Mailing List Archive

Help with subdomain SPF config
I administer DNS for Bard College and do not choose to implement SPF in
its zone files.

However, we have a request from one of our subsidiary program-campuses,
a High School - Early College program, which currently gets its mail
through an address like hsec.bard.edu. This is not really a subdomain,
rather just the mail host; there is no www.hsec.bard.edu, etc.

The HSEC administration likes having an edu and bard.edu address but
wants to go to GMail. The lovely folks at Google say that the MX record
for GMail should have an associated SPF record.

The Question: can I do an SPF record *just* for that mail service record?

Would the hsec.bard.edu stanza look something like this?

hsec.bard.edu IN A <some address>
MX 1 ASPMX.L.GOOGLE.COM
MX 5 ALT1.ASPMX.L.GOOGLE.COM
MX 5 ALT2.ASPMX.L.GOOGLE.COM
hsec.bard.edu. TXT "v=spf1 *include:_spf.google.com ~all*"

The SPF record is cribbed from this Google GMail URL:
http://www.google.com/support/a/bin/answer.py?answer=178723
--
==== Once upon a time, the Internet was a friendly,
neighbors-helping-neighbors small town, and no one locked their doors.
Now it's like an apartment in Bed-Stuy: you need three heavy duty
pick-proof locks, one of those braces that goes from the lock to the
floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin,
Bard College, New York 12504 sdean@bard.edu voice: 845-758-7475, fax:
845-758-7035



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: Help with subdomain SPF config
Hi Stewart,

Stewart Dean wrote:
> I administer DNS for Bard College and do not choose to implement SPF in
> its zone files.
>
> However, we have a request from one of our subsidiary program-campuses,
> a High School - Early College program, which currently gets its mail
> through an address like hsec.bard.edu. This is not really a subdomain,
> rather just the mail host; there is no www.hsec.bard.edu, etc.

They're all domains. SPF doesn't "cascade down" to sub-domains or
"inherit" from parent domains. An SPF record on bard.edu will only
affect mail using an SMTP MAIL FROM address (or HELO) of user@bard.edu.
An SPF record on hsec.bard.edu will only affect mail using an SMTP MAIL
FROM address of user@hsec.bard.edu. So what you're trying to do will
work just fine.

> The HSEC administration likes having an edu and bard.edu address but
> wants to go to GMail. The lovely folks at Google say that the MX record
> for GMail should have an associated SPF record.

Replace "MX record for GMail" with "hsec.bard.edu domain" in the above
statement to make it more accurate. ;)

> The Question: can I do an SPF record *just* for that mail service record?
>
> Would the hsec.bard.edu stanza look something like this?
>
> hsec.bard.edu IN A <some address>
> MX 1 ASPMX.L.GOOGLE.COM
> MX 5 ALT1.ASPMX.L.GOOGLE.COM
> MX 5 ALT2.ASPMX.L.GOOGLE.COM
> hsec.bard.edu. TXT "v=spf1 *include:_spf.google.com ~all*"

Yes, without the asterisks. If there are any other hosts that also send
mail as user@hsec.bard.edu they should be included in this record.

You should change the ~all to -all to make the record more effective
once you're satisfied with it.

>
> The SPF record is cribbed from this Google GMail URL:
> http://www.google.com/support/a/bin/answer.py?answer=178723

Andrew


Re: Help with subdomain SPF config
Thanks Andrew!

1) The asterisks were a side-effect of my cut and paste into the GUI
mail client of the original bolded text from the Google HTML webpage.
Like cutting a string with (required) tabs in Unix, and ending up with a
paste with (invalid) spaces!

2) In that Google URL they say:
"Publishing an SPF record that uses -all instead of ~all may result
in delivery problems. See Google IP address ranges
<http://www.google.com/support/a/bin/answer.py?answer=60764> for details
about the addresses for the Google Apps mail servers." Any comments on
that?




Re: Help with subdomain SPF config
Stewart Dean wrote:
> Thanks Andrew!
>
> 1) The asterisks were a side-effect of my cut and paste into the GUI
> mail client of the original bolded text from the Google HTML webpage.
> Like cutting a string with (required) tabs in Unix, and ending up with a
> paste with (invalid) spaces!

I figured as much... just making sure.

>
> 2) In that Google URL they say:
> "Publishing an SPF record that uses -all instead of ~all may result
> in delivery problems. See Google IP address ranges
> <http://www.google.com/support/a/bin/answer.py?answer=60764> for details
> about the addresses for the Google Apps mail servers." Any comments on
> that?

The ~all and -all declare what should happen to hosts that aren't in
your SPF record. As long as your record is accurate, you WANT such hosts
to have delivery problems, because they're probably trying to forge mail
from your domain.

Hosts listed in your record will "pass," so -all won't cause delivery
problems for them. Hosts not in your record will either "fail" (-all) or
"softfail" (~all). The use of ~all is intended for use while you're
transitioning to SPF. Once you're satisfied that your record is
accurate, you should change to -all to make your record more effective
and make it harder for hosts NOT listed in your record to forge your
domain's address.

See http://www.openspf.org/SPF_Record_Syntax for a more detailed
explanation of Fail/SoftFail.

Andrew



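A toy SPF evaluator, added here as an example (it is not code from the thread, from openspf.org or from Google), that exercises the two points Andrew makes above: a record is looked up for the exact MAIL FROM domain, so bard.edu having no record says nothing about hsec.bard.edu, and the ~all versus -all choice only decides what happens to hosts the record does not list. The TXT data and the 203.0.113.0/24 netblock are constructed placeholders, and only the ip4 and include mechanisms and the all qualifiers are implemented.

```python
import ipaddress

# Constructed TXT data standing in for the zones in the thread. The ip4 netblock
# is a documentation range used as a placeholder, not Google's real address space.
ZONES = {
    "hsec.bard.edu":   "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",
    # bard.edu publishes no SPF record, as the original poster chose.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(zones, ip, domain, depth=0):
    """SPF result for mail sent from <ip> with MAIL FROM user@<domain>.
    The record is looked up for <domain> exactly; nothing is inherited from a parent."""
    record = zones.get(domain)
    if record is None:
        return "none"                      # no record, no policy
    if depth > 10:
        return "permerror"                 # mirror RFC 7208's lookup limit
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]        # the ~all versus -all decision point
        name, _, arg = term.partition(":")
        if name == "ip4":
            if ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_host(zones, ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"             # mechanism not supported by this toy
    return "neutral"                       # RFC 7208 default when nothing matched

def hardened(zones, domain):
    """Copy of zones with <domain>'s ~all replaced by -all, as Andrew recommends."""
    out = dict(zones)
    out[domain] = out[domain].replace("~all", "-all")
    return out

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):   # a Google-range host, then a stranger
        print(ip, check_host(ZONES, ip, "hsec.bard.edu"),
              check_host(hardened(ZONES, "hsec.bard.edu"), ip, "hsec.bard.edu"))
```

A listed host passes under either qualifier; only the unlisted host moves from softfail to fail when the record is hardened.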
Re: Help with subdomain SPF config
Again, much thanks and appreciation for Andrew's quick and authoritative
response! I am now ready to go if or when hsec decides to make the move!



