Mailing List Archive

Bind - issues with TXT and CNAME
Following a recent flood of bounces triggered by a pharmacy spammer
forging random addresses at two of my domains in their 'From:' lines,
I decided to move to SPF.

As a newbie to SPF and a non-expert in DNS, I used the SPF Wizard to
generate the relevant records. My zone file looks something like:

example.net. IN SOA ns.foobar.com. hostmaster.foobar.com. (
1068820938
10800
3600
604800
1D )
example.net. IN NS ns.foobar.com.
example.net. IN A 123.123.123.123
mail.example.net. IN CNAME example.net.
www.example.net. IN CNAME example.net.
example.net. IN MX 10 mail.example.net.
example.net. IN NS ns3.example.org.

and the SPF wizard recommended adding:

example.net. IN TXT "v=spf1 a mx -all"
mail.example.net. IN TXT "v=spf1 a -all"
ns.foobar.com. IN TXT "v=spf1 a -all"

('example.net' and 'ns.foobar.com' live at the same IP; 'example.net'
and 'foobar.com' are, of course, not their real names).

I added the TXT records, duly respecting the Wizard's warnings about
not making a TXT record the last thing in the zone file, and reloaded
the zone file.

This appeared to cause problems; the primary server for the domain
('ns.foobar.com') didn't seem to be giving back useful information
for that domain, and - to judge by the various SPF testers - the SPF
record didn't seem to have 'taken'.

I rolled back the zone file and re-inserted the records, this time
using a web-based DNS administration tool instead of 'vi'. When I
attempted to save the record:

mail.example.net. IN TXT "v=spf1 a -all"

The web-based tool objected, telling me that I couldn't create a TXT
record with the same identifier as an alias (i.e. a CNAME).

Leaving that record out and reloading the file appeared to resolve
the DNS issues and allow SPF to work correctly (according to the SPF
testers linked from POBox's SPF pages).

My questions are: was the Wizard wrong to recommend that particular
TXT record, and is my SPF setup complete without it? It seems -
thinking about it - as if the record would be redundant, and the
trace from the SPF tools appears to confirm this. But I'd like to be
sure that this is the case and that I have everything right before I
go SPF'ing my other domains.

Thanks, Angus

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: Bind - issues with TXT and CNAME
----- Original Message -----
From: "Angus McIntyre" <angus@pobox.com>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 21, 2004 5:46 PM
Subject: [spf-help] Bind - issues with TXT and CNAME


> Following a recent flood of bounces triggered by a pharmacy spammer
> forging random addresses at two of my domains in their 'From:' lines,
> I decided to move to SPF.
>
> As a newbie to SPF and a non-expert in DNS, I used the SPF Wizard to
> generate the relevant records. My zone file looks something like:
>
> example.net. IN SOA ns.foobar.com. hostmaster.foobar.com. (
> 1068820938
> 10800
> 3600
> 604800
> 1D )
> example.net. IN NS ns.foobar.com.
> example.net. IN A 123.123.123.123
> mail.example.net. IN CNAME example.net.
> www.example.net. IN CNAME example.net.
> example.net. IN MX 10 mail.example.net.
> example.net. IN NS ns3.example.org.
>
> and the SPF wizard recommended adding:
>
> example.net. IN TXT "v=spf1 a mx -all"
> mail.example.net. IN TXT "v=spf1 a -all"
> ns.foobar.com. IN TXT "v=spf1 a -all"
>
> ('example.net' and 'ns.foobar.com' live at the same IP; 'example.net'
> and 'foobar.com' are, of course, not their real names).
>
> I added the TXT records, duly respecting the Wizard's warnings about
> not making a TXT record the last thing in the zone file, and reloaded
> the zone file.
>
> This appeared to cause problems; the primary server for the domain
> ('ns.foobar.com') didn't seem to be giving back useful information
> for that domain, and - to judge by the various SPF testers - the SPF
> record didn't seem to have 'taken'.
>
> I rolled back the zone file and re-inserted the records, this time
> using a web-based DNS administration tool instead of 'vi'. When I
> attempted to save the record:
>
> mail.example.net. IN TXT "v=spf1 a -all"
>
> The web-based tool objected, telling me that I couldn't create a TXT
> record with the same identifier as an alias (i.e. a CNAME).
>
> Leaving that record out and reloading the file appeared to resolve
> the DNS issues and allow SPF to work correctly (according to the SPF
> testers linked from POBox's SPF pages).
>
> My questions are: was the Wizard wrong to recommend that particular
> TXT record, and is my SPF setup complete without it? It seems -
> thinking about it - as if the record would be redundant, and the
> trace from the SPF tools appears to confirm this. But I'd like to be
> sure that this is the case and that I have everything right before I
> go SPF'ing my other domains.


CNAMEs are generally a bad thing. Remove the CNAME record and insert a
proper A record for the "www." and "mail." and then you will find that
everything will work just fine :-) I notice that you added the TXT records
at the end of the file, so be sure there is a newline after the last one.
(see website)


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492

Re: Bind - issues with TXT and CNAME
On Sat, Aug 21, 2004 at 06:41:50PM +0200, jpinkerton wrote:
> CNAMEs are generally a bad thing. Remove the CNAME record and insert a
> proper A record for the "www." and "mail." and then you will find that
> everything will work just fine :-) I notice that you added the TXT records
> at the end of the file, so be sure there is a newline after the last one.
> (see website)

I disagree. There is nothing wrong with CNAMEs as long as you follow
the rules. A CNAME record must be the only record for a given
(sub)domain, meaning that there cannot exist a CNAME and a TXT for the
same domain.

If a CNAME exists for a domain that will be checked with SPF, the SPF
record of the domain the CNAME points to will be used.

Nothing wrong with CNAMEs.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: Bind - issues with TXT and CNAME
On Sat, Aug 21, 2004 at 11:46:58AM -0400, Angus McIntyre wrote:
>
> example.net. IN SOA ns.foobar.com. hostmaster.foobar.com. (
> 1068820938
> 10800
> 3600
> 604800
> 1D )
> example.net. IN NS ns.foobar.com.
> example.net. IN A 123.123.123.123
> mail.example.net. IN CNAME example.net.
> www.example.net. IN CNAME example.net.
> example.net. IN MX 10 mail.example.net.
> example.net. IN NS ns3.example.org.
>
> and the SPF wizard recommended adding:
>
> example.net. IN TXT "v=spf1 a mx -all"
> mail.example.net. IN TXT "v=spf1 a -all"
> ns.foobar.com. IN TXT "v=spf1 a -all"

OK, see my other post regarding CNAMEs; furthermore, I'd like to point
out that if you add another domain, e.g.:

some.example.net. IN A 1.2.3.4

then you need a TXT record for some.example.net too, or else spammers
might just use that domain. Furthermore, if you're really paranoid, you
might want to publish SPF for the wildcard (*) domain, just to protect
imakethisupasigo.example.net or whatever.example.net, although most
MTAs will reject mail from non-existent domains anyway.

Koen


--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
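As an added example (not code from any of the posts), a small Python zone-file linter that applies the two rules Koen states in his replies: a CNAME must be the only record at a name, and an SPF lookup on a CNAMEd name ends at the target's record; it also lists A-record hosts with no SPF of their own, his some.example.net point. The zone text is constructed to mirror the one in the thread and is parsed by a deliberately simple one-line-per-record parser.

```python
"""Zone-file sanity checks for the CNAME/SPF issues discussed in this thread.

Constructed example: parses zone lines like the ones Angus posted, then
applies two rules from Koen's replies:
  1. a CNAME must be the only record at a name (CNAME + TXT is invalid;
     BIND refuses to load a zone with "CNAME and other data");
  2. an SPF check on a CNAMEd name uses the SPF record of the CNAME target.
It also lists hostnames that have an A record but no SPF TXT of their own.
"""
import re
from collections import defaultdict

# Constructed zone snippet mirroring the thread (SOA/NS omitted for brevity).
ZONE = """
example.net.      IN A     123.123.123.123
mail.example.net. IN CNAME example.net.
www.example.net.  IN CNAME example.net.
example.net.      IN MX 10 mail.example.net.
example.net.      IN TXT   "v=spf1 a mx -all"
mail.example.net. IN TXT   "v=spf1 a -all"
some.example.net. IN A     1.2.3.4
"""

RR_RE = re.compile(r'^(\S+)\s+IN\s+(\S+)\s+(.*)$')


def parse_zone(text):
    """Return {owner: [(type, rdata), ...]} for simple one-line records."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = RR_RE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records[owner.lower()].append((rtype.upper(), rdata.strip()))
    return records


def is_spf(rtype, rdata):
    return rtype == 'TXT' and rdata.strip('"').startswith('v=spf1')


def cname_conflicts(records):
    """Names carrying a CNAME alongside any other record (forbidden by RFC 1034)."""
    return sorted(name for name, rrs in records.items()
                  if any(t == 'CNAME' for t, _ in rrs) and len(rrs) > 1)


def effective_spf(records, name, max_hops=8):
    """Follow CNAMEs from `name` (as a resolver would) and return the SPF that applies."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:                      # CNAME loop: no usable record
            return None
        seen.add(name)
        rrs = records.get(name, [])
        targets = [r for t, r in rrs if t == 'CNAME']
        if targets:                           # alias: the target's SPF is used
            name = targets[0].lower()
            continue
        spf = [r.strip('"') for t, r in rrs if is_spf(t, r)]
        return spf[0] if spf else None
    return None


def hosts_without_spf(records):
    """A-record hostnames with no SPF of their own (Koen's some.example.net point)."""
    return sorted(name for name, rrs in records.items()
                  if any(t == 'A' for t, _ in rrs)
                  and not any(is_spf(t, r) for t, r in rrs))


if __name__ == '__main__':
    z = parse_zone(ZONE)
    print('CNAME conflicts:', cname_conflicts(z))
    print('SPF for mail.example.net:', effective_spf(z, 'mail.example.net.'))
    print('hosts without SPF:', hosts_without_spf(z))
```

Running it flags mail.example.net. as the CNAME+TXT conflict the web tool rejected, and shows that its effective SPF is example.net.'s "v=spf1 a mx -all", which is why the extra TXT was redundant.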

RE: Bind - issues with TXT and CNAME
Can someone help me? I am a newbie and I don't know what the heck is going
on with this SPF stuff, forgery, etc.
I just want to set up my MX records, or what should I set up, MX or TXT? I
want something simple.
I am running Exchange only for my email purposes and no one else, a very
simple email server using Exchange.
Where and how? Thanks.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Koen Martens
Sent: Sunday, August 22, 2004 4:56 AM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] Bind - issues with TXT and CNAME

On Sat, Aug 21, 2004 at 06:41:50PM +0200, jpinkerton wrote:
> CNAMEs are generally a bad thing. Remove the CNAME record and insert
> a proper A record for the "www." and "mail." and then you will find
> that everything will work just fine :-) I notice that you added the
> TXT records at the end of the file, so be sure there is a newline
> after the last one.
> (see website)

I disagree. There is nothing wrong with CNAMEs as long as you follow
the rules. A CNAME record must be the only record for a given
(sub)domain, meaning that there cannot exist a CNAME and a TXT for the
same domain.

If a CNAME exists for a domain that will be checked with SPF, the SPF
record of the domain the CNAME points to will be used.

Nothing wrong with CNAMEs.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/ Networking, embedded
systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program can't read? Visit
http://www.openpgp.org/


RE: Bind - issues with TXT and CNAME
Can someone help me? I am a newbie and I don't know what the heck is going
on with this SPF stuff, forgery, etc.
I just want to set up my MX records, or what should I set up, MX or TXT? I
want something simple.
I am running Exchange only for my email purposes and no one else, a very
simple email server using Exchange.
Where and how? Thanks.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of jpinkerton
Sent: Sunday, August 22, 2004 2:42 AM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] Bind - issues with TXT and CNAME


----- Original Message -----
From: "Angus McIntyre" <angus@pobox.com>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 21, 2004 5:46 PM
Subject: [spf-help] Bind - issues with TXT and CNAME


> Following a recent flood of bounces triggered by a pharmacy spammer
> forging random addresses at two of my domains in their 'From:' lines,
> I decided to move to SPF.
>
> As a newbie to SPF and a non-expert in DNS, I used the SPF Wizard to
> generate the relevant records. My zone file looks something like:
>
> example.net. IN SOA ns.foobar.com. hostmaster.foobar.com. (
> 1068820938
> 10800
> 3600
> 604800
> 1D )
> example.net. IN NS ns.foobar.com.
> example.net. IN A 123.123.123.123
> mail.example.net. IN CNAME example.net.
> www.example.net. IN CNAME example.net.
> example.net. IN MX 10 mail.example.net.
> example.net. IN NS ns3.example.org.
>
> and the SPF wizard recommended adding:
>
> example.net. IN TXT "v=spf1 a mx -all"
> mail.example.net. IN TXT "v=spf1 a -all"
> ns.foobar.com. IN TXT "v=spf1 a -all"
>
> ('example.net' and 'ns.foobar.com' live at the same IP; 'example.net'
> and 'foobar.com' are, of course, not their real names).
>
> I added the TXT records, duly respecting the Wizard's warnings about
> not making a TXT record the last thing in the zone file, and reloaded
> the zone file.
>
> This appeared to cause problems; the primary server for the domain
> ('ns.foobar.com') didn't seem to be giving back useful information for
> that domain, and - to judge by the various SPF testers - the SPF
> record didn't seem to have 'taken'.
>
> I rolled back the zone file and re-inserted the records, this time
> using a web-based DNS administration tool instead of 'vi'. When I
> attempted to save the record:
>
> mail.example.net. IN TXT "v=spf1 a -all"
>
> The web-based tool objected, telling me that I couldn't create a TXT
> record with the same identifier as an alias (i.e. a CNAME).
>
> Leaving that record out and reloading the file appeared to resolve the
> DNS issues and allow SPF to work correctly (according to the SPF
> testers linked from POBox's SPF pages).
>
> My questions are: was the Wizard wrong to recommend that particular
> TXT record, and is my SPF setup complete without it? It seems -
> thinking about it - as if the record would be redundant, and the trace
> from the SPF tools appears to confirm this. But I'd like to be sure
> that this is the case and that I have everything right before I go
> SPF'ing my other domains.


CNAMEs are generally a bad thing. Remove the CNAME record and insert a
proper A record for the "www." and "mail." and then you will find that
everything will work just fine :-) I notice that you added the TXT
records at the end of the file, so be sure there is a newline after the
last one.
(see website)


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492


RE: Bind - issues with TXT and CNAME
You should go to one of the websites and run the wizard which creates the
TXT file for you, then you import that into your DNS record. The DNS
should be the public facing DNS server (maybe your ISP or whoever holds
your public MX record). This is not needed if the server is only for
internal use.

Here are two links, I found the MS one a little easier to understand for
me but they are basically the same.

http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx
http://spf.pobox.com/index.html

And a HOWTO for Win2000/2003 DNS servers:
http://www.jhsoft.com/tutor/spf.asp

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Bennyc
Sent: Saturday, August 21, 2004 11:32 PM
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] Bind - issues with TXT and CNAME

Can someone help me? I am a newbie and I don't know what the heck is going
on with this SPF stuff, forgery, etc.
I just want to set up my MX records, or what should I set up, MX or TXT? I
want something simple.
I am running Exchange only for my email purposes and no one else, a very
simple email server using Exchange.
Where and how? Thanks.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of jpinkerton
Sent: Sunday, August 22, 2004 2:42 AM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] Bind - issues with TXT and CNAME


----- Original Message -----
From: "Angus McIntyre" <angus@pobox.com>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 21, 2004 5:46 PM
Subject: [spf-help] Bind - issues with TXT and CNAME


> Following a recent flood of bounces triggered by a pharmacy spammer
> forging random addresses at two of my domains in their 'From:' lines,
> I decided to move to SPF.
>
> As a newbie to SPF and a non-expert in DNS, I used the SPF Wizard to
> generate the relevant records. My zone file looks something like:
>
> example.net. IN SOA ns.foobar.com. hostmaster.foobar.com. (
> 1068820938
> 10800
> 3600
> 604800
> 1D )
> example.net. IN NS ns.foobar.com.
> example.net. IN A 123.123.123.123
> mail.example.net. IN CNAME example.net.
> www.example.net. IN CNAME example.net.
> example.net. IN MX 10 mail.example.net.
> example.net. IN NS ns3.example.org.
>
> and the SPF wizard recommended adding:
>
> example.net. IN TXT "v=spf1 a mx -all"
> mail.example.net. IN TXT "v=spf1 a -all"
> ns.foobar.com. IN TXT "v=spf1 a -all"
>
> ('example.net' and 'ns.foobar.com' live at the same IP; 'example.net'
> and 'foobar.com' are, of course, not their real names).
>
> I added the TXT records, duly respecting the Wizard's warnings about
> not making a TXT record the last thing in the zone file, and reloaded
> the zone file.
>
> This appeared to cause problems; the primary server for the domain
> ('ns.foobar.com') didn't seem to be giving back useful information for
> that domain, and - to judge by the various SPF testers - the SPF
> record didn't seem to have 'taken'.
>
> I rolled back the zone file and re-inserted the records, this time
> using a web-based DNS administration tool instead of 'vi'. When I
> attempted to save the record:
>
> mail.example.net. IN TXT "v=spf1 a -all"
>
> The web-based tool objected, telling me that I couldn't create a TXT
> record with the same identifier as an alias (i.e. a CNAME).
>
> Leaving that record out and reloading the file appeared to resolve the
> DNS issues and allow SPF to work correctly (according to the SPF
> testers linked from POBox's SPF pages).
>
> My questions are: was the Wizard wrong to recommend that particular
> TXT record, and is my SPF setup complete without it? It seems -
> thinking about it - as if the record would be redundant, and the trace
> from the SPF tools appears to confirm this. But I'd like to be sure
> that this is the case and that I have everything right before I go
> SPF'ing my other domains.


CNAMEs are generally a bad thing. Remove the CNAME record and insert a
proper A record for the "www." and "mail." and then you will find that
everything will work just fine :-) I notice that you added the TXT
records at the end of the file, so be sure there is a newline after the
last one.
(see website)


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492







Re: Bind - issues with TXT and CNAME
dnsreport.com says: "Some domains have a CNAME record for their WWW server
that requires an extra DNS lookup, which slightly delays the initial access
to the website and uses extra bandwidth."

It's not much - but we need all the help we can get ;-)


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492

----- Original Message -----
From: "Koen Martens" <spf@metro.cx>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 21, 2004 8:59 PM
Subject: Re: [spf-help] Bind - issues with TXT and CNAME


> On Sat, Aug 21, 2004 at 11:46:58AM -0400, Angus McIntyre wrote:
> >
> > example.net. IN SOA ns.foobar.com. hostmaster.foobar.com. (
> > 1068820938
> > 10800
> > 3600
> > 604800
> > 1D )
> > example.net. IN NS ns.foobar.com.
> > example.net. IN A 123.123.123.123
> > mail.example.net. IN CNAME example.net.
> > www.example.net. IN CNAME example.net.
> > example.net. IN MX 10 mail.example.net.
> > example.net. IN NS ns3.example.org.
> >
> > and the SPF wizard recommended adding:
> >
> > example.net. IN TXT "v=spf1 a mx -all"
> > mail.example.net. IN TXT "v=spf1 a -all"
> > ns.foobar.com. IN TXT "v=spf1 a -all"
>
> OK, see my other post regarding CNAMEs; furthermore, I'd like to point
> out that if you add another domain, e.g.:
>
> some.example.net. IN A 1.2.3.4
>
> then you need a TXT record for some.example.net too, or else spammers
> might just use that domain. Furthermore, if you're really paranoid, you
> might want to publish SPF for the wildcard (*) domain, just to protect
> imakethisupasigo.example.net or whatever.example.net, although most
> MTAs will reject mail from non-existent domains anyway.
>
> Koen
>
>
> --
> K.F.J. Martens, Sonologic, http://www.sonologic.nl/
> Networking, embedded systems, unix expertise, artificial intelligence.
> Public PGP key: http://www.metro.cx/pubkey-gmc.asc
> Wondering about the funny attachment your mail program
> can't read? Visit http://www.openpgp.org/
>
