Mailing List Archive

SPF, SID and LONG records
I have submitted once before about this and I think I have cleared up MOST of my issues however I am still getting a SPF neutral when submitting my test messages to the port25 checking tool, which I also use for DK and DKIM

All ip's in this record have PTR and are a records of xdomain.com

gvomail.com. 192 IN TXT "spf2.0/pra include:_sid1.gvomail.com include:_sid2.gvomail.com ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 ip4:.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 a ptr mx -all"
gvomail.com. 192 IN TXT "v=spf1 include:_spf1.gvomail.com include:_spf2.gvomail.com ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 ip4:.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 a ptr mx -all"

_spf1.gvomail.com. 300 IN TXT "v=spf1 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ptr a mx -all"

_sid1.gvomail.com. 300 IN TXT "spf2.0/pra ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ptr a mx -all"

_spf2.gvomail.com. 300 IN TXT "v=spf1 ip4:12.132.193.208/28 ip4:12.132.193.224/28 ip4:12.132.193.240/30 ip4:12.132.193.244/31 ptr a mx -all"

_sid2.gvomail.com. 300 IN TXT "spf2.0/pra ip4:12.132.193.208/28 ip4:12.132.193.224/28 ip4:12.132.193.240/30 ip4:12.132.193.244/31 ptr a mx -all"

The problem is that I get this response when sending the test engine mail, not all the time but a LOT of the time. Sorry for the length but I wanted to be sure I was being as verbose as possible.

==========================================================
Summary of Results
==========================================================
SPF check: neutral
DomainKeys check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname: g20.gvomail.com
Source IP: 12.132.193.243
mail-from: aaron.m@gvomail.com

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: neutral (SPF-Result: None)
ID(s) verified: smtp.mail=aaron.m@gvomail.com
DNS record(s):
gvomail.com. 300 IN TXT "spf2.0/pra include:_sid1.gvomail.com include:_sid2.gvomail.com ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 ip4:.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 a ptr mx -all"


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: SPF, SID and LONG records [ In reply to ]
On Wed, Mar 31, 2010 at 07:05, Aaron Moon <aaron.m@gogvo.com> wrote:
> I have submitted once before about this and I think I have cleared up MOST of my issues however I am still getting a SPF neutral when submitting my test messages to the port25 checking tool, which I also use for DK and DKIM
>
> All ip's in this record have PTR and are a records of xdomain.com
>
> gvomail.com. 192 IN TXT "spf2.0/pra include:_sid1.gvomail.com include:_sid2.gvomail.com ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 ip4:.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 a ptr mx -all"
> gvomail.com. 192 IN TXT "v=spf1 include:_spf1.gvomail.com include:_spf2.gvomail.com ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 ip4:.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 a ptr mx -all"

Your SPF record is not visible to all clients because it is too long
to fit in a UDP packet. As a result it has to be retrieved over TCP
and not all servers will do so.

Try creating a third included record _spf3.gvomail.com containing the
other IP addresses. A quick eyeball also shows that you have IP
ranges listed that are already covered by other ranges, I'd strongly
recommend you sanity check your IP ranges to reduce your record size.

I'd also question the presence of "a ptr mx" at the end of the SPF
records for both gvomail.com and _spf1.gvomail.com:

a - You already explicitly list the IP
ptr - You really mean that *any* host ending in gvomail.com is approved?
mx - The MX for gvomail.com is gvomail.com, which you already list

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


Re: SPF, SID and LONG records [ In reply to ]
top posting for clarity
if publishing both v=spf1 and spf2.0/pra you must also publish spf2.0/mfrom {sender-id's equivalent of spf1}
as without it sender-id users/checkers will only authenticate pra and will not look at envelope sender
{also terminating pra with -all is bad practice because for example your mail to this list would fail that test; I have yet to see any mailing list work with pra tests {the reason sender-id is a dead-duck}}

also if publishing both on gvomail.com.
{or any multiple txt records on one domain}

their max-length combined must be under the udp limit as all txt records must fit in the one response

also as previously advised
ip4 records first
{in your case NO a ptr or mx records as they are redundant}
then includes

send me direct or via the list your ip blocks and I'll write your complete and functional spf records and return them to you, as you will see from them more clearly how to fix than any other verbiage I send

Re: SPF, SID and LONG records [ In reply to ]
here are the IP blocks

12.132.193.34-37
12.132.193.46-49
12.97.188.252
12.204.164.117
12.68.140.11-18
12.132.193.241-252
12.132.193.191-195
12.97.188.200-245

IN CIDR notation
12.97.188.59
12.204.164.254
12.132.193.34/31
12.132.193.36/31
12.132.193.46/31
12.132.193.48/31
12.97.188.252
12.204.164.117
12.68.140.11
12.68.140.12/30
12.68.140.16/31
12.68.140.18
12.132.193.240/29
12.132.193.248/30
12.132.193.252
12.132.193.191
12.132.193.192/30
12.97.188.200/29
12.132.193.208/28
12.132.193.224/28
12.132.193.240/30
12.132.193.244/31


As far as I know this is the PROPER way to express CIDR for these IPs; the single IPs lack the /32 notation to eliminate the number of characters needed in the TXT records. I really don't care what SPF or SID we use, just want to make sure I deploy BOTH so that MSN is happy and people using just SPF are also happy.




Re: SPF, SID and LONG records [ In reply to ]
At 22:02 31/03/2010 Wednesday, Aaron Moon wrote:
>here are the IP blocks

am I guessing in priority order as it doesn't seem to be numerical?


>12.132.193.34-37
>12.132.193.46-49
>12.97.188.252
>12.204.164.117
>12.68.140.11-18
>12.132.193.241-252
>12.132.193.191-195
>12.97.188.200-245
>
>IN CIDR notation
>12.97.188.59 <<<<where did he come from?



>12.204.164.254
>12.132.193.34/31
>12.132.193.36/31
>12.132.193.46/31
>12.132.193.48/31
>12.97.188.252
>12.204.164.117
>12.68.140.11
>12.68.140.12/30
>12.68.140.16/31
>12.68.140.18

up to here ok {we're up to 12.68.140.11-18 in your previous list}

>12.132.193.240/29

it could be fine if you don't mind including 240 {ie if it isn't being used by someone else, or it is but you don't care or you trust them/don't distrust them}

>12.132.193.248/30
>12.132.193.252 {were up to 12.132.193.241-252 in your previous list}



>12.132.193.191
>12.132.193.192/30 {were up to 12.132.193.191-195 in your previous list}
all fine

>12.132.193.208/28
>12.132.193.224/28
>12.132.193.240/30
>12.132.193.244/31

where did these come from ???? they aren't on your previous list

>12.97.188.200/29

this one is the bad apple entirely as it's too small, but if I assume the above were all typos and remove them and add
12.97.188.208/28
12.97.188.224/28
12.97.188.240/30
12.97.188.244/31
instead it all makes sense

so now to the spf and sender-id records might not be perfect as i will err on the side of getting them inside a udp response and thus might be under-sizing as my math is not 100% on this
but will follow up with better after a wireshark experiment ;)

first the total spf before cutting

v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all
440 chars of data + 12 of start/end markers

now the cuts
for simplicity we go with end first, we can shuffle forward some records later

so taking the smallest logical names to allow for more payload
_fn.gvomail.com. TTL IN TXT v=spf1 payload -all

12 byte header
16byte name
4byte ttl
4byte for rr type/class
2byte rdlength {total response length of all responses}
leaves 512-38 474
{while doing this found in the rfc it recommends name+spf<450 will ignore above and use that limitation}
http://www.openspf.org/RFC_4408#rsize
{ie 450-16 byte name leaves 434 for spf data}
then per string limit of 255
1byte stringlength
12-18byte overhead for spf1-sender-id start+end characters, data length<243-237
gives 2 strings per response of <243-237 with combined length <408-396 {434-2*13-19bytes}
so we know we have 440 bytes of data to convey and multiple other records in the primary domain so we wish to place as much as humanly possible in the include:domain

so we have to drop at least 32 bytes of data from the string to make it fit in the include
"ip4:12.97.188.59 ip4:12.204.164.254 " just volunteered for the cut so now can whats left be split fairly evenly

"ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18"
"ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31"

ten records each nice
now are they both <243-237 and less than 408-396 when combined....
195 and 209 added makes 401 so might be over limit for sender-id {assuming the 450 from rfc is more accurate than previous calculations}

so now spf v1 is done we use same method for sender-id/mfrom {equivalent to spfv1 on envelope} and sender-id/pra {with no hardfail as pra pass is ok but legit mail will fail too and you never want people to reject based on sender-id/pra}

so zone file we will use %{d2} instead of gvomail.com. as it saves precious space in records


gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 include:_sidm1.%{d2} -all"
gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"

now before continuing we check these 3 strings don't exceed length limits
214 total well under

so to solve the potential overflow on the sender-id mfrom we tweak that one record


so now the final zone file is 450 - namelength - number of strings is what total must be less than for success

gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"

235 grand! <450-12-3=435

_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

411 grand! <450-18-2=430

_sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

401 grand! <450-19-2=429

_sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"

420 grand! <450-19-2=429


you will note as i saw we had wiggle room i ditched the short dns names
so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
fairly compact IMHO

also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space separator


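The sizing advice in the replies above (drop ranges already covered by other ranges, keep every character-string at or under 255 bytes with the separating space at the end of the earlier string, and keep the whole answer inside one UDP response) can be checked mechanically. The following is an added example, not code from any poster in this thread; the function names are my own, the input is the CIDR list and the two apex records exactly as posted, and the response size is a lower bound that assumes name compression, no authority or additional section, and no EDNS0.

```python
import ipaddress

# CIDR list as posted in the thread ("IN CIDR notation"), unchanged.
POSTED = """
12.97.188.59 12.204.164.254 12.132.193.34/31 12.132.193.36/31 12.132.193.46/31
12.132.193.48/31 12.97.188.252 12.204.164.117 12.68.140.11 12.68.140.12/30
12.68.140.16/31 12.68.140.18 12.132.193.240/29 12.132.193.248/30
12.132.193.252 12.132.193.191 12.132.193.192/30 12.97.188.200/29
12.132.193.208/28 12.132.193.224/28 12.132.193.240/30 12.132.193.244/31
""".split()

# The two TXT records first published at gvomail.com, copied from the thread,
# including the "ip4:.132.193.36/31" term exactly as it appears there.
_TAIL = ("ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 "
         "ip4:.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 "
         "ip4:12.97.188.252 ip4:12.204.164.117 a ptr mx -all")
ORIGINAL_APEX = [
    "spf2.0/pra include:_sid1.gvomail.com include:_sid2.gvomail.com " + _TAIL,
    "v=spf1 include:_spf1.gvomail.com include:_spf2.gvomail.com " + _TAIL,
]


def collapse(cidrs):
    """Remove ranges covered by another range and merge adjacent siblings."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def build_record(version, nets, final="-all"):
    """Render networks as ip4: terms; a /32 is written without its prefix."""
    terms = [f"ip4:{n.network_address}" if n.prefixlen == 32 else f"ip4:{n}"
             for n in nets]
    return " ".join([version, *terms, final])


def split_txt(record, limit=255):
    """Split a record into character-strings of at most `limit` bytes.

    The cut is made only at a space, and that space stays at the END of the
    earlier string, so the receiver's plain concatenation restores the record.
    """
    strings, rest = [], record
    while len(rest) > limit:
        cut = rest.rfind(" ", 0, limit)  # last space that still fits
        if cut == -1:
            raise ValueError("a single term exceeds one character-string")
        strings.append(rest[:cut + 1])
        rest = rest[cut + 1:]
    strings.append(rest)
    return strings


def rule_of_thumb_ok(name, records):
    """RFC 4408 rule of thumb: name + text of all TXT records under 450."""
    return len(name.rstrip(".")) + sum(len(r) for r in records) < 450


def min_response_size(name, records):
    """Lower bound, in bytes, of a DNS answer carrying every TXT at `name`.

    12-byte header, the question (wire-format name + 4 bytes type/class),
    then per record: 2-byte compressed name, 10 bytes of type/class/TTL/
    RDLENGTH, and each character-string with its 1-byte length prefix.
    """
    qname = len(name.rstrip(".")) + 2  # label length bytes + root byte
    size = 12 + qname + 4
    for rec in records:
        size += 2 + 10 + sum(len(s) + 1 for s in split_txt(rec))
    return size


if __name__ == "__main__":
    nets = collapse(POSTED)
    record = build_record("v=spf1", nets)
    print(len(POSTED), "posted ranges ->", len(nets), "after collapsing")
    for s in split_txt(record):
        print(len(s), repr(s))
    for name, recs in (("gvomail.com", ORIGINAL_APEX),
                       ("_spf1.gvomail.com", [record])):
        print(name, "rule of thumb ok:", rule_of_thumb_ok(name, recs),
              "min response bytes:", min_response_size(name, recs))
```

The same two checks apply to every name that carries more than one TXT record, since all of them are returned in the one answer.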
Re: SPF, SID and LONG records [ In reply to ]
executive summary for the non-readers

btw mail me when they are available online and I'll query them direct to look for typos, before you try an automated tester and assume there is an error below and possibly revert

>so now the final zone file is 450 - namelength - number of strings is what total must be less than for success
>
>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>
>235 grand! <450-12-3=435
>
>_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>411 grand! <450-18-2=430
>
>_sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
> IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>401 grand! <450-19-2=429
>
>_sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"
>
>420 grand! <450-19-2=429
>
>
>you will note as i saw we had wiggle room i ditched the short dns names
>so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
>fairly compact IMHO
>
>also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space seperator



Re: SPF, SID and LONG records [ In reply to ]
I am entering this into a BIND dns server so when you use
gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
what is the include:_spf1.%{d2} mean? or should i be doing this

gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.gvomail.com include:_spf2.gvomail.com -all"


also where you have

>_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"


I assume the blank for the second txt record is supposed to be

_spf2.gvomail.com. just want to be sure before I commit these records on a live system.

-Aaron

----- Original Message -----
From: "alan" <spfdiscuss@alandoherty.net>
To: spf-help@v2.listbox.com
Sent: Wednesday, March 31, 2010 11:00:50 PM GMT -06:00 US/Canada Central
Subject: Re: [spf-help] SPF, SID and LONG records

executive summary for the non-readers

btw mail me when they are available online and I'll query them direct to look for typos, before you try an automated tester and assume there is an error below and possibly revert

>so now the final zone file is 450 - namelength - number of strings is what total must be less than for success
>
>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>
>235 grand! <450-12-3=435
>
>_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>411 grand! <450-18-2=430
>
>_sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
> IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>401 grand! <450-19-2=429
>
>_sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"
>
>420 grand! <450-19-2=429
>
>
>you will note as i saw we had wiggle room i ditched the short dns names
>so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
>fairly compact IMHO
>
>also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space separator



Re: SPF, SID and LONG records [ In reply to ]
At 08:40 05/04/2010 Monday, Aaron Moon wrote:
>I am entering this into a BIND dns server so when you use
>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>what is the include:_spf1.%{d2} mean? or should i be doing this

it is entered just as typed
%{d2} means the first and second parts of the domain ie gvomail.com but takes less characters thus is more efficient
it is only interpreted by the spf client when reading the record so to bind it's just plain text


>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.gvomail.com include:_spf2.gvomail.com -all"

this is also doable but increases the number of characters used unnecessarily



>also where you have
>
>>_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>
>I assume the blank for the second txt record is supposed to be
>
>_spf2.gvomail.com. just want to be sure before I commit these records on a live system.

no on bind the name is entered once all following entries are added to that name till a new name is entered
here's a tiny excerpt from my own dns server to illustrate

$TTL 86400 ; 1 day
@                       IN SOA  ns1.ssol.ie. hostmaster.alandoherty.net. (
                                2009122000 ; serial
                                43200      ; refresh (12 hours)
                                7200       ; retry (2 hours)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      puck.nether.net.
                        NS      ns1.ssol.ie.
                        NS      ns1.alandoherty.net.
                        NS      ns1.twisted4life.com.
                        NS      ns2.ssol.ie.
                        NS      ns2.alandoherty.net.
                        NS      ns3.alandoherty.net.
                        A       195.2.202.63
                        MX      5 mx0.alandoherty.net.
                        MX      10 mx10.alandoherty.net.
                        MX      20 mx20.alandoherty.net.
                        MX      30 mx30.alandoherty.net.
                        TXT     "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
;                       SPF     "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
                        TXT     "spf2.0/mfrom redirect=%{l}._sid-mfrom.%{d2}._mail.%{d2}"
                        TXT     "spf2.0/pra redirect=%{l}._sid-pra.%{d2}._mail.%{d2}"
                        RP      . alan.gothic.ie.
                        RP      . _contact.alandoherty.net.
$ORIGIN alandoherty.net.
c-esmtpsa               3600 A  195.2.202.63

                        MX      0 .
                        TXT     "v=spf1 -all"
                        RP      . _contact
camera                  A       193.120.128.254
                        MX      0 .
                        TXT     "v=spf1 -all"
                        RP      . alan.gothic.ie.
flatsvr                 3600 A  193.120.238.109
                        MX      10 mx20
                        MX      20 mx10
                        MX      30 mx30
                        TXT     "v=spf1 redirect=%{l}._helo-spf1.%{d2}"
                        TXT     "spf2.0/mfrom redirect=%{l}._helo-sid-mfrom.%{d2}"
                        TXT     "spf2.0/pra redirect=%{l}._helo-sid-pra.%{d2}"
                        RP      . alan.gothic.ie.
                        RP      . _contact



>-Aaron
>
>----- Original Message -----
>From: "alan" <spfdiscuss@alandoherty.net>
>To: spf-help@v2.listbox.com
>Sent: Wednesday, March 31, 2010 11:00:50 PM GMT -06:00 US/Canada Central
>Subject: Re: [spf-help] SPF, SID and LONG records
>
>executive summary for the non-readers
>
>btw mail me when they are available online and I'll query them direct to look for typos, before you try an automated tester and assume there is an error below and possibly revert
>
>>so now the final zone file is 450 - namelength - number of strings is what total must be less than for success
>>
>>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>>gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>>gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>>
>>235 grand! <450-12-3=435
>>
>>_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>
>>411 grand! <450-18-2=430
>>
>>_sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
>> IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>
>>401 grand! <450-19-2=429
>>
>>_sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"
>>
>>420 grand! <450-19-2=429
>>
>>
>>you will note as i saw we had wiggle room i ditched the short dns names
>>so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
>>fairly compact IMHO
>>
>>also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space separator



Re: SPF, SID and LONG records [ In reply to ]
I have them up now and this is what I get when i use the check tool at port25

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check: fail
DomainKeys check: pass
DKIM check: pass
Sender-ID check: neutral
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname: g47.gvomail.com
Source IP: 12.97.188.212
mail-from: aaron.m@gvomail.com

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: fail (not permitted)
ID(s) verified: smtp.mail=aaron.m@gvomail.com
DNS record(s):
gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
gvomail.com. 300 IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
_sidm1.gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
_sidm1.gvomail.com. 300 IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"




from my understanding of BIND doesn't having multiple gvomail.com. 300 IN TXT mean that every 300 seconds it will rotate through one? because the check results seem to change every 300 seconds
----- Original Message -----
From: "alan" <spfdiscuss@alandoherty.net>
To: spf-help@v2.listbox.com
Sent: Monday, April 5, 2010 5:10:53 AM GMT -06:00 US/Canada Central
Subject: Re: [spf-help] SPF, SID and LONG records

At 08:40 05/04/2010 Monday, Aaron Moon wrote:
>I am entering this into a BIND dns server so when you use
>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>what is the include:_spf1.%{d2} mean? or should i be doing this

it is entered just as typed
%{d2} means the first and second parts of the domain ie gvomail.com but takes less characters thus is more efficient
it is only interpreted by the spf client when reading the record so to bind it's just plain text


>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.gvomail.com include:_spf2.gvomail.com -all"

this is also doable but increases the number of characters used unnecessarily



>also where you have
>
>>_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>
>I assume the blank for the second txt record is supposed to be
>
>_spf2.gvomail.com. just want to be sure before I commit these records on a live system.

no on bind the name is entered once all following entries are added to that name till a new name is entered
here's a tiny excerpt from my own dns server to illustrate

$TTL 86400 ; 1 day
@                       IN SOA  ns1.ssol.ie. hostmaster.alandoherty.net. (
                                2009122000 ; serial
                                43200      ; refresh (12 hours)
                                7200       ; retry (2 hours)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      puck.nether.net.
                        NS      ns1.ssol.ie.
                        NS      ns1.alandoherty.net.
                        NS      ns1.twisted4life.com.
                        NS      ns2.ssol.ie.
                        NS      ns2.alandoherty.net.
                        NS      ns3.alandoherty.net.
                        A       195.2.202.63
                        MX      5 mx0.alandoherty.net.
                        MX      10 mx10.alandoherty.net.
                        MX      20 mx20.alandoherty.net.
                        MX      30 mx30.alandoherty.net.
                        TXT     "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
;                       SPF     "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
                        TXT     "spf2.0/mfrom redirect=%{l}._sid-mfrom.%{d2}._mail.%{d2}"
                        TXT     "spf2.0/pra redirect=%{l}._sid-pra.%{d2}._mail.%{d2}"
                        RP      . alan.gothic.ie.
                        RP      . _contact.alandoherty.net.
$ORIGIN alandoherty.net.
c-esmtpsa               3600 A  195.2.202.63

                        MX      0 .
                        TXT     "v=spf1 -all"
                        RP      . _contact
camera                  A       193.120.128.254
                        MX      0 .
                        TXT     "v=spf1 -all"
                        RP      . alan.gothic.ie.
flatsvr                 3600 A  193.120.238.109
                        MX      10 mx20
                        MX      20 mx10
                        MX      30 mx30
                        TXT     "v=spf1 redirect=%{l}._helo-spf1.%{d2}"
                        TXT     "spf2.0/mfrom redirect=%{l}._helo-sid-mfrom.%{d2}"
                        TXT     "spf2.0/pra redirect=%{l}._helo-sid-pra.%{d2}"
                        RP      . alan.gothic.ie.
                        RP      . _contact



>-Aaron
>
>----- Original Message -----
>From: "alan" <spfdiscuss@alandoherty.net>
>To: spf-help@v2.listbox.com
>Sent: Wednesday, March 31, 2010 11:00:50 PM GMT -06:00 US/Canada Central
>Subject: Re: [spf-help] SPF, SID and LONG records
>
>executive summary for the non-readers
>
>btw mail me when they are available online and I'll query them direct to look for typos, before you try an automated tester and assume there is an error below and possibly revert
>
>>so now the final zone file is 450 - namelength - number of strings is what total must be less than for success
>>
>>gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>>gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>>gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>>
>>235 grand! <450-12-3=435
>>
>>_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>
>>411 grand! <450-18-2=430
>>
>>_sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
>> IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>
>>401 grand! <450-19-2=429
>>
>>_sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"
>>
>>420 grand! <450-19-2=429
>>
>>
>>you will note as i saw we had wiggle room i ditched the short dns names
>>so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
>>fairly compact IMHO
>>
>>also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space separator



Re: SPF, SID and LONG records [ In reply to ]
Aaron,
Here's what I see:

aculver@aculver:~$ host -t txt _spf1.gvomail.com
;; Truncated, retrying in TCP mode.
_spf1.gvomail.com descriptive text "v=spf1 ip4:12.132.193.34/31
ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11
ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
_spf1.gvomail.com descriptive text "ip4:12.132.193.240/29
ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191
ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28
ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

It seems your records are still too long for UDP. This may be why port25
isn't including _spf1.gvomail.com in its list of DNS records.

Maybe try moving them to multiple names, as opposed to multiple records
under the same name.

gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254
include:_spf1.%{d2} include:_spf2.%{d2} include:_spf3.%{d2} -all"

_spf1.gvomail.com. 300 IN TXT "v=spf1 ip4:12.132.193.34/31
ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 -all"

_spf2.gvomail.com. 300 IN TXT "v=spf1 ip4:12.68.140.12/30
ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29
ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 -all"

_spf3.gvomail.com. 300 IN TXT "v=spf1 ip4:12.132.193.192/30
ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28
ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

(I think I copied/pasted correctly, but double check for yourself. Do
the same for your Sender-ID records.)

Andrew



Aaron Moon wrote:
> I have them up now and this is what I get when i use the check tool at port25
>
> The Port25 Solutions, Inc. team
>
> ==========================================================
> Summary of Results
> ==========================================================
> SPF check: fail
> DomainKeys check: pass
> DKIM check: pass
> Sender-ID check: neutral
> SpamAssassin check: ham
>
> ==========================================================
> Details:
> ==========================================================
>
> HELO hostname: g47.gvomail.com
> Source IP: 12.97.188.212
> mail-from: aaron.m@gvomail.com
>
> ----------------------------------------------------------
> SPF check details:
> ----------------------------------------------------------
> Result: fail (not permitted)
> ID(s) verified: smtp.mail=aaron.m@gvomail.com
> DNS record(s):
> gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
> gvomail.com. 300 IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
> gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
> _sidm1.gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
> _sidm1.gvomail.com. 300 IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>
>
>
> from my understanding of BIND doesn't having multiple gvomail.com. 300 IN TXT mean that every 300 seconds it will rotate through one? because the check results seem to change every 300 seconds
> ----- Original Message -----
> From: "alan" <spfdiscuss@alandoherty.net>
> To: spf-help@v2.listbox.com
> Sent: Monday, April 5, 2010 5:10:53 AM GMT -06:00 US/Canada Central
> Subject: Re: [spf-help] SPF, SID and LONG records
>
> At 08:40 05/04/2010 Monday, Aaron Moon wrote:
>> I am entering this into a BIND dns server so when you use
>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>> what is the include:_spf1.%{d2} mean? or should i be doing this
>
> it is entered just as typed
> %{d2} means the first and second parts of the domain ie gvomail.com but takes less characters thus is more efficient
> it is only interpreted by the spf client when reading the record so to bind it's just plain text
>
>
>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.gvomail.com include:_spf2.gvomail.com -all"
>
> this is also doable but increases the number of characters used unnecessarily
>
>
>
>> also where you have
>>
>>> _spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>
>> I assume the blank for the second txt record is supposed to be
>>
>> _spf2.gvomail.com. just want to be sure before I commit these records on a live system.
>
> no on bind the name is entered once all following entries are added to that name till a new name is entered
> here's a tiny excerpt from my own dns server to illustrate
>
> $TTL 86400 ; 1 day
> @                       IN SOA  ns1.ssol.ie. hostmaster.alandoherty.net. (
>                                 2009122000 ; serial
>                                 43200      ; refresh (12 hours)
>                                 7200       ; retry (2 hours)
>                                 2419200    ; expire (4 weeks)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      puck.nether.net.
>                         NS      ns1.ssol.ie.
>                         NS      ns1.alandoherty.net.
>                         NS      ns1.twisted4life.com.
>                         NS      ns2.ssol.ie.
>                         NS      ns2.alandoherty.net.
>                         NS      ns3.alandoherty.net.
>                         A       195.2.202.63
>                         MX      5 mx0.alandoherty.net.
>                         MX      10 mx10.alandoherty.net.
>                         MX      20 mx20.alandoherty.net.
>                         MX      30 mx30.alandoherty.net.
>                         TXT     "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
> ;                       SPF     "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
>                         TXT     "spf2.0/mfrom redirect=%{l}._sid-mfrom.%{d2}._mail.%{d2}"
>                         TXT     "spf2.0/pra redirect=%{l}._sid-pra.%{d2}._mail.%{d2}"
>                         RP      . alan.gothic.ie.
>                         RP      . _contact.alandoherty.net.
> $ORIGIN alandoherty.net.
> c-esmtpsa               3600 A  195.2.202.63
>
>                         MX      0 .
>                         TXT     "v=spf1 -all"
>                         RP      . _contact
> camera                  A       193.120.128.254
>                         MX      0 .
>                         TXT     "v=spf1 -all"
>                         RP      . alan.gothic.ie.
> flatsvr                 3600 A  193.120.238.109
>                         MX      10 mx20
>                         MX      20 mx10
>                         MX      30 mx30
>                         TXT     "v=spf1 redirect=%{l}._helo-spf1.%{d2}"
>                         TXT     "spf2.0/mfrom redirect=%{l}._helo-sid-mfrom.%{d2}"
>                         TXT     "spf2.0/pra redirect=%{l}._helo-sid-pra.%{d2}"
>                         RP      . alan.gothic.ie.
>                         RP      . _contact
>
>
>
>> -Aaron
>>
>> ----- Original Message -----
>> From: "alan" <spfdiscuss@alandoherty.net>
>> To: spf-help@v2.listbox.com
>> Sent: Wednesday, March 31, 2010 11:00:50 PM GMT -06:00 US/Canada Central
>> Subject: Re: [spf-help] SPF, SID and LONG records
>>
>> executive summary for the non-readers
>>
>> btw mail me when they are available online and I'll query them direct to look for typos, before you try an automated tester and assume there is an error below and possibly revert
>>
>>> so now the final zone file is 450 - namelength - number of strings is what total must be less than for success
>>>
>>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>>> gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>>> gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>>>
>>> 235 grand! <450-12-3=435
>>>
>>> _spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>>
>>> 411 grand! <450-18-2=430
>>>
>>> _sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
>>> IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>>
>>> 401 grand! <450-19-2=429
>>>
>>> _sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"
>>>
>>> 420 grand! <450-19-2=429
>>>
>>>
>>> you will note as i saw we had wiggle room i ditched the short dns names
>>> so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
>>> fairly compact IMHO
>>>
>>> also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space separator


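Added example, not part of any list member's message: a minimal Python sketch of how a receiver following RFC 4408 reads the _spf1 records quoted in this thread. It compares two TXT records at one name with one TXT record holding two strings, shows the effect of a lost trailing space, and expands %{d2}. Only ip4, include and all are handled, and every function and variable name is made up for the example.

```python
import ipaddress
import re


class PermError(Exception):
    """The published record cannot be interpreted (RFC 4408 'PermError')."""


RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def rr_text(strings):
    # RFC 4408 3.1.3: the strings inside ONE TXT record are joined with nothing between them.
    return "".join(strings)


def select_spf(rrset):
    # RFC 4408 4.5: all TXT records at the name come back together; only those
    # starting with the version tag "v=spf1" are kept, and more than one is an error.
    found = [t for t in map(rr_text, rrset) if t == "v=spf1" or t.startswith("v=spf1 ")]
    if len(found) > 1:
        raise PermError("more than one v=spf1 record")
    return found[0] if found else None


def expand_d(spec, domain):
    # Only the %{d} / %{dN} macro is handled: keep the right-most N labels of the domain.
    labels = domain.rstrip(".").split(".")
    def repl(m):
        return ".".join(labels[-int(m.group(1) or len(labels)):])
    return re.sub(r"%\{d(\d*)\}", repl, spec)


def parse(record):
    # The whole record is parsed before evaluation, so one bad term spoils all of it.
    terms = []
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        body = term[1:] if term[0] in RESULT else term
        name, _, arg = body.partition(":")
        if name == "ip4":
            try:
                arg = ipaddress.IPv4Network(arg, strict=False)
            except ValueError as exc:
                raise PermError(f"bad term {term!r}") from exc
        elif name not in ("include", "all"):
            raise PermError(f"not handled in this sketch: {term!r}")
        terms.append((qual, name, arg))
    return terms


def check_host(ip, domain, zone, depth=0):
    if depth > 10:
        raise PermError("too many nested includes")
    record = select_spf(zone.get(domain, []))
    if record is None:
        return "none"
    for qual, name, arg in parse(record):
        if name == "ip4":
            hit = ipaddress.IPv4Address(ip) in arg
        elif name == "include":
            inner = check_host(ip, expand_d(arg, domain), zone, depth + 1)
            if inner == "none":
                raise PermError("include target publishes no SPF record")
            hit = inner == "pass"   # only a pass from the included record matches
        else:
            hit = True              # "all" always matches
        if hit:
            return RESULT[qual]
    return "neutral"


def evaluate(ip, domain, zone):
    try:
        return check_host(ip, domain, zone)
    except PermError:
        return "permerror"


# Record text copied from the thread; the dict-of-lists zone layout is constructed here.
S1 = ("v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 "
      "ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 "
      "ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ")
S2 = ("ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 "
      "ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 "
      "ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 "
      "ip4:12.97.188.244/31 -all")
APEX = [["v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"],
        ["spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"]]


def make_zone(spf1_rrset):
    return {"gvomail.com": APEX, "_spf1.gvomail.com": spf1_rrset}


TWO_RECORDS = make_zone([[S1], [S2]])      # two TXT records at one name
ONE_RECORD = make_zone([[S1, S2]])         # one TXT record made of two strings
NO_SPACE = make_zone([[S1.rstrip(), S2]])  # same, with the trailing space lost

if __name__ == "__main__":
    source_ip = "12.97.188.212"            # Source IP shown in the check report
    for label, zone in (("two records", TWO_RECORDS), ("one record", ONE_RECORD),
                        ("no trailing space", NO_SPACE)):
        print(f"{label:18} {evaluate(source_ip, 'gvomail.com', zone)}")
```

In BIND zone-file syntax the single-record form is written with both quoted strings on the same TXT entry, rather than as a second IN TXT line under the same name.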
Re: SPF, SID and LONG records [ In reply to ]
I tried this before with Alan's help. This was what I had previously, but again it seems broken......
it seems that this is round robining through all the gvomail.com. TXT records, so every 300 seconds i get spf fail but SID pass and then 300 seconds later i get SPF pass and sid fail..


:(

This is BIND on cpanel so the ability to follow some of Alan's requests were not exactly doable in the format provided.

-Aaron
----- Original Message -----
From: "Andrew Culver" <aculver@uwo.ca>
To: spf-help@v2.listbox.com
Sent: Monday, April 5, 2010 12:09:36 PM GMT -06:00 US/Canada Central
Subject: Re: [spf-help] SPF, SID and LONG records

Aaron,
Here's what I see:

aculver@aculver:~$ host -t txt _spf1.gvomail.com
;; Truncated, retrying in TCP mode.
_spf1.gvomail.com descriptive text "v=spf1 ip4:12.132.193.34/31
ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11
ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
_spf1.gvomail.com descriptive text "ip4:12.132.193.240/29
ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191
ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28
ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

It seems your records are still too long for UDP. This may be why port25
isn't including _spf1.gvomail.com in its list of DNS records.

Maybe try moving them to multiple names, as opposed to multiple records
under the same name.

gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254
include:_spf1.%{d2} include:_spf2.%{d2} include:_spf3.%{d2} -all"

_spf1.gvomail.com. 300 IN TXT "v=spf1 ip4:12.132.193.34/31
ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 -all"

_spf2.gvomail.com. 300 IN TXT "v=spf1 ip4:12.68.140.12/30
ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29
ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 -all"

_spf3.gvomail.com. 300 IN TXT "v=spf1 ip4:12.132.193.192/30
ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28
ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

(I think I copied/pasted correctly, but double check for yourself. Do
the same for your Sender-ID records.)

Andrew



Aaron Moon wrote:
> I have them up now and this is what I get when i use the check tool at port25
>
> The Port25 Solutions, Inc. team
>
> ==========================================================
> Summary of Results
> ==========================================================
> SPF check: fail
> DomainKeys check: pass
> DKIM check: pass
> Sender-ID check: neutral
> SpamAssassin check: ham
>
> ==========================================================
> Details:
> ==========================================================
>
> HELO hostname: g47.gvomail.com
> Source IP: 12.97.188.212
> mail-from: aaron.m@gvomail.com
>
> ----------------------------------------------------------
> SPF check details:
> ----------------------------------------------------------
> Result: fail (not permitted)
> ID(s) verified: smtp.mail=aaron.m@gvomail.com
> DNS record(s):
> gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
> gvomail.com. 300 IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
> gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
> _sidm1.gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
> _sidm1.gvomail.com. 300 IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>
>
>
> from my understanding of BIND doesn't having multiple gvomail.com. 300 IN TXT mean that every 300 seconds it will rotate through one? because the check results seem to change every 300 seconds
> ----- Original Message -----
> From: "alan" <spfdiscuss@alandoherty.net>
> To: spf-help@v2.listbox.com
> Sent: Monday, April 5, 2010 5:10:53 AM GMT -06:00 US/Canada Central
> Subject: Re: [spf-help] SPF, SID and LONG records
>
> At 08:40 05/04/2010 Monday, Aaron Moon wrote:
>> I am entering this into a BIND dns server so when you use
>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>> what is the include:_spf1.%{d2} mean? or should i be doing this
>
> it is entered just as typed
> %{d2} means the first and second parts of the domain ie gvomail.com but takes less characters thus is more efficient
> it is only interpreted by the spf client when reading the record so to bind it's just plain text
>
>
>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.gvomail.com include:_spf2.gvomail.com -all"
>
> this is also doable but increases the number of characters used unnecessarily
>
>
>
>> also where you have
>>
>>> _spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>
>> I assume the blank for the second txt record is supposed to be
>>
>> _spf2.gvomail.com. just want to be sure before I commit these records on a live system.
>
> no on bind the name is entered once all following entries are added to that name till a new name is entered
> here's a tiny excerpt from my own dns server to illustrate
>
> $TTL 86400 ; 1 day
> @ IN SOA ns1.ssol.ie. hostmaster.alandoherty.net. (
> 2009122000 ; serial
> 43200 ; refresh (12 hours)
> 7200 ; retry (2 hours)
> 2419200 ; expire (4 weeks)
> 86400 ; minimum (1 day)
> )
> NS puck.nether.net.
> NS ns1.ssol.ie.
> NS ns1.alandoherty.net.
> NS ns1.twisted4life.com.
> NS ns2.ssol.ie.
> NS ns2.alandoherty.net.
> NS ns3.alandoherty.net.
> A 195.2.202.63
> MX 5 mx0.alandoherty.net.
> MX 10 mx10.alandoherty.net.
> MX 20 mx20.alandoherty.net.
> MX 30 mx30.alandoherty.net.
> TXT "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
> ; SPF "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
> TXT "spf2.0/mfrom redirect=%{l}._sid-mfrom.%{d2}._mail.%{d2}"
> TXT "spf2.0/pra redirect=%{l}._sid-pra.%{d2}._mail.%{d2}"
> RP . alan.gothic.ie.
> RP . _contact.alandoherty.net.
> $ORIGIN alandoherty.net.
> c-esmtpsa 3600 A 195.2.202.63
>
> MX 0 .
> TXT "v=spf1 -all"
> RP . _contact
> camera A 193.120.128.254
> MX 0 .
> TXT "v=spf1 -all"
> RP . alan.gothic.ie.
> flatsvr 3600 A 193.120.238.109
> MX 10 mx20
> MX 20 mx10
> MX 30 mx30
> TXT "v=spf1 redirect=%{l}._helo-spf1.%{d2}"
> TXT "spf2.0/mfrom redirect=%{l}._helo-sid-mfrom.%{d2}"
> TXT "spf2.0/pra redirect=%{l}._helo-sid-pra.%{d2}"
> RP . alan.gothic.ie.
> RP . _contact
>
>
>
>> -Aaron
>>
>> ----- Original Message -----
>> From: "alan" <spfdiscuss@alandoherty.net>
>> To: spf-help@v2.listbox.com
>> Sent: Wednesday, March 31, 2010 11:00:50 PM GMT -06:00 US/Canada Central
>> Subject: Re: [spf-help] SPF, SID and LONG records
>>
>> executive summary for the non-readers
>>
>> btw mail me when they are available online and I'll query them direct to look for typos, before you try an automated tester and assume there is an error below and possibly revert
>>
>>> so now the final zone file is 450 - namelength - number of strings is what total must be less than for success
>>>
>>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>>> gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>>> gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>>>
>>> 235 grand! <450-12-3=435
>>>
>>> _spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>>
>>> 411 grand! <450-18-2=430
>>>
>>> _sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
>>> IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>>
>>> 401 grand! <450-19-2=429
>>>
>>> _sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"
>>>
>>> 420 grand! <450-19-2=429
>>>
>>>
>>> you will note as i saw we had wiggle room i ditched the short dns names
>>> so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
>>> fairly compact IMHO
>>>
>>> also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space separator
>>
>>
Re: SPF, SID and LONG records [ In reply to ]
Here is an example of what I had feared would happen

dig gvomail.com txt

; <<>> DiG 9.5.1-P3 <<>> gvomail.com txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51120
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gvomail.com. IN TXT

;; ANSWER SECTION:
gvomail.com. 1 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
gvomail.com. 1 IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
gvomail.com. 1 IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"

;; Query time: 48 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Apr 5 14:33:04 2010
;; MSG SIZE rcvd: 302


You can see there is 1 second left now after that i get this

dig gvomail.com txt

; <<>> DiG 9.5.1-P3 <<>> gvomail.com txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35301
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gvomail.com. IN TXT

;; ANSWER SECTION:
gvomail.com. 300 IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"

;; Query time: 64 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Apr 5 14:33:05 2010
;; MSG SIZE rcvd: 302



----- Original Message -----
From: "Aaron Moon" <aaron.m@gogvo.com>
To: spf-help@v2.listbox.com
Sent: Monday, April 5, 2010 2:19:26 PM GMT -06:00 US/Canada Central
Subject: Re: [spf-help] SPF, SID and LONG records

I tried this before with Alan's help. This was what I had previously, but again it seems broken......
it seems that this is round robining through all the gvomail.com. TXT records, so every 300 seconds i get spf fail but SID pass and then 300 seconds later i get SPF pass and sid fail..


:(

This is BIND on cpanel so the ability to follow some of Alan's requests were not exactly doable in the format provided.

-Aaron
Re: SPF, SID and LONG records [ In reply to ]
On Mon, Apr 5, 2010 at 20:48, Aaron Moon <aaron.m@gogvo.com> wrote:
> Here is an example of what I had feared would happen

_spf1.gvomail.com is still too long for a single UDP record - indeed
it appears to be broken across 2 entries:

_spf1.gvomail.com IN TXT v=spf1 ip4:12.132.193.34/31
ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11
ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18
_spf1.gvomail.com IN TXT ip4:12.132.193.240/29 ip4:12.132.193.248/30
ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30
ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28
ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all

I'd go with the recommendation that others made about breaking that into 3:

gvomail.com IN TXT v=spf1 ip4:12.97.188.59 ip4:12.204.164.254
include:_spf1.%{d2} include:_spf2.%{d2} include:_spf3.%{d2} -all

_spf1.gvomail.com IN TXT v=spf1 ip4:12.132.193.34/31
ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 -all
_spf2.gvomail.com IN TXT v=spf1 ip4:12.68.140.12/30
ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29
ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 -all
_spf3.gvomail.com IN TXT v=spf1 ip4:12.132.193.192/30
ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28
ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all


--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


Re: SPF, SID and LONG records [ In reply to ]
trying my direct tests now sorry for delay didn't see your reply earlier

gvomail.com

Server: ns1.ns.esat.net
Address: 192.111.39.1

Non-authoritative answer:
gvomail.com text =

"v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
gvomail.com text =

"spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
gvomail.com text =

"spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"

gvomail.com nameserver = ns2.kioskdns.com
gvomail.com nameserver = ns1.kioskdns.com

seems perfect and udp only all 3 responses received

ok now for the latter ones

yes _spf1 and _sidp1

are not fitting in a single udp response
_sidm1 is coming through fine though

Server: ns1.ns.esat.net
Address: 192.111.39.1

Non-authoritative answer:
_sidm1.gvomail.com text =

"ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.
193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12
.97.188.240/30 ip4:12.97.188.244/31 -all"
_sidm1.gvomail.com text =

"spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.4
8/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 i
p4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "

gvomail.com nameserver = ns1.kioskdns.com
gvomail.com nameserver = ns2.kioskdns.com


so the math even when conservative is wrong

so now we re-jig

your new replacement parts of zone {for testing immediately} {please IM me as it will get it fixed faster}


gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_spf1.%{d2} -all"
IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidp1.%{d2} ?all"
IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"

_spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

_sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"

_sidm1.gvomail.com. leave as-is
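
The size arithmetic argued over in this thread, as an added example (not code from any of the posters): it builds the DNS response to a TXT query byte by byte, with name compression, and compares the result with the 512-byte UDP limit. The TXT strings and the two nameserver names are copied from the thread; the assumptions that the resolver appends both NS records as the authority section and sends no additional section, the 300-second TTL, and all function and variable names belong to this example.

```python
import struct

UDP_LIMIT = 512                      # DNS-over-UDP message limit without EDNS0 (RFC 1035)
TYPE_NS, TYPE_TXT, CLASS_IN = 2, 16, 1


def _put_name(msg, seen, name):
    """Append a domain name, replacing any already-written suffix with a 2-byte pointer."""
    labels = [part for part in name.lower().rstrip(".").split(".") if part]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in seen:
            msg += struct.pack("!H", 0xC000 | seen[suffix])
            return
        seen[suffix] = len(msg)
        msg.append(len(label))
        msg += label.encode("ascii")
    msg.append(0)                    # root label ends an uncompressed name


def _put_rr(msg, seen, owner, rtype, ttl, rdata=b"", rdata_name=None):
    """Append one resource record; rdata_name is used for NS targets so they compress."""
    _put_name(msg, seen, owner)
    msg += struct.pack("!HHIH", rtype, CLASS_IN, ttl, 0)
    start = len(msg)
    if rdata_name is not None:
        _put_name(msg, seen, rdata_name)
    else:
        msg += rdata
    struct.pack_into("!H", msg, start - 2, len(msg) - start)   # patch RDLENGTH


def txt_rdata(strings):
    """RDATA of one TXT record: each character-string is a length byte plus its bytes."""
    out = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("one TXT character-string holds at most 255 bytes")
        out.append(len(raw))
        out += raw
    return bytes(out)


def build_txt_response(qname, txt_rrs, zone=None, nameservers=(), ttl=300):
    """txt_rrs is a list of records, each record a list of character-strings."""
    counts = (1, len(txt_rrs), len(nameservers), 0)
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8180, *counts))
    seen = {}
    _put_name(msg, seen, qname)
    msg += struct.pack("!HH", TYPE_TXT, CLASS_IN)
    for strings in txt_rrs:
        _put_rr(msg, seen, qname, TYPE_TXT, ttl, rdata=txt_rdata(strings))
    for ns in nameservers:
        _put_rr(msg, seen, zone, TYPE_NS, ttl, rdata_name=ns)
    return bytes(msg)


# Strings copied from the records quoted in the thread.
TAIL = ("ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 "
        "ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 "
        "ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all")
SPF1_A = ("v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 "
          "ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 "
          "ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ")
SPF1_B = "ip4:12.132.193.240/29 " + TAIL
SIDM1_A = ("spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 "
           "ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 "
           "ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 ")
SIDM1_B = TAIL
SPLIT_SPF1 = ("v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 "
              "ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 "
              "ip4:12.68.140.11 -all")
NS = ("ns1.kioskdns.com", "ns2.kioskdns.com")   # as listed in the nslookup output


def response_size(qname, txt_rrs, with_authority=True):
    """Bytes on the wire; with_authority models the NS records (an assumption)."""
    ns = NS if with_authority else ()
    return len(build_txt_response(qname, txt_rrs, zone="gvomail.com", nameservers=ns))


def report():
    cases = {
        "_spf1 as published (two TXT records)": ("_spf1.gvomail.com", [[SPF1_A], [SPF1_B]]),
        "_sidm1 as published (two TXT records)": ("_sidm1.gvomail.com", [[SIDM1_A], [SIDM1_B]]),
        "_spf1 as one TXT record, two strings": ("_spf1.gvomail.com", [[SPF1_A, SPF1_B]]),
        "_spf1 after the three-way split": ("_spf1.gvomail.com", [[SPLIT_SPF1]]),
    }
    return {label: response_size(q, rrs) for label, (q, rrs) in cases.items()}


if __name__ == "__main__":
    for label, size in report().items():
        verdict = "fits in UDP" if size <= UDP_LIMIT else "truncated, retried over TCP"
        print(f"{size:4d} bytes  {verdict:28s} {label}")
```

The question section, per-record headers and the authority section all count toward the 512 bytes, so a character count of the policy text alone underestimates the response.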



Re: SPF, SID and LONG records [ In reply to ]
At 20:19 05/04/2010 Monday, Aaron Moon wrote:
>I tried this before with Alan's help. This was what I had previously, but again it seems broken......
>it seems that this is round robining through all the gvomail.com. TXT records, so every 300 seconds i get spf fail but SID pass and then 300 seconds later i get SPF pass and sid fail..

it isn't round robining, it's that 2 of the records were still too long for udp; see other mail for fix, feel free to contact me directly on msn/yahoo/jabber/icq for quicker fix diagnostic but the new records sent earlier should fit
as the math was off but not greatly as the third longest record makes it intact
so by moving 2 entries on the other two all should now be below this length



>:(
>
>This is BIND on cpanel so the ability to follow some of Alan's requests were not exactly doable in the format provided.
>
>-Aaron
>----- Original Message -----
>From: "Andrew Culver" <aculver@uwo.ca>
>To: spf-help@v2.listbox.com
>Sent: Monday, April 5, 2010 12:09:36 PM GMT -06:00 US/Canada Central
>Subject: Re: [spf-help] SPF, SID and LONG records
>
>Aaron,
>Here's what I see:
>
>aculver@aculver:~$ host -t txt _spf1.gvomail.com
>;; Truncated, retrying in TCP mode.
>_spf1.gvomail.com descriptive text "v=spf1 ip4:12.132.193.34/31
>ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
>ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11
>ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>_spf1.gvomail.com descriptive text "ip4:12.132.193.240/29
>ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191
>ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28
>ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>It seems your records are still too long for UDP. This may be why port25
>isn't including _spf1.gvomail.com in its list of DNS records.
>
>Maybe try moving them to multiple names, as opposed to multiple records
>under the same name.
>
>gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254
>include:_spf1.%{d2} include:_spf2.%{d2} include:_spf3.%{d2} -all"
>
>_spf1.gvomail.com. 300 IN TXT "v=spf1 ip4:12.132.193.34/31
>ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
>ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 -all"
>
>_spf2.gvomail.com. 300 IN TXT "v=spf1 ip4:12.68.140.12/30
>ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29
>ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 -all"
>
>_spf3.gvomail.com. 300 IN TXT "v=spf1 ip4:12.132.193.192/30
>ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28
>ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>
>(I think I copied/pasted correctly, but double check for yourself. Do
>the same for your Sender-ID records.)
>
>Andrew
>
>
>
>Aaron Moon wrote:
>> I have them up now and this is what I get when i use the check tool at port25
>>
>> The Port25 Solutions, Inc. team
>>
>> ==========================================================
>> Summary of Results
>> ==========================================================
>> SPF check: fail
>> DomainKeys check: pass
>> DKIM check: pass
>> Sender-ID check: neutral
>> SpamAssassin check: ham
>>
>> ==========================================================
>> Details:
>> ==========================================================
>>
>> HELO hostname: g47.gvomail.com
>> Source IP: 12.97.188.212
>> mail-from: aaron.m@gvomail.com
>>
>> ----------------------------------------------------------
>> SPF check details:
>> ----------------------------------------------------------
>> Result: fail (not permitted)
>> ID(s) verified: smtp.mail=aaron.m@gvomail.com
>> DNS record(s):
>> gvomail.com. 300 IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>> gvomail.com. 300 IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>> gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>> _sidm1.gvomail.com. 300 IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
>> _sidm1.gvomail.com. 300 IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>
>>
>>
>>
>> from my understanding of BIND doesn't having multiple gvomail.com. 300 IN TXT mean that every 300 seconds it will rotate through one? because the check results seem to change every 300 seconds
>> ----- Original Message -----
>> From: "alan" <spfdiscuss@alandoherty.net>
>> To: spf-help@v2.listbox.com
>> Sent: Monday, April 5, 2010 5:10:53 AM GMT -06:00 US/Canada Central
>> Subject: Re: [spf-help] SPF, SID and LONG records
>>
>> At 08:40 05/04/2010 Monday, Aaron Moon wrote:
>>> I am entering this into a BIND dns server so when you use
>>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>>> what is the include:_spf1.%{d2} mean? or should i be doing this
>>
>> it is entered just as typed
>> %{d2} means the first and second parts of the domain ie gvomail.com but takes less characters thus is more efficient
>> it is only interpreted by the spf client when reading the record so to bind it's just plain text
>>
>>
>>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.gvomail.com include:_spf2.gvomail.com -all"
>>
>> this is also doable but increases the number of characters used unnecessarily
>>
>>
>>
>>> also where you have
>>>
>>>> _spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>>
>>> I assume the blank for the second txt record is supposed to be
>>>
>>> _spf2.gvomail.com. just want to be sure before I commit these records on a live system.
>>
>> no on bind the name is entered once all following entries are added to that name till a new name is entered
>> here's a tiny excerpt from my own dns server to illustrate
>>
>> $TTL 86400 ; 1 day
>> @ IN SOA ns1.ssol.ie. hostmaster.alandoherty.net. (
>> 2009122000 ; serial
>> 43200 ; refresh (12 hours)
>> 7200 ; retry (2 hours)
>> 2419200 ; expire (4 weeks)
>> 86400 ; minimum (1 day)
>> )
>> NS puck.nether.net.
>> NS ns1.ssol.ie.
>> NS ns1.alandoherty.net.
>> NS ns1.twisted4life.com.
>> NS ns2.ssol.ie.
>> NS ns2.alandoherty.net.
>> NS ns3.alandoherty.net.
>> A 195.2.202.63
>> MX 5 mx0.alandoherty.net.
>> MX 10 mx10.alandoherty.net.
>> MX 20 mx20.alandoherty.net.
>> MX 30 mx30.alandoherty.net.
>> TXT "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
>> ; SPF "v=spf1 redirect=%{l}._spf1.%{d2}._mail.%{d2}"
>> TXT "spf2.0/mfrom redirect=%{l}._sid-mfrom.%{d2}._mail.%{d2}"
>> TXT "spf2.0/pra redirect=%{l}._sid-pra.%{d2}._mail.%{d2}"
>> RP . alan.gothic.ie.
>> RP . _contact.alandoherty.net.
>> $ORIGIN alandoherty.net.
>> c-esmtpsa 3600 A 195.2.202.63
>>
>> MX 0 .
>> TXT "v=spf1 -all"
>> RP . _contact
>> camera A 193.120.128.254
>> MX 0 .
>> TXT "v=spf1 -all"
>> RP . alan.gothic.ie.
>> flatsvr 3600 A 193.120.238.109
>> MX 10 mx20
>> MX 20 mx10
>> MX 30 mx30
>> TXT "v=spf1 redirect=%{l}._helo-spf1.%{d2}"
>> TXT "spf2.0/mfrom redirect=%{l}._helo-sid-mfrom.%{d2}"
>> TXT "spf2.0/pra redirect=%{l}._helo-sid-pra.%{d2}"
>> RP . alan.gothic.ie.
>> RP . _contact
>>
>>
>>
>>> -Aaron
>>>
>>> ----- Original Message -----
>>> From: "alan" <spfdiscuss@alandoherty.net>
>>> To: spf-help@v2.listbox.com
>>> Sent: Wednesday, March 31, 2010 11:00:50 PM GMT -06:00 US/Canada Central
>>> Subject: Re: [spf-help] SPF, SID and LONG records
>>>
>>> executive summary for the non-readers
>>>
>>> btw mail me when they are available online and I'll query them direct to look for typos, before you try an automated tester and assume there is an error below and possibly revert
>>>
>>>> so now the final zone file is 450 - namelength - number of strings is what total must be less than for success
>>>>
>>>> gvomail.com. IN TXT "v=spf1 ip4:12.97.188.59 ip4:12.204.164.254 include:_spf1.%{d2} -all"
>>>> gvomail.com. IN TXT "spf2.0/mfrom ip4:12.97.188.59 ip4:12.204.164.254 ip4:12.132.193.34/31 include:_sidm1.%{d2} -all"
>>>> gvomail.com. IN TXT "spf2.0/pra ip4:12.97.188.59 ip4:12.204.164.254 include:_sidp1.%{d2} ?all"
>>>>
>>>> 235 grand! <450-12-3=435
>>>>
>>>> _spf1.gvomail.com. IN TXT "v=spf1 ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>>>
>>>> 411 grand! <450-18-2=430
>>>>
>>>> _sidm1.gvomail.com. IN TXT "spf2.0/mfrom ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29 "
>>>> IN TXT "ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all"
>>>>
>>>> 401 grand! <450-19-2=429
>>>>
>>>> _sidp1.gvomail.com. IN TXT "spf2.0/pra ip4:12.132.193.34/31 ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31 ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18 "
>>>> IN TXT "ip4:12.132.193.240/29 ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28 ip4:12.97.188.240/30 ip4:12.97.188.244/31 ?all"
>>>>
>>>> 420 grand! <450-19-2=429
>>>>
>>>>
>>>> you will note as i saw we had wiggle room i ditched the short dns names
>>>> so now for spf v1 clients 2 lookups, for sender-id checkers at rcpt-time 2 lookups, and pra checks at data time 2 lookups
>>>> fairly compact IMHO
>>>>
>>>> also NB in text records ensure the first has the trailing space or when they are concatenated {joined} by the receiver they will become messed-up due to lack of necessary space separator
>>>
>>>



Re: SPF, SID and LONG records [ In reply to ]
the variance from 1 second to 300 second ttl is nothing to do with the spf records though i would suspect one record within gvomail.com
has its ttl set to 1 instead of 300 in cpanel

the now shortened records sent will fix the issue

and we'll know that 450 isn't even a conservative enough estimate for maxlength

but going to 3 records would work but is unnecessary as we see that _sidm.gvomail.com works fine with one less ip4 entry and a much longer preamble
{and we intentionally left plenty of spare space in the primary records already for expansion}

if for some reason the updates as sent don't work then yes we easily go for 3 but atm receivers checking spf and senderid have 4 lookups
expanding all means 7 and if unnecessary, it would be wasteful and time-consuming



At 21:05 05/04/2010 Monday, Rob MacGregor wrote:
>On Mon, Apr 5, 2010 at 20:48, Aaron Moon <aaron.m@gogvo.com> wrote:
>> Here is an example of what I had feared would happen
>
>_spf1.gvomail.com is still too long for a single UDP record - indeed
>it appears to be broken across 2 entries:
>
>_spf1.gvomail.com IN TXT v=spf1 ip4:12.132.193.34/31
>ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
>ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11
>ip4:12.68.140.12/30 ip4:12.68.140.16/31 ip4:12.68.140.18
>_spf1.gvomail.com IN TXT ip4:12.132.193.240/29 ip4:12.132.193.248/30
>ip4:12.132.193.252 ip4:12.132.193.191 ip4:12.132.193.192/30
>ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28
>ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all
>
>I'd go with the recommendation that others made about breaking that into 3:
>
>gvomail.com IN TXT v=spf1 ip4:12.97.188.59 ip4:12.204.164.254
>include:_spf1.%{d2} include:_spf2.%{d2} include:_spf3.%{d2} -all
>
>_spf1.gvomail.com IN TXT v=spf1 ip4:12.132.193.34/31
>ip4:12.132.193.36/31 ip4:12.132.193.46/31 ip4:12.132.193.48/31
>ip4:12.97.188.252 ip4:12.204.164.117 ip4:12.68.140.11 -all
>_spf2.gvomail.com IN TXT v=spf1 ip4:12.68.140.12/30
>ip4:12.68.140.16/31 ip4:12.68.140.18 ip4:12.132.193.240/29
>ip4:12.132.193.248/30 ip4:12.132.193.252 ip4:12.132.193.191 -all
>_spf3.gvomail.com IN TXT v=spf1 ip4:12.132.193.192/30
>ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/28
>ip4:12.97.188.240/30 ip4:12.97.188.244/31 -all
>
>
>--
> Please keep list traffic on the list.
>
>Rob MacGregor
> Whoever fights monsters should see to it that in the process he
> doesn't become a monster. Friedrich Nietzsche
>
>



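The sizing question this thread keeps returning to (how large the reply for a TXT name gets, and how many `_spfN` names a split needs), worked through as an added example that is not from any poster or from the SPF project. It assumes an answer-only reply with a compressed owner name and no EDNS0; the function names and the 300-byte budget in the demo are choices made here, the budget leaving headroom for the authority and additional records a server may append.

```python
"""Estimate the DNS response size of SPF TXT RRsets and pack ip4 terms to fit UDP."""

UDP_LIMIT = 512                        # DNS-over-UDP payload limit without EDNS0
HEADER, QFIXED, RRFIXED = 12, 4, 10    # header; QTYPE+QCLASS; TYPE+CLASS+TTL+RDLENGTH
POINTER = 2                            # compressed owner name in each answer RR


def name_len(name):
    """Wire length of an uncompressed name: one length byte per label plus the root."""
    return sum(1 + len(l) for l in name.rstrip(".").split(".") if l) + 1


def txt_rdata_len(text):
    """TXT RDATA length: text cut into <=255-byte strings, one length byte each."""
    n = len(text.encode("ascii"))
    return n + max(1, -(-n // 255))


def response_size(owner, records):
    """Answer-only response size; every TXT record at `owner` is returned together."""
    answers = sum(POINTER + RRFIXED + txt_rdata_len(r) for r in records)
    return HEADER + name_len(owner) + QFIXED + answers


def render(nets, version="v=spf1", tail="-all"):
    """Build one policy string from a list of ip4 networks."""
    return " ".join([version] + ["ip4:" + n for n in nets] + [tail])


def pack_includes(domain, networks, limit=UDP_LIMIT):
    """Greedily spread ip4 terms over _spfN.<domain> names whose replies fit `limit`."""
    zones, current = {}, []
    for net in networks:
        owner = "_spf%d.%s" % (len(zones) + 1, domain)
        if current and response_size(owner, [render(current + [net])]) > limit:
            zones[owner] = render(current)
            current = []
        current.append(net)
    if current:
        zones["_spf%d.%s" % (len(zones) + 1, domain)] = render(current)
    return zones


if __name__ == "__main__":
    # The 20 networks listed for _spf1.gvomail.com earlier in the thread.
    nets = """12.132.193.34/31 12.132.193.36/31 12.132.193.46/31 12.132.193.48/31
        12.97.188.252 12.204.164.117 12.68.140.11 12.68.140.12/30 12.68.140.16/31
        12.68.140.18 12.132.193.240/29 12.132.193.248/30 12.132.193.252
        12.132.193.191 12.132.193.192/30 12.97.188.200/29 12.97.188.208/28
        12.97.188.224/28 12.97.188.240/30 12.97.188.244/31""".split()
    # 300 is an assumed budget, not a value from the thread.
    for owner, text in pack_includes("gvomail.com", nets, limit=300).items():
        print(owner, response_size(owner, [text]), "bytes")
```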