Mailing List Archive

SPF Newbie, looking for setup help
Hi All,

We're a broadcast email provider with several outgoing mail servers and one
return path, as follows:

mail.magnetmail.com => outgoing
mail1.magnetmail.com => outgoing

and the return path is mmreturn@magnetdev.com

Our internal debate is which DNS records need SPF records. The way I
understand it is that the best practice is to provide SPF records for all
servers; the other side of the debate says that only the return path needs
the SPF record.

So, who's right?

Scott Stewart
Developer & Spam Desk

RealMagnet
5039 Connecticut Avenue, NW
Suite 6B
Washington, DC 20008

Phone: 202-244-7845
Fax: 202-244-7926
Email: scott@realmagnet.com



-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: SPF Newbie, looking for setup help
Hi,

SPF records may prevent others from using your domain in the MAIL FROM.
Thus, it makes sense to set SPF records for _all_ your domains, even
ones that aren't used for email. With an SPF record, you can protect the
domain in question from being used by spammers/viruses for mail-from
forgeries, since SPF-aware receiving MTAs will check the client's IP
against the MAIL FROM domain's SPF record.

In short: set SPF records on every domain you don't want to be used by
spammers/viruses.

Koen

On Thu, Jul 01, 2004 at 08:35:42AM -0400, Scott Stewart wrote:
> Hi All,
>
> We're a broadcast email provider with several outgoing mail servers and one
> return path as follows
>
> mail.magnetmail.com => outgoing
> mail1.magnetmail.com => outgoing
>
> and the return path is mmreturn@magnetdev.com
>
> Our internal debate is which DNS records need SPF records. The way I
> understand it is that the best practice is to provide SPF records for all
> servers, the other side of the debate says that only the return path needs
> the SPF record.
>
> so, who's right?
>
> Scott Stewart
> Developer & Spam Desk
>
> RealMagnet
> 5039 Connecticut Avenue, NW
> Suite 6B
> Washington, DC 20008
>
> Phone: 202-244-7845
> Fax: 202-244-7926
> Email: scott@realmagnet.com

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: SPF Newbie, looking for setup help
"Scott Stewart" <scott@realmagnet.com> wrote:

> Our internal debate is which DNS records need SPF records.
> The way I understand it is that the best practice is to provide SPF
> records for all servers, the other side of the debate says that
> only the return path needs the SPF record.

I am also a newbie, but as I understand it, the *sending* servers need to
be listed in SPF text records.

The primary purpose of SPF is to validate the envelope sender ("MAIL
FROM") in all your outgoing mails.

Adding your inbound server(s) will do no harm, but is superfluous as they
are already listed in MX records.

--
Mike


Re: SPF Newbie, looking for setup help
mike.keighley@adarelexicon.com wrote:

> Adding your inbound server(s) will do no harm, but is
> superfluous as they are already listed in MX records,

It could be relevant for the HELO in bounces (empty MAIL FROM).

Your idea that any MX is automatically okay makes sense, but I
don't find it in the SPF draft. Or am I missing something? Bye.


Re: Re: SPF Newbie, looking for setup help
I wrote:

>> Adding your inbound server(s) will do no harm, but is
>> superfluous as they are already listed in MX records,

Frank Ellermann <nobody@xyzzy.claranet.de> wrote:

> It could be relevant for the HELO in bounces (empty MAIL FROM),

You may be right. I confess I haven't entirely grasped the issue with
bounces. The wizard hinted at "degraded mode by using the HELO domain
name", but did not explain what is "degraded" about that, nor why adding
"a" records for my inbound servers (which is what it suggested) addresses
this issue. Of course, the inbound servers are the ones which generate
the bounces, so I suppose it is relevant, but Doh!

> Your idea that any MX is automatically okay makes sense, but I
> don't find it in the SPF draft. Or am I missing something? Bye.

I didn't mean anything so subtle. I just meant that there is already an
adequate mechanism for identifying inbound servers (MX records, of
course).

--
Mike
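
Added example, not part of any post in this thread and not code from the SPF project: a simplified SPF evaluator (only the a, ip4 and all mechanisms) showing which domain's record a receiver consults for normal mail versus a bounce with an empty MAIL FROM, where SPF falls back to the HELO name. The IP addresses and the SPF policies below are constructed assumptions, not RealMagnet's published DNS data.

```python
import ipaddress

# Constructed DNS data: documentation-range IPs and assumed SPF policies.
A = {
    "mail.magnetmail.com": ["192.0.2.10"],
    "mail1.magnetmail.com": ["192.0.2.11"],
}
TXT = {
    # Return-path domain: authorises both outgoing hosts for MAIL FROM.
    "magnetdev.com": "v=spf1 a:mail.magnetmail.com a:mail1.magnetmail.com -all",
    # Per-host records: consulted for the HELO name when MAIL FROM is empty.
    "mail.magnetmail.com": "v=spf1 a -all",
    "mail1.magnetmail.com": "v=spf1 a -all",
    # A domain that never appears in MAIL FROM or HELO: nothing may use it.
    "magnetmail.com": "v=spf1 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Evaluate a simplified SPF subset (a, ip4, all) for `domain`."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # real SPF has more mechanisms; this sketch skips them
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def spf_identity_check(ip, helo, mail_from):
    """Pick the checked domain: MAIL FROM's, or the HELO name for bounces."""
    domain = mail_from.rpartition("@")[2] if mail_from else helo
    return domain, check_host(ip, domain)
```

With these assumed records, mail from either outgoing host passes against magnetdev.com, while a bounce (empty MAIL FROM) is judged against the record published at the HELO host name itself.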

Re: SPF Newbie, looking for setup help
mike.keighley@adarelexicon.com wrote:

> You may be right. I confess I haven't entirely grasped the
> issue with bounces.

Same here. I've forwarded the question to spf.discuss; maybe
we are missing something. Or it's a minor bug in the SPF draft, and
then it should be fixed.

See the thread "match_subdomains Inconsistency in Draft RFC?":
<http://article.gmane.org/gmane.mail.spam.spf.discuss:6905>

Bye, Frank

