Mailing List Archive

SPF beginner
Hi,

I'm just learning how to set up an SPF record for our domains. Fortunately, we're using
BIND, and the DNS updates for a few hundred domains might not be a nightmare.

This is an example:

The domain martinschaible.ch has a mail server called mail.merlinconsulting.ch.

The SPF record for BIND looks like this:

martinschaible.ch. IN TXT "v=spf1 mx ptr -all"

My questions are:
- Subdomains like my.martinschaible.ch are included by the ptr switch. Is this a
chance for a spammer to create a fake sender, e.g. myspam.martinschaible.ch?

- What happens if I have to use a different SMTP server on a business trip? Let's say I
use a local ISP in Japan and I must use their servers to send/receive mail. This means I have to change the record
to martinschaible.ch. IN TXT "v=spf1 mx ptr -all include:sushi.com". If so, this doesn't look
very practical...

Thanks a lot.




--

Kind regards

--------------------------------------------
Merlin Consulting
Martin Schaible
Bahnhofstrasse 27
CH-8702 Zollikon

Phone: +41 1 391 30 00
Fax: +41 1 391 32 49

Mail: mailto:wizard@merlinconsulting.ch
URL: http://www.merlinconsulting.ch
Support: http://support.merlinconsulting.ch

GPS: N47 20.235 E8 34.226
--------------------------------------------
News - New products:

.:. Kiwi Syslog Monitor
.:. Paessler GmbH
.:. Sawmill Loganalyzer
--------------------------------------------

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: SPF beginner
Hello,

On Sat, Sep 11, 2004 at 02:04:21AM +0200, Martin Schaible wrote:
> I'm just learning how to set up an SPF record for our domains. Fortunately, we're using
> BIND, and the DNS updates for a few hundred domains might not be a nightmare.
>
> This is an example:
>
> The domain martinschaible.ch has a mail server called mail.merlinconsulting.ch.
>
> The SPF record for BIND looks like this:
>
> martinschaible.ch. IN TXT "v=spf1 mx ptr -all"
>
> My questions are:
> - Subdomains like my.martinschaible.ch are included by the ptr switch. Is this a
> chance for a spammer to create a fake sender, e.g. myspam.martinschaible.ch?

Well, the ptr mechanism works as follows: all the PTR records for the
client IP are looked up. Then all the A records for those PTR records
are looked up, and if one of these ends in martinschaible.ch AND its IP
matches the client IP, then the mechanism matches.

So a spammer would need to be able to modify the DNS server for
martinschaible.ch to abuse the ptr mechanism, at which point you have
far greater troubles, IMHO.

> - What happens if I have to use a different SMTP server on a business trip? Let's say I
> use a local ISP in Japan and I must use their servers to send/receive mail. This means I have to change the record
> to martinschaible.ch. IN TXT "v=spf1 mx ptr -all include:sushi.com". If so, this doesn't look
> very practical...

This is as impractical as you think, what with all the DNS caching
going on all around and so on. I think you really want to get some submission
service up on your own MTAs, which you can use from abroad. Some
examples: SMTP AUTH, webmail, ...

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: SPF beginner
Interesting point, Koen... I have ptr in my SPF TXT
definition, but the reverse lookup of my IP does
not resolve to my domain; it resolves to the uu.net
node name:

user@host:$ host 66.58.75.122
122.75.58.66.in-addr.arpa domain name pointer
node-423a4b7a.sna.onnet.us.uu.net.

In order to make sure my SPF entry works correctly,
should I remove ptr from my TXT entry?

user@host:$ grep TXT /var/named/pirk.com
IN TXT "v=spf1 ip4:66.58.75.122 a mx ptr ~all"

--
Steve


Re: SPF beginner
Hi Steve,

You can greatly simplify your SPF record to "v=spf1 a ~all"; let's see
why:

a resolves pirk.com and checks if the client IP matches the IP for
pirk.com; pirk.com resolves to 66.58.75.122.

The ip4 mechanism mentions this IP explicitly, which is already covered
by the 'a'. The a mechanism is shorter in this case, so you'd better
leave out the ip4 mech.

Furthermore, you have the mx mechanism. An MX lookup for pirk.com
returns orion.pirk.com, which in turn resolves to 66.58.75.122 again, so
it is already covered by the 'a'.

Now for the ptr: it is irrelevant, as indeed none of the PTR records for
66.58.75.122 end in pirk.com.

Koen

On Sun, Sep 12, 2004 at 02:00:34PM -0700, Steve Pirk wrote:
> Interesting point, Koen... I have ptr in my SPF TXT
> definition, but the reverse lookup of my IP does
> not resolve to my domain; it resolves to the uu.net
> node name:
>
> user@host:$ host 66.58.75.122
> 122.75.58.66.in-addr.arpa domain name pointer
> node-423a4b7a.sna.onnet.us.uu.net.
>
> In order to make sure my SPF entry works correctly,
> should I remove ptr from my TXT entry?
>
> user@host:$ grep TXT /var/named/pirk.com
> IN TXT "v=spf1 ip4:66.58.75.122 a mx ptr ~all"
>
> --
> Steve
>

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

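As an added illustration (not code from the thread or from any SPF library), the stub evaluator below implements the ptr rule Koen describes in his first reply and the ip4, a and mx mechanisms he walks through in his second, against a constructed in-memory DNS table instead of live lookups. The 203.0.113.5 entry and its PTR name are hypothetical, added to show why a reverse-DNS name alone does not satisfy ptr; the evaluator also goes a little beyond the thread by handling qualifiers (pass, fail, softfail, neutral).

```python
import ipaddress

# Constructed in-memory DNS data modelled on the thread (hypothetical values).
A = {
    "pirk.com": ["66.58.75.122"], "orion.pirk.com": ["66.58.75.122"],
    "node-423a4b7a.sna.onnet.us.uu.net": ["66.58.75.122"],
    "mail.merlinconsulting.ch": ["192.0.2.10"],
}
MX = {"pirk.com": ["orion.pirk.com"],
      "martinschaible.ch": ["mail.merlinconsulting.ch"]}
PTR = {
    "66.58.75.122": ["node-423a4b7a.sna.onnet.us.uu.net"],
    "192.0.2.10": ["mail.merlinconsulting.ch"],
    # Hypothetical host whose reverse DNS claims a martinschaible.ch name but
    # which has no forward A record in that zone (the case Martin asked about).
    "203.0.113.5": ["myspam.martinschaible.ch"],
}

def ptr_matches(client_ip, domain):
    """ptr: a PTR name counts only if it ends in <domain> AND its A record
    resolves back to the client IP, exactly as Koen describes."""
    for name in PTR.get(client_ip, []):
        in_domain = name == domain or name.endswith("." + domain)
        if in_domain and client_ip in A.get(name, []):
            return True
    return False

def mechanism_matches(mech, client_ip, domain):
    if mech.startswith("ip4:"):
        net = ipaddress.ip_network(mech[4:], strict=False)
        return ipaddress.ip_address(client_ip) in net
    if mech == "a":
        return client_ip in A.get(domain, [])
    if mech == "mx":
        return any(client_ip in A.get(h, []) for h in MX.get(domain, []))
    if mech == "ptr":
        return ptr_matches(client_ip, domain)
    raise ValueError("unsupported mechanism: " + mech)

def check_host(record, client_ip, domain):
    """Evaluate one spf1 record left to right; the first matching term decides."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an spf1 record")
    for term in terms[1:]:
        qualifier, mech = ("+", term)
        if term[0] in results:
            qualifier, mech = term[0], term[1:]
        if mech == "all" or mechanism_matches(mech, client_ip, domain):
            return results[qualifier]
    return "neutral"  # nothing matched and no "all" term was present
```

Because evaluation stops at the first matching term, a record such as "v=spf1 mx ptr -all include:sushi.com" never reaches the include: the -all decides first.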
Re: SPF beginner
Thanks Koen! Makes perfect sense now :-)

--
Steve

On Sun, 12 Sep 2004, Koen Martens wrote:

> Hi Steve,
>
> You can greatly simplify your SPF record to "v=spf1 a ~all"; let's see
> why:
>
> a resolves pirk.com and checks if the client IP matches the IP for
> pirk.com; pirk.com resolves to 66.58.75.122.
>
> The ip4 mechanism mentions this IP explicitly, which is already covered
> by the 'a'. The a mechanism is shorter in this case, so you'd better
> leave out the ip4 mech.
>
> Furthermore, you have the mx mechanism. An MX lookup for pirk.com
> returns orion.pirk.com, which in turn resolves to 66.58.75.122 again, so
> it is already covered by the 'a'.
>
> Now for the ptr: it is irrelevant, as indeed none of the PTR records for
> 66.58.75.122 end in pirk.com.
>
> Koen
>
