Great information here.
In answer to Alan's question "{i do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though??, your server is listed as 2nd preference of 3}".
This is the suggested configuration of dyndns.org, since they are "supposed" to be providing some spam and virus filtering and then forwarding on to my MX server.
As Alan mentioned, my MTA does ignore the inbound forgeries when it is operating alone. I only have the problem when attempting to use an "outside" "backup MX server".
So, based on all the good responses I have been getting, I may change my mind on "backup MX servers" that are "not under my control".
-----Original Message-----
From: alan [mailto:spfdiscuss@alandoherty.net]
Sent: Monday, February 15, 2010 10:57 AM
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] trouble with spoofed email spf not working
At 14:43 15/02/2010 Monday, Vic wrote:
>> I am curious how you might
>> advise being able to create some redundancy for your mail server without
>> creating this problem.
Simply ensure that your backup MXs enforce an identical policy for incoming mail to your primaries
{backup MXs not under your direct administrative control should never be used}
i.e. ensure all use the same DNSBLs
ensure all reject {not bounce} mail to non-existent addresses
ensure all enforce the same SPF checks on inbound email
ensure all perform identical content-based filtering {if any}
as for your original question {how to block inbound forgeries of your own domain}, SPF isn't even needed for this
{SPF checking is for blocking inbound forgeries of SPF-publishing domains, whether yours publishes SPF or not}
your MTAs should by policy be able to block all external senders claiming to be you regardless of SPF
{as your own users should only be sending outbound/internal via your submission server {could be the same machine/server, but it's on port 587 and authenticated, not 25}}
so even internal > internal will never be arriving from 'outside'
as for the SPF record
v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all
what Vic said
as according to headers
Received: from month.salem.k12.va.us (month.salem.k12.va.us [67.221.119.199]
so a:month is a syntax error, and a:month.salem.k12.va.us == ip4:67.221.119.199/32, so it is unnecessary, and as it's in your own domain it's unlikely to move without your knowledge
mx:salem.k12.va.us == a:mx1.mailhop.org. a:month.salem.k12.va.us a:mx2.mailhop.org.
so it could be better/faster written/read as
v=spf1 ip4:67.221.119.199/32 a:mx1.mailhop.org a:mx2.mailhop.org ~all
if and only if you send mail out to the Internet via these mailhop.org servers
{it's unusual for backup MXs to be used for outbound mail in any way}
{I do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though?? Your server is listed as 2nd preference of 3}
-------------------------------------------
Sender Policy Framework:
http://www.openspf.org
Modify Your Subscription:
http://www.listbox.com/member/
Archives:
https://www.listbox.com/member/archive/1020/=now
RSS Feed:
https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox:
http://www.listbox.com
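The two points Alan makes above, that the original record is a syntax error because of `a:month` while the rewritten one is equivalent, and that forgeries of your own domain can be rejected on port 25 before SPF is even consulted, can be checked offline with a small evaluator. The following is an added example written for this thread; it is not code from the list, from openspf.org or from the domains mentioned. Every DNS answer comes from a constructed stub (the mailhop.org addresses are made up, in RFC 5737 documentation space; only the month.salem.k12.va.us address is taken from the quoted Received: header), `OWN_RELAYS` is an assumed allowlist of hosts permitted to present the local domain on port 25, and only the mechanisms the thread uses (`ip4`, `a`, `mx`, `all`) are implemented, with no `include`/`redirect`, macros, `ip6`, `ptr`, `exists` or lookup limits. It also runs a third-party domain through the same policy to show the SPF path, which the thread does not spell out.

```python
"""Offline SPF evaluator and port-25 inbound policy check (added example).

DNS comes from the constructed stub below; only ip4/a/mx/all are
implemented, so this illustrates RFC 4408 semantics and is not a
replacement for a real SPF library.
"""
import ipaddress

# Constructed DNS data. Only month.salem.k12.va.us's address comes from
# the Received: header quoted in the thread; the rest is assumed.
FAKE_DNS = {
    ("month.salem.k12.va.us", "A"): ["67.221.119.199"],
    ("mx1.mailhop.org", "A"): ["198.51.100.10"],
    ("mx2.mailhop.org", "A"): ["198.51.100.11"],
    ("salem.k12.va.us", "MX"): ["mx1.mailhop.org",
                                "month.salem.k12.va.us",
                                "mx2.mailhop.org"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a resolver; returns [] for anything the stub lacks."""
    return FAKE_DNS.get((name.rstrip("."), rtype), [])


def ip_in(ip, addr, prefix="32"):
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net


def parse(record):
    """Validate the whole record before evaluating any of it (RFC 4408).

    A syntax error anywhere makes the record unusable, which is why
    'a:month' breaks the thread's original record even though the ip4
    term before it would have matched the sending host.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech not in ("all", "ip4", "a", "mx"):
            raise ValueError(f"unsupported mechanism: {mech}")
        if mech == "ip4" and not arg:
            raise ValueError("ip4 needs an address")
        # domain-spec must end in a top label: "month" alone does not
        if mech in ("a", "mx") and arg and "." not in arg.strip("."):
            raise ValueError(f"{mech}:{arg} is not a fully qualified name")
        parsed.append((qual, mech, arg.rstrip(".")))
    return parsed


def check_host(ip, domain, record):
    """SPF result for a connection from `ip` with MAIL FROM in `domain`."""
    try:
        terms = parse(record)
    except ValueError:
        return "permerror"
    for qual, mech, arg in terms:
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            addr, _, prefix = arg.partition("/")
            matched = ip_in(ip, addr, prefix or "32")
        elif mech == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        else:  # mx: every A record of every MX host of the target
            hosts = lookup(arg or domain, "MX")
            matched = any(ip_in(ip, a) for h in hosts for a in lookup(h, "A"))
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no 'all' term: RFC 4408 default


OWN_DOMAIN = "salem.k12.va.us"
# Assumed allowlist: internal relays that may present OWN_DOMAIN on port
# 25. Users submit on 587 with authentication, so nothing else should.
OWN_RELAYS = {"67.221.119.199"}


def inbound_policy(connecting_ip, mail_from_domain, record):
    """Port-25 policy from the thread: our own domain from any outside
    host is rejected before SPF is consulted; other domains get SPF."""
    if mail_from_domain.lower() == OWN_DOMAIN and connecting_ip not in OWN_RELAYS:
        return "reject: outside host claiming local domain"
    result = check_host(connecting_ip, mail_from_domain, record)
    if result == "fail":
        return "reject: SPF fail"
    return f"accept ({result})"


ORIGINAL = "v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all"
SIMPLIFIED = "v=spf1 ip4:67.221.119.199/32 a:mx1.mailhop.org a:mx2.mailhop.org ~all"

if __name__ == "__main__":
    for ip in ("67.221.119.199", "198.51.100.10", "203.0.113.5"):
        print(ip, check_host(ip, OWN_DOMAIN, ORIGINAL), check_host(ip, OWN_DOMAIN, SIMPLIFIED))
    # a forgery relayed by the backup MX still arrives from an outside host
    print(inbound_policy("198.51.100.10", OWN_DOMAIN, SIMPLIFIED))
```

The last call is the case Vic describes: a forged message claiming salem.k12.va.us that the backup MX accepted and relayed arrives from a mailhop.org address, so a primary that checks SPF against the connecting IP cannot fault it, but the "own domain from outside" rule rejects it regardless. The backup MX would have to apply the same rule to stop the forgery before it is queued, which is the point of Alan's "identical policy" requirement.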