Kenneth Roberts wrote:
> What is the sending IP, the address of the email server
> or the address of the host originating the mail?
You need all IPs of hosts talking to me when you send
mail to me. You have already found out that these IPs
must be public IPs, not the private IPs behind NAT in
a LAN.
After that it depends, if you send mails always using
one mail provider, e.g., Google Apps, then you need
the sending IPs of Google Apps. They make that easy,
you can include their policy in your policy, compare
<http://www.openspf.org/Frank_Ellermann/Google>
Extending that example, maybe you sometimes also send
mails directly from your "originating hosts" without
using a mail provider such as Google Apps.
Then you'd add the IPs of these hosts to your record.
Because you are in a NATted LAN you'd use the public
IP(s) of this LAN. If this public IP changes often
you likely use DynDNS or a similar provider for your
domain. Then you can write a:your.domain.example in
your SPF record, that covers the public address(es)
of your domain, IPv4 and IPv6.
Putting it all together (Google Apps and your hosts)
you could arrive at (TXT for your.domain.example.):
"v=spf1 a include:aspmx.googlemail.com ~all"
If you have another provider for outbound mail use
another include. If you have more than one provider
use more than one include. And if one of your mail
providers does not offer an "include" it starts to
get interesting - you cannot include something that
doesn't exist.
OTOH this is 2008, more than four years after SPF
was launched, mail providers forcing you to "guess"
their sending IPs are lethally clueless. Guessing
can be fairly simple, but when it's not maybe you
would prefer to find a competent mail provider.
An example how guessing in theory works, with your message:
<http://article.gmane.org/gmane.mail.spam.spf.help/6287/raw>
| Original-Received: from theibn.com (unknown [67.116.23.194])
| by cygnus.listbox.com (Postfix) with ESMTP id 29D4D93 for
| <spf-help@v2.listbox.com>; Sat, 19 Jul 2008 17:34:18 -0400
Your sending IP in this case was 67.116.23.194.
Checking what names have this IP I find one name:
mail-1.theibn.com
From your message I can't tell which MAIL FROM
addresses you typically use, let's say it's
user@ibn2.com
ibn2.com has two inbound MX servers, cuda-2.ibnto.com
and cuda-1.theibn.com. Often inbound and outbound
services are related, but none of the 2*3=6 IPs for
the inbound servers matches your outbound IP in your
mail. Forced to guess with zero knowledge of your
network I'd try this:
"v=spf1 mx ip4:67.116.20.0/22 ~all"
Based on that ask your admins if they have 1024 IPs,
they will ask back what you are smoking. It covers
all IPs from 67.116.20.0 to 67.116.23.255 (I think,
better check this... :-)
Based on "there are cuda-1 and cuda-2 and mail-1, so
maybe there is also mail-2" you'd find that this is
the case, and a far better SPF record might be:
"v=spf1 a:mail-1.theibn.com a:mail-2.theibn.com ~all"
That removes the expensive MXs assuming that they
are strictly inbound, and never send MAIL FROM you.
The MXs might bounce, but bounces MUST use an empty
MAIL FROM, and you can ignore that for now wrt SPF.
Frank
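As an added illustration (not part of Frank's post), the following Python evaluates the SPF records discussed above against a sending IP, using a constructed DNS table instead of real lookups: the host names and the 67.116.x addresses are taken from the message, while the 192.0.2.x / 198.51.100.x addresses, the mail-2 address and the Google include policy are placeholders.

```python
import ipaddress
# Constructed DNS data for this worked example (no real lookups are made).
# Host names and the 67.116.x addresses come from the message above; the
# 192.0.2.x / 198.51.100.x values and the mail-2 address are placeholders.
DNS = {
    ("your.domain.example", "A"): ["198.51.100.7"],
    ("ibn2.com", "MX"): ["cuda-1.theibn.com", "cuda-2.ibnto.com"],
    ("cuda-1.theibn.com", "A"): ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    ("cuda-2.ibnto.com", "A"): ["192.0.2.20", "192.0.2.21", "192.0.2.22"],
    ("mail-1.theibn.com", "A"): ["67.116.23.194"],
    ("mail-2.theibn.com", "A"): ["67.116.23.195"],
    ("aspmx.googlemail.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name):
    """A records of a host, from the constructed table."""
    return [ipaddress.ip_address(ip) for ip in DNS.get((name, "A"), [])]

def cidr_range(cidr):
    """First address, last address and size of a CIDR block (sanity check)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses

def check_spf(record, sender_ip, domain):
    """Evaluate a, mx, ip4, include and all for one IP; returns the SPF result."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":               # a or a:host
            matched = ip in host_ips(arg or domain)
        elif mech == "mx":              # every A of every MX host
            matched = any(ip in host_ips(mx) for mx in DNS.get((arg or domain, "MX"), []))
        elif mech == "include":         # only a 'pass' of the included policy matches
            matched = check_spf(DNS[(arg, "TXT")][0], sender_ip, arg) == "pass"
        else:
            raise ValueError("unsupported mechanism: " + mech)
        if matched:
            return RESULTS[qual]
    return "none"                       # no mechanism matched, no 'all' present
```

With this table the first guess "v=spf1 mx ~all" softfails 67.116.23.194 (the MX addresses are inbound only), while both the /22 guess and the a:mail-1/a:mail-2 record pass it.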