yyy.


The generated text is this:

v=spf1 mx a:mail.provider1.com a:mail.provider2.com a:yyy.yyy.yyy.yyy
mx:mail.mydomain.com ?all

What do you think about this spf record? Is this correct for my
configuration?

I find it nearly impossible to check these things by "inspection" -- there
are tools on the SPF sites for either creating or checking them though.

That and entering them into a test domain where you can test them using
NSLookup are probably the most useful.
 

Ace Fekay [MVP]

Exch said:
Hello,
I'm sending the SPF record to my provider's dns office, and I'd like
to have your opinion about the string I have written. At first I will
explain our dns and mailserver configuration:

1) We have 2 SMTP servers that go out with the same public IP (one for
inbound/one for outbound).
2) This public IP has an MX record, mail.mydomain.com.
3) There is a PTR record xxx.xxx.xxx.xxx.in-addr.arpa
mail.mydomain.com.
4) We also send mail through mail.provider1.com, mail.provider2.com
and a static ip yyy.yyy.yyy.yyy.


The generated text is this:

v=spf1 mx a:mail.provider1.com a:mail.provider2.com a:yyy.yyy.yyy.yyy
mx:mail.mydomain.com ?all

What do you think about this spf record? Is this correct for my
configuration?

Thank You
Exch

I would try:

v=spf1 a:mail.provider1.com a:mail.provider2.com ipv4:yyy.yyy.yyy.yyy/32
mx:mail.mydomain.com -all


You can also check around various domains that are using it through nslookup
to see how they are doing it. Set q=txt when querying.

Either way, I would use a "-all" (called a hard fail) so emails coming from
elsewhere other than the IP reverse or IP stipulated will be assumed spam.
The /32 indicates ONLY that IP and not a range.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

 

Exch

I would try:

v=spf1 a:mail.provider1.com a:mail.provider2.com ipv4:yyy.yyy.yyy.yyy/32
mx:mail.mydomain.com -all

Thank you for your reply!
So you have deleted the "mx" parameter. Is using ONLY mx, or ONLY
mx:mail.mydomain.com, the same thing?

Thank you
Exch
 

Ace Fekay [MVP]

Exch said:
Thank you for your reply!
So you have deleted the "mx" parameter. Is using ONLY mx, or ONLY
mx:mail.mydomain.com, the same thing?

Thank you
Exch

After I posted that, I realized it could be redundant, yes. You can achieve
the same thing without the "mx:mail.mydomain.com". Some even put in a
ptr:mail.mydomain.com as well, but that would restrict everything only to
that domain and would probably cause problems if hosting multiple domains.

Ace
 

Kevin D. Goodknecht Sr. [MVP]

Read inline please.

Exch said:
Hello,
I'm sending the SPF record to my provider's dns office, and I'd like
to have your opinion about the string I have written. At first I will
explain our dns and mailserver configuration:

1) We have 2 SMTP servers that go out with the same public IP (one for
inbound/one for outbound).
2) This public IP has an MX record, mail.mydomain.com.
3) There is a PTR record xxx.xxx.xxx.xxx.in-addr.arpa
mail.mydomain.com.
4) We also send mail through mail.provider1.com, mail.provider2.com
and a static ip yyy.yyy.yyy.yyy.


The generated text is this:

v=spf1 mx a:mail.provider1.com a:mail.provider2.com a:yyy.yyy.yyy.yyy
mx:mail.mydomain.com ?all

What do you think about this spf record? Is this correct for my
configuration?

You need to break it down.
v=spf1 means the txt record is an SPF record.

"mx" indicates all servers listed in your MX records also send mail for your
domain. So in many cases "v=spf1 mx -all" would be all you need if only
servers with MX records send mail from your domain. But you must make sure
your MX records, SMTP HELO names and PTRs match.

"a:mail.provider1.com" indicates this mail server sends mail for your domain
"a:mail.provider2.com" indicates this server also sends mail for your domain

"a:yyy.yyy.yyy.yyy" is not valid; it should be ipv4:yyy.yyy.yyy.yyy for IP
addresses.

"mx:mail.mydomain.com" may also be invalid if there is not an MX record like
this:
"mail.mydomain.com MX 10 mail.mydomain.com"
The "mx:" indicates MX servers for other domains that can also send mail
from your domain. So if for instance all of your ISP's MX servers can send
mail from your domain, you would use "mx:ispdomain.com"

"?all" indicates this should be all servers that can send mail for your
domain; any mail from your domain not coming from one of these servers
should be accepted but may be marked as junk mail. It is pretty much the
same as ~all: hard fails are not allowed. Hard fails should only be allowed
using -all.

In my opinion, the SPF should be kept as simple as possible, but the problem
with sending mail through your ISP, is that the way some ISPs relay their
mail, it is almost impossible to predict what relay server will be sending
mail, you should verify this with your ISP.

If the ISP servers are correct and your MX records are set up correctly your
SPF should probably look like this:
"v=spf1 mx a:mail.provider1.com a:mail.provider2.com -all" or
"v=spf1 mx ipv4:<yourIPaddressCIDR> a:mail.provider1.com
a:mail.provider2.com -all"


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
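The mechanism-by-mechanism breakdown above can be checked offline with a small evaluator. The code below is an added example, not from any poster in this thread: it evaluates a sending IP against the thread's original record and the hardened form using a constructed DNS table (RFC 5737 documentation addresses stand in for xxx/yyy), covering only the `a`, `mx`, `ip4` and `all` mechanisms with their `+ - ~ ?` qualifiers. It assumes RFC 7208 syntax, in which the IPv4 mechanism is spelled `ip4`, so the `ipv4:` spelling used in the replies above is treated as an unknown mechanism.

```python
import ipaddress

# Constructed DNS table standing in for live lookups (runs offline).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
DNS = {
    "mydomain.com": {"MX": ["mail.mydomain.com"]},
    "mail.mydomain.com": {"A": ["203.0.113.10"]},   # no MX record of its own
    "mail.provider1.com": {"A": ["198.51.100.5"]},
    "mail.provider2.com": {"A": ["198.51.100.6"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def mechanism_networks(mech, arg, domain):
    """Networks designated by one mechanism (a, mx or ip4); [] if none."""
    if mech == "ip4":
        return [ipaddress.ip_network(arg, strict=False)]
    host, _, cidr = arg.partition("/")
    host = host or domain
    hosts = [host] if mech == "a" else lookup(host, "MX")
    # 'a' needs a hostname: an IP literal has no A record, so it never matches
    return [ipaddress.ip_network(f"{ip}/{cidr or 32}", strict=False)
            for h in hosts for ip in lookup(h, "A")]

def check_spf(record, domain, sender_ip):
    """Evaluate sender_ip against record for domain; returns the SPF result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:            # modifiers (redirect=, exp=) not handled here
            continue
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return RESULT[qual]
        if mech not in ("a", "mx", "ip4"):
            return "permerror"     # unknown mechanism, e.g. the 'ipv4:' spelling
        if any(ip in net for net in mechanism_networks(mech, arg, domain)):
            return RESULT[qual]
    return "neutral"               # ran off the end without a match

ORIGINAL = ("v=spf1 mx a:mail.provider1.com a:mail.provider2.com "
            "a:203.0.113.99 mx:mail.mydomain.com ?all")
HARDENED = ("v=spf1 mx a:mail.provider1.com a:mail.provider2.com "
            "ip4:203.0.113.99/32 -all")
```

Running `check_spf(ORIGINAL, "mydomain.com", "203.0.113.99")` returns "neutral" because `a:` with an IP literal and `mx:mail.mydomain.com` (a host with no MX record) both match nothing and `?all` then applies, whereas the same IP passes under HARDENED and an unlisted IP fails.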
 