Mailing List Archive

Help verify my SPF record
Hi All,
First time I've set SPF records for a domain so I'd appreciate some
input/oversight :-) Could someone verify that I've added everything
correctly?
domain is altaplanning.com

Our e-mail is handled by Google Apps so I'm following their instructions
(here: http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786) and
using include:aspmx.googlemail.com

We send newsletters and announcements through a mailing service so I've
included their IP addresses and server (instructions here:
http://www.icontact.com/help/question.php?ID=145) using:
ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
ip4:216.27.93.0/25 a:icpbounce.com

A form on our website <http://www.altaplanning.com> will also generate
messages to our staff so I've included that server as:
a:DED041.maximumasp.local (pulled this from the message header of a message
I received from the website... I don't think it's right- should it be a
.local address?)

We also have another web host that I occasionally generate messages from
and I've included it as: a:mirach.lunarpages.com

So the final SPF record looks like this:
v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
ip4:216.27.93.0/25 a:icpbounce.com a:mirach.lunarpages.com
a:DED041.maximumasp.local include:aspmx.googlemail.com ~all

Did I get it right? Input appreciated!

Thanks,
Benjamin


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: Help verify my SPF record
On Tue, Apr 14, 2009 at 04:06, Benjamin Doyle <bendoyle@altaplanning.com> wrote:
> So the final SPF record looks like this:
> v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
> ip4:216.27.93.0/25 a:icpbounce.com a:mirach.lunarpages.com
> include:aspmx.googlemail.com ~all
>
> Did I get it right? Input appreciated!

.local addresses aren't visible across the Internet, so you can drop
that one until you identify its real IP address (not 192.168.x.x,
10.x.x.x or 172.16.x.x-172.31.x.x).

With that removed the record does validate. However, you'd be better
off listing those remaining 'a' entries as IP addresses if you can:

v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
ip4:216.27.93.0/25 ip4:216.27.93.32 ip4:216.97.235.70
include:aspmx.googlemail.com ~all

At that point it becomes apparent that icpbounce.com is inside an IP
range you've already listed, so:

v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
ip4:216.27.93.0/25 ip4:216.27.93.32 ip4:216.97.235.70
include:aspmx.googlemail.com ~all

Finally, if you wanted to lose another DNS lookup the following is identical:

v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
ip4:216.27.93.0/25 ip4:216.27.93.32 ip4:216.97.235.70
include:_spf.google.com ~all

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


Re: Help verify my SPF record
Thanks Rob!
The main website host (maximumasp) doesn't seem to care for SPF records (their
help article <http://www.maximumasp.com/support/kb/article.aspx?article=819>)
so I don't think I'll get an accurate IP range for them. Thanks for helping
to clear up the other records!

A big question I've had through this whole process... can there only be one
include: entry in the record? The Setup Wizard
<http://old.openspf.org/wizard.html> was leading me to believe so, but is
there ever a case that you'd want to have more than one include: and is it
possible?

Cheers,
Benjamin

On Mon, Apr 13, 2009 at 10:59 PM, Rob MacGregor <rob.macgregor@gmail.com> wrote:

> On Tue, Apr 14, 2009 at 04:06, Benjamin Doyle <bendoyle@altaplanning.com>
> wrote:
> > So the final SPF record looks like this:
> > v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
> > ip4:216.27.93.0/25 a:icpbounce.com a:mirach.lunarpages.com
> > include:aspmx.googlemail.com ~all
> >
> > Did I get it right? Input appreciated!
>
> .local addresses aren't visible across the Internet, so you can drop
> that one until you identify its real IP address (not 192.168.x.x,
> 10.x.x.x or 172.16.x.x-172.31.x.x).
>
> With that removed the record does validate. However, you'd be better
> off listing those remaining 'a' entries as IP addresses if you can:
>
> v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
> ip4:216.27.93.0/25 ip4:216.27.93.32 ip4:216.97.235.70
> include:aspmx.googlemail.com ~all
>
> At that point it becomes apparent that icpbounce.com is inside an IP
> range you've already listed, so:
>
> v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
> ip4:216.27.93.0/25 ip4:216.27.93.32 ip4:216.97.235.70
> include:aspmx.googlemail.com ~all
>
> Finally, if you wanted to lose another DNS lookup the following is
> identical:
>
> v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27
> ip4:216.27.93.0/25 ip4:216.27.93.32 ip4:216.97.235.70
> include:_spf.google.com ~all
>
> --
> Please keep list traffic on the list.
>
> Rob MacGregor
> Whoever fights monsters should see to it that in the process he
> doesn't become a monster. Friedrich Nietzsche
>


Re: Help verify my SPF record
On Tue, 14 Apr 2009 13:05:07 -0700 Benjamin Doyle
<bendoyle@altaplanning.com> wrote:
>A big question I've had through this whole process... can there only be one
>include: entry in the record?

No. The processing limits are related to total DNS lookups and are
described in RFC 4408 10.1. It's somewhat complex to evaluate by hand.
The tests at http://www.kitterman.com/spf/validate.html will give you an
error if you exceed the limit.

Scott K


Re: Help verify my SPF record
On Tue, Apr 14, 2009 at 21:05, Benjamin Doyle <bendoyle@altaplanning.com> wrote:
> Thanks Rob!
> The main website host (maximumasp) doesn't seem to care for SPF records (their
> help article <http://www.maximumasp.com/support/kb/article.aspx?article=819>)
> so I don't think I'll get an accurate IP range for them. Thanks for helping
> to clear up the other records!

I'd ask them for help - that they don't check SPF (and won't set up
SPF records for you) doesn't mean they can't tell you what IP ranges
they send from.

> A big question I've had through this whole process... can there only be one
> include: entry in the record? The Setup Wizard
> <http://old.openspf.org/wizard.html> was leading me to believe so, but is
> there ever a case that you'd want to have more than one include: and is it
> possible?

You can have, and many people do have, multiple include: tags. As
Scott said, there's a limit of 10 DNS lookups and his tool can help
you validate proposed records.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
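
An offline lint for the records discussed in this thread, added here as an example and not code from any of the posters: it counts the top-level terms that cost a DNS lookup against the limit of 10, and flags .local names and ip4 entries that are redundant or have host bits set. The name lint_spf and the finding texts are assumptions of this example; lookups made inside include: targets also count toward the limit and need live DNS, which this code does not query.

```python
import ipaddress

# Terms that cost a DNS lookup (RFC 4408 section 10.1 allows 10 in total).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Records from the thread, joined onto one line each.
ORIGINAL = ("v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27 "
            "ip4:216.27.93.0/25 a:icpbounce.com a:mirach.lunarpages.com "
            "a:DED041.maximumasp.local include:aspmx.googlemail.com ~all")
SUGGESTED = ("v=spf1 ip4:74.202.227.32/27 ip4:216.27.84.64/27 ip4:66.192.165.130/27 "
             "ip4:216.27.93.0/25 ip4:216.27.93.32 ip4:216.97.235.70 "
             "include:_spf.google.com ~all")

def lint_spf(record):
    """Return (top_level_lookup_count, findings) without touching DNS."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["record does not start with v=spf1"]
    lookups, findings, nets = 0, [], []
    for term in terms[1:]:
        body = term.lstrip("+-~?")          # drop the qualifier
        name, sep, arg = body.partition(":")
        if not sep:                         # modifiers use "=", e.g. redirect=
            name, sep, arg = body.partition("=")
        name = name.split("/")[0].lower()   # bare "a/24" or "mx/24"
        if name in LOOKUP_TERMS:
            lookups += 1
            if arg.split("/")[0].lower().endswith(".local"):
                findings.append(f"{term}: .local name does not resolve on the Internet")
        elif name == "ip4":
            try:
                net = ipaddress.IPv4Network(arg, strict=False)
            except ValueError:
                findings.append(f"{term}: not a valid IPv4 network")
                continue
            if "/" in arg and str(net) != arg:
                findings.append(f"{term}: host bits set, network is {net}")
            if net.is_private:
                findings.append(f"{term}: private or reserved range")
            nets.append((term, net))
    for term, net in nets:                  # ip4 entries inside a wider listed range
        for other_term, other in nets:
            if net != other and net.subnet_of(other):
                findings.append(f"{term}: already covered by {other_term}")
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {LOOKUP_LIMIT}")
    return lookups, findings
```
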

