Mailing List Archive

Confusion Implementing SPF
Hello,

Our first attempt to implement SPF failed with the ISP that maintains the
authoritative nameserver for one domain, Interland, refusing to add PTR.
Since then, last Wednesday, I've been looking into setting up a common DNS
for all our customers, many of whom use Mdaemon for email. Mdaemon currently
supports SPF.

Reading everything I could find on Pobox.com about setting up SPF has left
me confused. It appears that SPF is sort of reverse ARP. If that is true,
most IP databases are maintained by the ISP that was originally allocated
the IP block from ARIN. Example: mail.biltmorefarms.com has an MX record in the
authoritative nameserver pointing to A:208.62.177.194. However, if you go to
ARIN (www.arin.net) and use their Whois lookup for this IP you get 'Bell
South'. Bell South is the ISP that provides the T1 for the customer assigned
a block of IPs including 208.62.177.194. Unless the customer specifically
informs Bell South that mail.biltmorefarms.com is at 208.62.177.194 and they
add it to their hosts table, you can't do a reverse lookup.

Running the SPF wizard produced a suggested TXT entry to be added to DNS. It
doesn't state WHICH DNS. Is this the authoritative nameserver for the domain
OR the authoritative nameserver for the IP? BIG DIFFERENCE!

Also, I understand the difference between the information contained in the
PTR and the MX record. However, in most cases I deal with, the receiver of
email (the MX) is also the sender for the domain. SO WHY can't SPF just use the
MX record to verify that the IP address within the email header matches the
MX record for the domain supposedly sending the email, and, if a PTR exists,
use it to enable the designation of a different sender and/or multiple
senders?

Sorry this is so long, just trying to give enough information. Remember I'm
new to this, but have customers that are really upset with SPAM and
particularly address spoofing.

W. Tom Anderson

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
RE: Confusion Implementing SPF
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of W. Tom Anderson
> Sent: Wednesday, June 23, 2004 10:01 AM
> To: spf-help@v2.listbox.com
> Subject: [spf-help] Confusion Implementing SPF
snip
> Example: mail.biltmorefarms.com has an MX record in the
> authoritative nameserver pointing to A:208.62.177.194. However,
> if you go to ARIN (www.arin.net) and use their Whois lookup for this IP
> you get 'Bell South'. Bell South is the ISP that provides the T1 for the
> customer assigned a block of IPs including 208.62.177.194. Unless the
> customer specifically informs Bell South that mail.biltmorefarms.com is at
> 208.62.177.194 and they add it to their hosts table, you can't do a
> reverse lookup.

I don't believe that you need to be able to do reverse lookup this way. I
have the same situation with the host of our domains.

>
> Running the SPF wizard produced a suggested TXT entry to be added
> to DNS. It doesn't state WHICH DNS. Is this the authoritative nameserver
> for the domain OR the authoritative nameserver for the IP? BIG DIFFERENCE!
>
For the domain. The SPF record is the domain's definition of the permitted
senders for the domain. This can be either via host names or IP addresses.

> Also, I understand the difference between the information contained in the
> PTR and the MX record. However, in most cases I deal with, the receiver of
> email (the MX) is also the sender for the domain. SO WHY can't SPF
> just use the MX record to verify that the IP address within the email
> header matches the MX record for the domain supposedly sending the email,
> and, if a PTR exists, use it to enable the designation of a different
> sender and/or multiple senders?

It can. If the domain, for example, sends e-mail from the mx and ONLY from
the mx, then the SPF record may well be "v=spf1 mx -all". If you are just
starting, you will almost certainly want to use ?all or ~all (for neutral or
softfail) to end your SPF records until you are certain that the record is
working correctly and that you have accounted for all permitted senders for
a domain.

>
> Sorry this is so long, just trying to give enough information.
> Remember I'm new to this, but have customers that are really upset with
> SPAM and particularly address spoofing.
>
> W. Tom Anderson
>
That's why we're all here. Just to be clear, SPF isn't directly going to
help stop SPAM. It's intended to stop spoofing. Once they can't lie, it's
going to be easier to find them, but that's another problem.

Scott Kitterman

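To make Scott's answer concrete, here is an added example (not code from the thread or from any SPF implementation) that evaluates records of the shape he describes: a bare "mx" mechanism with "-all", "~all" or "?all" as the closing term, plus "ip4:" for explicitly listed senders. The DNS data is a constructed in-memory table; the example.com/.net/.org names and their documentation-range addresses are hypothetical and stand in for the resolver lookups a real checker would perform.

```python
import ipaddress

# Constructed DNS data standing in for live lookups; every name and address
# here is hypothetical (documentation ranges), not from the thread.
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("example.net", "TXT"): ["v=spf1 mx ~all"],
    ("example.net", "MX"): ["mx1.example.net", "mx2.example.net"],
    ("mx1.example.net", "A"): ["198.51.100.5"],
    ("mx2.example.net", "A"): ["198.51.100.6"],
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx ?all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
}

# SPF qualifiers; a mechanism with no qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def mx_addresses(domain):
    """The 'mx' mechanism matches the A records of the domain's MX hosts."""
    return [a for host in lookup(domain, "MX") for a in lookup(host, "A")]

def mechanism_matches(mech, domain, ip):
    """True if one mechanism ('mx', 'ip4:net', 'all') covers the sending ip."""
    if mech == "all":
        return True
    if mech == "mx":
        return str(ip) in mx_addresses(domain)
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    return False  # include, a, exists, etc. are not handled in this toy

def check_spf(domain, sender_ip):
    """Return pass/fail/softfail/neutral, or none/permerror for a missing/duplicate record."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mechanism_matches(mech, domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term (the RFC default)
```

The TXT lookup is keyed on the sending domain, not on the IP's reverse zone, which is exactly why the record goes into the domain's own nameserver and no PTR is needed.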
RE: Confusion Implementing SPF
Thanks for your input. If the domain host refuses to enter the PTR, where do
you register "v=spf1 mx -all"?

RE: Confusion Implementing SPF
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of W. Tom Anderson
> Sent: Wednesday, June 23, 2004 11:04 AM
> To: spf-help@v2.listbox.com
> Subject: RE: [spf-help] Confusion Implementing SPF
>
> Thanks for your input. If the domain host refuses to enter the
> PTR, where do you register "v=spf1 mx -all"?
>
> snip

The record needs to be published in a DNS TXT record for the domain. If you
don't control the DNS for the domains in question, you are going to have to
ask the DNS admin to put them in. My DNS provider, PairNIC, lets me put in TXT
records via a web control panel. Some providers do this, others will put it
in if you ask, others refuse.

Scott K
