Mailing List Archive

Setting up the correct SPF with one SMTP for few domains
I'm new to SPF, read the FAQ and tried the wizard. I think I have got to the
right SPF to add to my DNS, but before doing it I'd like to ask some
experts here if it is correct.

My situation is:
I have a machine running a SMTP server and a web server. The IP of the machine
is 109.231.67.172. The hostname of the SMTP is postoffice.bryo.it (I should
have set up mx, ptr, reverse dns etc all correctly).
All web applications (using different domains) use postoffice.bryo.it as SMTP
address (it accepts email from localhost only). So, for example, I have
calcolatermini.info and casainpermuta.it that send emails using
postoffice.bryo.it (as info@calcolatermini.info and/or
contact@casainpermuta.it).

As far as I have understood, I should create a TXT record for bryo.it like
this:
v=spf1 a a:postoffice.bryo.it a:casainpermuta.it a:calcolatermini.info ?all

Is that correct? Is that all? Or should I do anything on casainpermuta.it and
calcolatermini.info domains as well?

Thanks a lot!
Pietro



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
On 02/Aug/10 08:05, Pietro wrote:
> I'm new to SPF, read the FAQ and tried the wizard. I think I have got to the
> right SPF to add to my DNS, but before doing it I'd like to ask some
> experts here if it is correct.

You should read at least the first two sections of RFC 4408.

> My situation is:
> I have a machine running a SMTP server and a web server. The IP of the machine
> is 109.231.67.172. The hostname of the SMTP is postoffice.bryo.it (I should
> have set up mx, ptr, reverse dns etc all correctly).
> All web applications (using different domains) use postoffice.bryo.it as SMTP
> address (it accepts email from localhost only). So, for example, I have
> calcolatermini.info and casainpermuta.it that send emails using
> postoffice.bryo.it (as info@calcolatermini.info and/or
> contact@casainpermuta.it).

Users? I've seen you wrote from a gmail address, rather than one of
your domains. If anyone, besides applications, actually /uses/ those
addresses, you need to take also their sending paths into account.

> As far as I have understood, I should create a TXT record for bryo.it like
> this:
> v=spf1 a a:postoffice.bryo.it a:casainpermuta.it a:calcolatermini.info ?all

All those "a" terms result in the same address 109.231.67.172, so they
are redundant. You must figure out what you want the receiving server
to do when it sees that record. It is currently equivalent to either

v=spf1 a ?all
or
v=spf1 ip4:109.231.67.172 ?all

The former seems shorter and easier to maintain, but its behavior may
vary, e.g. when it's included. The latter requires you to change the
actual address whenever you change network provider, but is pretty clear.

> Is that correct? Is that all? Or should I do anything on casainpermuta.it and
> calcolatermini.info domains as well?

You should also publish a record for the other domains, including
postoffice.bryo.it (which currently has an MX.) Actually, you should
publish an SPF/TXT for each A/AAAA, since the corresponding domain
name can be legally used as the domain part of an email address. For
names that must _never_ be used for mail, specify

v=spf1 -all

HTH


Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
> As far as I have understood, I should create a TXT record for bryo.it like
> this:
> v=spf1 a a:postoffice.bryo.it a:casainpermuta.it a:calcolatermini.info ?all
>
> Is that correct?

No.

You've got SPF round the wrong way. You need a record for each domain
saying which servers it uses to send mail, not a record for the server to
say which domains it services.

So what you need is a record for *each* of your domains that contains
something like :-

v=spf1 ip4:109.231.67.172 ~all

This assumes a fixed IP address - you could use "a:postoffice.bryo.it" if
you expect it to change, and uses the "~all" mechanism so that your mail
doesn't get discarded if you make any errors. You especially need to make
sure that no other mail is sent from these domains except from that one IP
address - think about how many users may send from each domain.

> Is that all? Or should I do anything on casainpermuta.it and
> calcolatermini.info domains as well?

Each of those domains needs the same record as above.

Vic.



Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
Vic <spf1 <at> beer.org.uk> writes:

> You've got SPF round the wrong way. You need a record for each domain
> saying which servers it uses to send mail, not a record for the server to
> say which domains it services.
Thanks! I knew I was missing an important piece, everything is much clearer now.

>
> So what you need is a record for *each* of your domains that contains
> something like :-
>
> v=spf1 ip4:109.231.67.172 ~all
>
> This assumes a fixed IP address - you could use "a:postoffice.bryo.it" if
> you expect it to change, and uses the "~all" mechanism so that your mail
> doesn't get discarded if you make any errors. You especially need to make
> sure that no other mail is sent from these domains except from that one IP
> address - think about how many users may send from each domain.
Actually, emails from those domains are sent by (1) the web apps (v=spf1
a:postoffice.bryo.it ~all) and (2) real users through gmail. Should I use
?all instead of ~all to include gmail as an authorized sender, or is there a
better way?

Pietro




Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
Alessandro Vesely <vesely <at> tana.it> writes:

> Users? I've seen you wrote from a gmail address, rather than one of
> your domains. If anyone, besides applications, actually /uses/ those
> addresses, you need to take also their sending paths into account.
You're right, users send emails from those domains using gmail (GoogleApps). As
far as I understand (http://www.google.com/support/a/bin/answer.py?answer=178723)
I should add "include:_spf.google.com", right?

Thanks,
Pietro



Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
Pietro <pmontelatici <at> gmail.com> writes:

> Actually, emails from those domains are sent by (1) the web apps (v=spf1
> a:postoffice.bryo.it ~all) and (2) real users through gmail. Should
> I use ?all instead of ~all to include gmail as an authorized sender,
> or is there a better way?
I think I have found the answer
(http://www.google.com/support/a/bin/answer.py?answer=178723).
So the complete SPF record to add to my domains should read:
v=spf1 a:postoffice.bryo.it include:_spf.google.com ~all

Thanks for your help!
P




Re: Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
> So the complete SPF record to add to my domains should read:
> v=spf1 a:postoffice.bryo.it include:_spf.google.com ~all

I wouldn't do it quite like that - you are telling the world that any mail
coming from Google *is* authorised to send on your behalf. That could be a
lot of people...

I would use "v=spf1 a:postoffice.bryo.it ?include:_spf.google.com ~all" if
you want the A record lookup (use the ip4: mechanism if you can).

Vic.



Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
Vic <spf1 <at> beer.org.uk> writes:

> I would use "v=spf1 a:postoffice.bryo.it ?include:_spf.google.com ~all" if
> you want the A record lookup (use the ip4: mechanism if you can).
Vic, thanks for the ?include suggestion, I will.

Sorry, why do you suggest ip4 over an A record?

Cheers,
Pietro




Re: Re: Setting up the correct SPF with one SMTP for few domains [ In reply to ]
> Sorry, why do you suggest ip4 over an A record?

It's one less DNS lookup.

Vic.
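
Added example, not part of the original thread: a simplified SPF evaluator (ip4, a, include and all only) run over a constructed in-memory zone, to show the three points made above: a domain without its own record gets no result, "?include" turns a Google match into neutral instead of pass, and ip4 costs one DNS lookup less than a. The 192.0.2.0/24 block is a documentation range standing in for Google's published netblocks, and the lookup counter is an assumption of this sketch, not a full RFC 4408 implementation.

```python
import ipaddress

# Constructed zone data for illustration. calcolatermini.info deliberately
# has no record; 192.0.2.0/24 is a stand-in for Google's real netblocks.
TXT = {
    "bryo.it": "v=spf1 ip4:109.231.67.172 ?include:_spf.google.com ~all",
    "casainpermuta.it": "v=spf1 a:postoffice.bryo.it include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}
A = {"postoffice.bryo.it": ["109.231.67.172"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, counter=None):
    """Return (spf_result, dns_lookups) for the sender IP and MAIL FROM domain."""
    counter = counter if counter is not None else [0]
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", counter[0]          # no policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"   # default qualifier is +
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":                # literal address: no DNS query needed
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                  # needs an A lookup on the target name
            counter[0] += 1
            matched = ip in A.get(arg or domain, [])
        elif mech == "include":            # matches only if the inner check passes
            counter[0] += 1
            inner, _ = check_host(ip, arg, counter)
            if inner == "none":
                return "permerror", counter[0]
            matched = inner == "pass"
        else:
            return "permerror", counter[0]  # mechanism outside this sketch
        if matched:
            return RESULT[qual], counter[0]
    return "neutral", counter[0]           # no mechanism matched, no "all" term


if __name__ == "__main__":
    for ip, dom in [("109.231.67.172", "bryo.it"), ("192.0.2.10", "bryo.it"),
                    ("192.0.2.10", "casainpermuta.it"),
                    ("109.231.67.172", "calcolatermini.info")]:
        print(dom, ip, check_host(ip, dom))
```
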


