Mailing List Archive

Does SMTP authentication mean that our domain is the only permitted sender
Hello,



We control our web hosting and we have ensured that when sending emails from
our domain, the sender has to authenticate using our SMTP outgoing server,
username and password. Does this therefore mean that even if you send emails
via another ISP that only our domain is the permitted sender?



So for example can we set up the SPF record as follows?



ourdomain.com. TXT "v=spf1 mx -all"



I believe it means that all MX records from ourdomain.com are the permitted
to send emails from ourdomain.com.



Thanks





-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: Does SMTP authentication mean that our domain is the only permitted sender
> We control our web hosting and we have ensured that when sending emails
> from
> our domain, the sender has to authenticate using our SMTP outgoing server,
> username and password. Does this therefore mean that even if you send
> emails
> via another ISP that only our domain is the permitted sender?

First - a little nitpick: your terminology is a little confused, and that
makes answering your question accurately rather difficult.

I think you are using the word "domain" when you mean "server" - if I'm
wrong about that, then the rest of my post will be meaningless :-)

The ISP of the person sending an email is of no consequence whatsoever;
all that matters is which machine(s) will deliver email to a recipient's
mailserver.

So if all email from your domain is passing through your server (and the
route to get there is irrelevant), setting up SPF for your domain is dead
easy.

If, on the other hand, users can *either* send email via that route *or*
can send via any other mailserver they like, then it's going to be
remarkably difficult to use SPF for your domain.

> So for example can we set up the SPF record as follows?
>
> ourdomain.com. TXT "v=spf1 mx -all"

As a rule, it is counterproductive to obscure your domain name on this
list. DNS information is public anyway, so you're not protecting anything
private, but without your real domain name, none of us can look at your
problem. That means we can only answer in very general terms, and you have
to do all the hard work...

But if you had a record similar to the above for your domain, then any IP
addresses listed as MX for that domain would be permitted also to send
email on behalf of that domain. Anything else will be rejected by SPF
filters.

> I believe it means that all MX records from ourdomain.com are the
> permitted to send emails from ourdomain.com.

But it also means that *no other* IP address is permitted. You should
check to make sure this is the behaviour you want.

Vic.



Re: Does SMTP authentication mean that our domain is the only permitted sender
At 07:21 21/06/2010 Monday, Surfocracy support wrote:
>Hello,
>
> We control our web hosting and we have ensured that when sending emails from
>our domain, the sender has to authenticate using our SMTP outgoing server,
>username and password. Does this therefore mean that even if you send emails
>via another ISP that only our domain is the permitted sender?
>
>So for example can we set up the SPF record as follows?
>
>ourdomain.com. TXT "v=spf1 mx -all"
>
>I believe it means that all MX records from ourdomain.com are the permitted
>to send emails from ourdomain.com.

yes and no
yes it will work if the IP your outgoing mailserver uses also happens to be the IP used in your MX records
{and no because MX should be avoided in SPF as it is the highest-cost mechanism, making resolving/verifying your SPF lots slower for receivers}

since you likely already know the IP addresses of your own servers, better to save yourself and everyone else time

ourdomain.com. IN TXT "v=spf1 ip4:ip-of-your-server1 ip4:ip-of-your-server2 etc. -all"
{cost to receivers 1 dns lookup}
or if your server(s) change ip regularly
ourdomain.com. IN TXT "v=spf1 a:name-of-server1 a:name-of-server2 -all"
{cost to receivers 1+ 1 dns lookup per server}

as opposed to current spf
ourdomain.com. IN TXT "v=spf1 mx -all"
{cost to receivers 2+ 1 dns lookup per server in mx's}

also tying spf to mx's means your inbound and outbound are tied to the same machines which if you become bigger and wish to scale to having separate machines for each separate job will become impossible

or if you add a 3rd party upstream mailfiltering service it will inadvertently allow them/their users to forge your domain {best practice is to never use mx in spf}





Re: Does SMTP authentication mean that our domain is the only permitted sender
On 21/Jun/10 08:21, Surfocracy support wrote:
> We control our web hosting and we have ensured that when sending emails from
> our domain, the sender has to authenticate using our SMTP outgoing server,
> username and password. Does this therefore mean that even if you send emails
> via another ISP that only our domain is the permitted sender?

Not quite. SMTP-AUTH imposes a constraint on /your/ server. If I use
a different server, I can do as its policy allows. If my ISP allows
me to send mail with your domain in any sender's address (envelope
and/or header), then I can do so.

> So for example can we set up the SPF record as follows?
>
> ourdomain.com. TXT "v=spf1 mx -all"
>
> I believe it means that all MX records from ourdomain.com are the permitted
> to send emails from ourdomain.com.

It means that /all/ and /only/ those hosts are permitted.

Keep in mind that "from ourdomain.com" means having that domain
address in the envelope sender. The header's From is irrelevant for SPF.

Also keep in mind that not all receiving servers will honor your SPF
settings.

In practice, in case I use my ISP as described above, such SPF record
will cause intermittent malfunctions. It can be used as a means to
force your users to stop sending mail through their ISPs and use your
outgoing mail server instead. If that's your purpose, make sure your
users make a TLS connection to port 587 of your MSA, in order to rule
out any SMTP proxy that ISPs may filter port 25 with.

HTH


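The per-mechanism DNS cost discussed in the "yes and no" reply and the envelope-sender point in the reply above, as an added example that is not from the list or any poster: a minimal SPF evaluator run against a constructed DNS table. The zone data, host names, IPs and the other.example domain are all made up for the illustration.

```python
import ipaddress

# Constructed zone data standing in for real DNS (hosts and IPs are made up).
DNS = {
    ("ourdomain.com", "TXT"): ["v=spf1 mx -all"],
    ("ourdomain.com", "MX"): ["mx1.ourdomain.com", "mx2.ourdomain.com"],
    ("mx1.ourdomain.com", "A"): ["192.0.2.10"],
    ("mx2.ourdomain.com", "A"): ["192.0.2.11"],
    ("smtp.ourdomain.com", "A"): ["192.0.2.25"],   # outbound MSA, not an MX
    ("other.example", "TXT"): ["v=spf1 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_has_ip(host, ip, dns):
    return any(ipaddress.ip_address(a) == ip for a in dns.get((host, "A"), []))

def evaluate_spf(record, client_ip, domain, dns=DNS):
    """Evaluate a v=spf1 record (ip4, a, mx, all) for client_ip and return
    (result, dns_queries) so the cost of each mechanism is visible."""
    ip = ipaddress.ip_address(client_ip)
    queries = 0
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":                    # no DNS needed at all
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                      # one A query
            queries += 1
            matched = host_has_ip(target, ip, dns)
        elif mech == "mx":                     # one MX query + one A query per MX host
            mx_hosts = dns.get((target, "MX"), [])
            queries += 1 + len(mx_hosts)
            matched = any(host_has_ip(mx, ip, dns) for mx in mx_hosts)
        else:
            raise ValueError(f"unsupported mechanism {mech}")
        if matched:
            return RESULT[qualifier], queries
    return "neutral", queries                  # no mechanism matched

def check_sender(mail_from, header_from, client_ip, dns=DNS):
    """SPF is checked on the envelope MAIL FROM domain; header From is ignored."""
    domain = mail_from.rsplit("@", 1)[1]
    record = next(t for t in dns[(domain, "TXT")] if t.startswith("v=spf1"))
    result, queries = evaluate_spf(record, client_ip, domain, dns)
    return {"spf_domain": domain, "result": result, "dns_queries": queries + 1}
```

With the `mx -all` record, mail relayed through smtp.ourdomain.com fails even though it is the domain's own MSA, while the `ip4:` form passes it with zero extra lookups; the final TXT fetch is counted in `check_sender`.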