Mailing List Archive

General SPF setup question
Greetings all,

I'm a little confused as to how to set up SPF for my domain. I've
set it up my domain so I can receive mail at either mail.godshell.com or
godshell.com. So do I need to set up an SPF record for both of those
domains?

There are 2 IP addresses on the machine that hosts my mailserver, .9 and
.13 ... And each of those IP's resolves to something other than the
mailserver name (this is a multifunction system)... So do both of those
get added as well? Do I add every A, MX, and IP record that corresponds
to my mailserver?

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: General SPF setup question
Jason 'XenoPhage' Frisvold said:
> Greetings all,
>
> I'm a little confused as to how to set up SPF for my domain. I've
> set it up my domain so I can receive mail at either mail.godshell.com or
> godshell.com. So do I need to set up an SPF record for both of those
> domains?
>
> There are 2 IP addresses on the machine that hosts my mailserver, .9 and
> .13 ... And each of those IP's resolves to something other than the
> mailserver name (this is a multifunction system)... So do both of those
> get added as well? Do I add every A, MX, and IP record that corresponds
> to my mailserver?
>

You set up spf records to define where you send mail from. Spf records
don't define where it is delivered. Something like "v=spf1 a ptr" will
probably work for you. Incidentally, you have no mx.

Use the wizard at http://spf.pobox.com/

RE: General SPF setup question
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of rgreene@xxxx
> Sent: Tuesday, July 27, 2004 3:15 AM
> To: spf-help@v2.listbox.com
> Subject: Re: [spf-help] General SPF setup question
>
>
> Jason 'XenoPhage' Frisvold said:
> > Greetings all,
> >
> > I'm a little confused as to how to set up SPF for my domain. I've
> > set it up my domain so I can receive mail at either mail.godshell.com or
> > godshell.com. So do I need to set up an SPF record for both of those
> > domains?
> >
> > There are 2 IP addresses on the machine that hosts my mailserver, .9 and
> > .13 ... And each of those IP's resolves to something other than the
> > mailserver name (this is a multifunction system)... So do both of those
> > get added as well? Do I add every A, MX, and IP record that corresponds
> > to my mailserver?
> >
>
> You set up spf records to define where you send mail from. Spf records
> don't define where it is delivered. Something like "v=spf1 a ptr" will
> probably work for you. Incidentally, you have no mx.
>
> Use the wizard at http://spf.pobox.com/
>
One other consideration is that you need to include your mail receivers as
senders if they can be a legitimate source of failure/status messages.

Scott Kitterman

Re: General SPF setup question
rgreene@tclme.org said:
> You set up spf records to define where you send mail from. Spf records
> don't define where it is delivered. Something like "v=spf1 a ptr" will
> probably work for you. Incidentally, you have no mx.

Where I send mail from ... So, if I use friz@godshell.com and friz@mail.godshell.com interchangeably, then I need to set up an SPF record for both godshell.com *AND* mail.godshell.com ... right? I ask because I administer a number of other domains with users that may use the straight domain name, or might use mail.domain name ...

As for the MX, yeah, I know.. I was goofing with DNS.. It's there now.. :)

> Use the wizard at http://spf.pobox.com/

I used that to get the SPF record I have for godshell.com. I'm guessing, however, that I need to set one up for mail.godshell.com ...

As far as the A, MX, IP4 portion of this.. Let me see if I can explain my confusion...

godshell.com's address is 206.228.94.9. This reverses to jake.emcyber.com. So, I tell SPF to use the A record. Does that mean I don't need to list 206.228.94.9 in the IP4 field? Or is it good practice to do this anyways? Same question regarding the MX records... Should I list jake.emcyber.com in the A records?

What I mean, basically, is how detailed should I get?

Thanks!

---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

Re: General SPF setup question
On Wed, Jul 28, 2004 at 05:02:49PM -0400, Jason 'XenoPhage' Frisvold wrote:
> rgreene@tclme.org said:
> > You set up spf records to define where you send mail from. Spf records
> > don't define where it is delivered. Something like "v=spf1 a ptr" will
> > probably work for you. Incidentally, you have no mx.
>
> Where I send mail from ... So, if I use friz@godshell.com and friz@mail.godshell.com interchangeably, then I need to set up an SPF record for both godshell.com *AND* mail.godshell.com ... right? I ask because I administer a number of other domains with users that may use the straight domain name, or might use mail.domain name ...
>

That's correct indeed, and you need them for domains that you don't send
mail from too, e.g. if there is also www.godshell.com and you never send mail
from *@www.godshell.com, you'd want "v=spf1 -all" there..


> > Use the wizard at http://spf.pobox.com/
>
> I used that to get the SPF record I have for godshell.com. I'm guessing, however, that I need to set one up for mail.godshell.com ...

And it should probably be the same..

> As far as the A, MX, IP4 portion of this.. Let me see if I can explain my confusion...
>
> godshell.com's address is 206.228.94.9. This reverses to jake.emcyber.com. So, I tell SPF to use the A record. Does that mean I don't need to list 206.228.94.9 in the IP4 field? Or is it good practice to do this anyways? Same question regarding the MX records... Should I list jake.emcyber.com in the A records?
>
> What I mean, basically, is how detailed should I get?

Well, if the server is allowed somehow, you're done.. You don't have to
include the ip4 if the a covers it all. So if both godshell.com and
mail.godshell.com only use 206.228.94.9 as outgoing server and
206.228.94.9 is the A of both these domains (ie. both domains resolve to
206.228.94.9), you're fine with "v=spf1 a -all"...


Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: General SPF setup question
Koen Martens wrote:

>That's correct indeed, and you need them for domains that you don't send
>mail from too, eg if there also www.godshell.com and you never send mail
>from *@www.godshell.com, you'd want "v=spf1 -all" there..
>
>
That can add up to a LOT of records... For instance, if I have several
class C's worth of dialup IP's, all DNS'ed something like
d01.godshell.com, I would need to add an spf record for each of these?
That almost sounds like overkill, but I think I understand the idea...
Since SPF isn't 100% deployed, it's not wise, yet, to reject anything
without an SPF record... So, instead, we create explicit SPF records to
reject non-mailserver IP's... An admin's job is never done... :P

>And it should probably be the same..
>
>
Yup.. I'll be adding that one momentarily...

>Well, if the server is allowed somehow, you're done.. You don't have to
>include the ip4 if the a covers it all. So if both godshell.com and
>mail.godshell.com only use 206.228.94.9 as outgoing server and
>206.228.94.9 is the A of both these domains (ie. both domains resolve to
>206.228.94.9), youre fine with "v=spf1 a -all"...
>
>
So there's no advantage to explicitly adding IP's? I guess it's rather
hard to spoof IP's, so there's really no need, is there...

>Koen
>
Thanks for the info! I think I'm starting to understand this much
better.. :) It's rather simple once you understand how it works...

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

Re: General SPF setup question
On Wed, Jul 28, 2004 at 11:16:02PM -0400, Jason 'XenoPhage' Frisvold wrote:
> Koen Martens wrote:
> >That's correct indeed, and you need them for domains that you don't send
> >mail from too, eg if there also www.godshell.com and you never send mail
> >from *@www.godshell.com, you'd want "v=spf1 -all" there..
> >
> That can add up to a LOT of records... For instance, if I have several
> class C's worth of dialup IP's, all DNS'ed something like
> d01.godshell.com, I would need to add an spf record for each of these?
> That almost sounds like overkill, but I think I understand the idea...
> Since SPF isn't 100% deployed, it's not wise, yet, to reject anything
> without an SPF record... So, instead, we create explicit SPF records to
> reject non-mailserver IP's... An admin's job is never done... :P

Yup, you can also create one explicit reject-all record, and use
redirect: for all these domains, which is what I'm doing.

> >include the ip4 if the a covers it all. So if both godshell.com and
> >mail.godshell.com only use 206.228.94.9 as outgoing server and
> >206.228.94.9 is the A of both these domains (ie. both domains resolve to
> >206.228.94.9), youre fine with "v=spf1 a -all"...
> >
> So there's no advantage to explicitly adding IP's? I guess it's rather
> hard to spoof IP's, so there's really no need, is there...

You can choose.. If you feel that spoofing your ip is more difficult as
is hacking your dns and changing a records, you could opt for the ip4:
mechanism.. Of course, this means that if your ip's change, you will
have to modify your dns's A records as well as the spf records.

Note also that to check the a mechanism, a receiving smtp has to do a
dns lookup. If you use ip4, this is not necessary, but the spf record is
larger for ip4: ..

> >Koen
> >
> Thanks for the info! I think I'm starting to understand this much
> better.. :) It's rather simple once you understand how it works...


--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: General SPF setup question
Koen Martens wrote:

>>That can add up to a LOT of records... For instance, if I have several
>>class C's worth of dialup IP's, all DNS'ed something like
>>d01.godshell.com, I would need to add an spf record for each of these?
>>That almost sounds like overkill, but I think I understand the idea...
>>Since SPF isn't 100% deployed, it's not wise, yet, to reject anything
>>without an SPF record... So, instead, we create explicit SPF records to
>>reject non-mailserver IP's... An admin's job is never done... :P
>>
>>
>
>Yup, you can also create one explicit reject-all record, and use
>redirect: for all these domains, which is what i'm doing.
>
>
How does one accomplish this?

>You can choose.. If you feel that spoofing your ip is more difficult as
>is hacking your dns and changing a records, you could opt for the ip4:
>mechanism.. Of course, this means that if your ip's change, you will
>have to modify your dns's A records as well as the spf records.
>
>Note also that to check the a mechanism, a receiving smtp has to do a
>dns lookup. If you use ip4, this is not neccesary, but the spf record is
>larger for ip4: ..
>
>
Right, I was under the impression that large DNS records (ala, your life
history in XML) was bad.. :) The smaller the better... I've updated
my records to use just the a portion....

Next on my list is to implement SPF in my mailserver :) I suppose I
need SRS as well if I plan on doing any forwarding....

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

Re: General SPF setup question
On Wednesday 28 July 2004 22:11, Koen Martens wrote:
> That's correct indeed, and you need them for domains that you don't
> send mail from too, eg if there also www.godshell.com and you never
> send mail from *@www.godshell.com, you'd want "v=spf1 -all" there..

How can you achieve this for CNAME hosts? CNAME hosts are not permitted
to have other records associated with them so if www is a CNAME how can
you publish an SPF record to say that mail is never sent from *@www?

Thanks,
Paul.

Re: General SPF setup question
On Thu, Jul 29, 2004 at 08:06:34AM -0400, Jason 'XenoPhage' Frisvold wrote:
> >Yup, you can also create one explicit reject-all record, and use
> >redirect: for all these domains, which is what i'm doing.
> How does one accomplish this?

Simply create some subdomain like this:

nomail.sonologic.nl IN TXT "v=spf1 -all"

then on all domains from which you don't want any mail, do:

www.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
*.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"

like that.. the wildcard catches only those domains for which no other
DNS record (A, CNAME, ...) exists, but that's how dns works.

> Next on my list is to implement SPF in my mailserver :) I suppose I
> need SRS as well if I plan on doing any forwarding....

Correct.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: General SPF setup question
Koen Martens wrote:

>Simply create some subdomain like this:
>
>nomail.sonologic.nl IN TXT "v=spf1 -all"
>
>then on all domains from which you don't want any mail, do:
>
>www.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
>*.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
>
>like that.. the wildcard catches only those domains for which no other
>DNS record (A, CNAME, ...) exists, but that's how dns works.
>
>
Ahh.. very similar to the concept of how the most specific route wins
in a router... Excellent, I'll take a look at this as it would make
life *MUCH* easier.. I take it this works with djbdns as well?

>>Next on my list is to implement SPF in my mailserver :) I suppose I
>>need SRS as well if I plan on doing any forwarding....
>>
>>
>
>Correct.
>
>
Cool.. I'm looking at something along the following lines for a full
solutions, any comments are welcome :

Mail arrives at port 25 of my mail server.
Check User first, if user is non-existent, error out.
Check SPF next.
If there is no SPF record, pass on to greylisting.
If greylisting passes (ie, the triplet is recognized) then pass on to
virus and spam filtering. If not, then block with an unavailable message.
If there is an SPF record, and it fails, error out.
If the SPF record passes, then pass it on to virus filtering. ...
Should spam filtering be skipped at this point?
And, finally, deliver the message to the correct mailbox.

>Koen
>
>
Thanks for all the info!

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

Re: General SPF setup question
or just do *.sonologic.nl IN TXT "v=spf1 -all"
this then covers all them in one go


Koen Martens wrote:
> On Thu, Jul 29, 2004 at 08:06:34AM -0400, Jason 'XenoPhage' Frisvold wrote:
>
>>>Yup, you can also create one explicit reject-all record, and use
>>>redirect: for all these domains, which is what i'm doing.
>>
>>How does one accomplish this?
>
>
> Simply create some subdomain like this:
>
> nomail.sonologic.nl IN TXT "v=spf1 -all"
>
> then on all domains from which you don't want any mail, do:
>
> www.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> *.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
>
> like that.. the wildcard catches only those domains for which no other
> DNS record (A, CNAME, ...) exists, but that's how dns works.
>
>
>>Next on my list is to implement SPF in my mailserver :) I suppose I
>>need SRS as well if I plan on doing any forwarding....
>
>
> Correct.
>
> Koen
>

Re: Re: General SPF setup question
Yeah, I don't understand the benefit to using the redirect. It's another step for client computers, another DNS lookup for you or your provider, and less human-readable....

Marc
>
> From: Damien Dye <damien@masterboss.demon.co.uk>
> Date: 2004/07/29 Thu PM 02:09:31 EDT
> To: spf-help@v2.listbox.com
> Subject: Re: [spf-help] General SPF setup question
>
> or just do *.sonologic.nl IN TXT "v=spf1 -all"
> this then covers all them in one go
>
>
> Koen Martens wrote:
> > On Thu, Jul 29, 2004 at 08:06:34AM -0400, Jason 'XenoPhage' Frisvold wrote:
> >
> >>>Yup, you can also create one explicit reject-all record, and use
> >>>redirect: for all these domains, which is what i'm doing.
> >>
> >>How does one accomplish this?
> >
> >
> > Simply create some subdomain like this:
> >
> > nomail.sonologic.nl IN TXT "v=spf1 -all"
> >
> > then on all domains from which you don't want any mail, do:
> >
> > www.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> > *.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> >
> > like that.. the wildcard catches only those domains for which no other
> > DNS record (A, CNAME, ...) exists, but that's how dns works.
> >
> >
> >>Next on my list is to implement SPF in my mailserver :) I suppose I
> >>need SRS as well if I plan on doing any forwarding....
> >
> >
> > Correct.
> >
> > Koen
> >
>

Re: General SPF setup question
Well, not really.. If I have www.sonologic.nl A 1.2.3.4, *.sonologic.nl
TXT "something" will _not_ cover www.sonologic.nl...

On Thu, Jul 29, 2004 at 07:09:31PM +0100, Damien Dye wrote:
> or just do *.sonologic.nl IN TXT "v=spf1 -all"
> this then covers all them in one go
>
>
> Koen Martens wrote:
> >On Thu, Jul 29, 2004 at 08:06:34AM -0400, Jason 'XenoPhage' Frisvold wrote:
> >
> >>>Yup, you can also create one explicit reject-all record, and use
> >>>redirect: for all these domains, which is what i'm doing.
> >>
> >>How does one accomplish this?
> >
> >
> >Simply create some subdomain like this:
> >
> >nomail.sonologic.nl IN TXT "v=spf1 -all"
> >
> >then on all domains from which you don't want any mail, do:
> >
> >www.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> >*.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> >
> >like that.. the wildcard catches only those domains for which no other
> >DNS record (A, CNAME, ...) exists, but that's how dns works.
> >
> >
> >>Next on my list is to implement SPF in my mailserver :) I suppose I
> >>need SRS as well if I plan on doing any forwarding....
> >
> >
> >Correct.
> >
> >Koen
> >
>

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: General SPF setup question
On Thu, Jul 29, 2004 at 03:20:17PM +0100, Paul Isitt wrote:
> On Wednesday 28 July 2004 22:11, Koen Martens wrote:
> > That's correct indeed, and you need them for domains that you don't
> > send mail from too, eg if there also www.godshell.com and you never
> > send mail from *@www.godshell.com, you'd want "v=spf1 -all" there..
>
> How can you achieve this for CNAME hosts? CNAME hosts are not permitted
> to have other records associated with them so if www is a CNAME how can
> you publish an SPF record to say that mail is never sent from *@www?

You can't publish spf for cname's, but in that case the spf record of
the domain the cname points to is used.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
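
The points made across this thread (the `a` and `mx` mechanisms versus an explicit `ip4:`, one shared `-all` record reached through a redirect, a DNS wildcard matching only names that do not otherwise exist, and a CNAME host taking the SPF record of its target) can be checked offline against a small model. The evaluator below is an added example written for this archive page; it is not code from any of the posters or from the SPF project. Its zone data is constructed: 206.228.94.9, godshell.com, mail.godshell.com, www.sonologic.nl and nomail.sonologic.nl come from the thread, while the 1.2.3.x addresses and the mail.sonologic.nl, ftp.sonologic.nl and d01.sonologic.nl names are made up. It models only the `a`, `mx`, `ip4` and `all` mechanisms plus the redirect modifier, and it spells that modifier `redirect=` because that is the form in the published SPF specification (RFC 4408); the posts above write `redirect:`.

```python
"""Toy SPF evaluator over an in-memory zone (added example, constructed data)."""
import ipaddress

# Constructed zone: name -> record type -> values. 206.228.94.9 is the address
# discussed in the thread; the 1.2.3.x addresses are made up for illustration.
ZONE = {
    "godshell.com":        {"A": ["206.228.94.9"], "MX": ["mail.godshell.com"],
                            "TXT": ["v=spf1 a -all"]},
    "mail.godshell.com":   {"A": ["206.228.94.9"], "TXT": ["v=spf1 a -all"]},
    "sonologic.nl":        {"A": ["1.2.3.4"], "MX": ["mail.sonologic.nl"],
                            "TXT": ["v=spf1 mx -all"]},
    "mail.sonologic.nl":   {"A": ["1.2.3.5"], "TXT": ["v=spf1 a -all"]},
    "nomail.sonologic.nl": {"TXT": ["v=spf1 -all"]},
    "www.sonologic.nl":    {"A": ["1.2.3.4"]},                # own A record, no TXT
    "ftp.sonologic.nl":    {"CNAME": ["mail.sonologic.nl"]},  # alias, no own TXT
    "*.sonologic.nl":      {"TXT": ["v=spf1 redirect=nomail.sonologic.nl"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def name_exists(name):
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    return name in ZONE or any(n.endswith("." + name) for n in ZONE)


def lookup(name, rtype):
    """Resolve name/rtype with CNAME following and wildcard synthesis.

    The wildcard is consulted only when the queried name does not exist at
    all, which is why a host that has its own A record is not covered by it.
    Only the immediate parent's wildcard is tried (closest-encloser subtleties
    of deeper names are ignored in this model).
    """
    owner = ZONE.get(name)
    if owner is None and not name_exists(name):
        parent = name.partition(".")[2]
        owner = ZONE.get("*." + parent)
    if owner is None:
        return []
    if "CNAME" in owner and rtype != "CNAME":
        return lookup(owner["CNAME"][0], rtype)  # alias: the answer is the target's
    return owner.get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def evaluate(domain, ip, depth=0):
    """Evaluate SPF for a MAIL FROM domain and the connecting IP.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:  # guard against redirect loops (the spec caps lookups too)
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = str(addr) in lookup(target, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # ptr, include, exists etc. are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        # Per RFC 4408 a redirect to a domain without a record is a permanent error.
        result = evaluate(redirect, str(addr), depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"


if __name__ == "__main__":
    for dom, ip in [("godshell.com", "206.228.94.9"), ("godshell.com", "206.228.94.13"),
                    ("d01.sonologic.nl", "1.2.3.4"), ("www.sonologic.nl", "1.2.3.4"),
                    ("ftp.sonologic.nl", "1.2.3.5")]:
        print(f"{dom:20} {ip:15} -> {evaluate(dom, ip)}")
```

Two results are the ones a practitioner should look at. `evaluate("godshell.com", "206.228.94.13")` returns `fail`: with `v=spf1 a -all` only the address in the domain's A record is authorised, so the second address on the same machine has to be listed (for instance with `ip4:`) before any mail is submitted from it. `evaluate("www.sonologic.nl", "1.2.3.4")` returns `none` even though `*.sonologic.nl` publishes a record, because a name with its own A record is never matched by the wildcard; `d01.sonologic.nl`, which has no records, reaches the wildcard, follows the redirect and gets `fail`. The CNAME case works the other way round: `ftp.sonologic.nl` has no TXT of its own, so the lookup follows the alias and the target's record decides.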

Re: General SPF setup question
On Thu, Jul 29, 2004 at 01:51:24PM -0400, Jason 'XenoPhage' Frisvold wrote:
> Ahh.. very similar to the concept of how the most specific route wins
> in a router... Excellent, I'll take a look at this as it would make
> life *MUCH* easier.. I take it this works with djbdns as well?

Well actually, I think it is an RFC thingy, so it should be like that
with all nameserver software.

> Cool.. I'm looking at something along the following lines for a full
> solutions, any comments are welcome :
>
> Mail arrives at port 25 of my mail server.
> Check User first, if user is non-existant, error out.
> Check SPF next.
> If there is no SPF record, pass on to greylisting.
> If greylisting passes (ie, the triplet is recognized) then pass on to
> virus and spam filtering. If not, then block with an unavailable message.
> If there is an SPF record, and it fails, error out.
> If the SPF record passes, then pass it on to virus filtering. ...
> Should spam filtering be skipped at this point?
> And, finally, deliver the message to the correct mailbox.

You should probably still do spam filtering. An sfp PASS result does not
mean 'this is not spam', it only means 'this message was sent by a
server that is permitted to send this message with the MAIL FROM used'.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: Re: General SPF setup question
Again this doesn't cover the domains which have other records. If I have
www.sonologic.nl IN A 1.2.3.4, then *.sonologic.nl IN TXT "bla" will NOT
cover www.sonologic.nl.

On Thu, Jul 29, 2004 at 02:57:36PM -0400, marc@alaia.net wrote:
> Yeah, I don't understand the benefit to using the redirect. It's another step for client computers, another DNS lookup for you or your provider, and less human-readable....
>
> Marc
> >
> > From: Damien Dye <damien@masterboss.demon.co.uk>
> > Date: 2004/07/29 Thu PM 02:09:31 EDT
> > To: spf-help@v2.listbox.com
> > Subject: Re: [spf-help] General SPF setup question
> >
> > or just do *.sonologic.nl IN TXT "v=spf1 -all"
> > this then covers all them in one go
> >
> >
> > Koen Martens wrote:
> > > On Thu, Jul 29, 2004 at 08:06:34AM -0400, Jason 'XenoPhage' Frisvold wrote:
> > >
> > >>>Yup, you can also create one explicit reject-all record, and use
> > >>>redirect: for all these domains, which is what i'm doing.
> > >>
> > >>How does one accomplish this?
> > >
> > >
> > > Simply create some subdomain like this:
> > >
> > > nomail.sonologic.nl IN TXT "v=spf1 -all"
> > >
> > > then on all domains from which you don't want any mail, do:
> > >
> > > www.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> > > *.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> > >
> > > like that.. the wildcard catches only those domains for which no other
> > > DNS record (A, CNAME, ...) exists, but that's how dns works.
> > >
> > >
> > >>Next on my list is to implement SPF in my mailserver :) I suppose I
> > >>need SRS as well if I plan on doing any forwarding....
> > >
> > >
> > > Correct.
> > >
> > > Koen
> > >
> >

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: Re: General SPF setup question
I know that and I was not questioning which records need to be in DNS. I was questioning why one would use a redirect when the shorter, simpler "v=spf1 -all" is much more efficient and readable and just as effective in this situation.

Marc

>
> From: Koen Martens <spf@metro.cx>
> Date: 2004/07/29 Thu PM 04:02:43 EDT
> To: spf-help@v2.listbox.com
> Subject: Re: Re: [spf-help] General SPF setup question
>
> Again this doesn't cover the domains which have other records. If I have
> www.sonologic.nl IN A 1.2.3.4, then *.sonologic.nl IN TXT "bla" will NOT
> cover www.sonologic.nl.
>
> On Thu, Jul 29, 2004 at 02:57:36PM -0400, marc@alaia.net wrote:
> > Yeah, I don't understand the benefit to using the redirect. It's another step for client computers, another DNS lookup for you or your provider, and less human-readable....
> >
> > Marc
> > >
> > > From: Damien Dye <damien@masterboss.demon.co.uk>
> > > Date: 2004/07/29 Thu PM 02:09:31 EDT
> > > To: spf-help@v2.listbox.com
> > > Subject: Re: [spf-help] General SPF setup question
> > >
> > > or just do *.sonologic.nl IN TXT "v=spf1 -all"
> > > this then covers all them in one go
> > >
> > >
> > > Koen Martens wrote:
> > > > On Thu, Jul 29, 2004 at 08:06:34AM -0400, Jason 'XenoPhage' Frisvold wrote:
> > > >
> > > >>>Yup, you can also create one explicit reject-all record, and use
> > > >>>redirect: for all these domains, which is what i'm doing.
> > > >>
> > > >>How does one accomplish this?
> > > >
> > > >
> > > > Simply create some subdomain like this:
> > > >
> > > > nomail.sonologic.nl IN TXT "v=spf1 -all"
> > > >
> > > > then on all domains from which you don't want any mail, do:
> > > >
> > > > www.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> > > > *.sonologic.nl IN TXT "v=spf1 redirect:nomail.sonologic.nl"
> > > >
> > > > like that.. the wildcard catches only those domains for which no other
> > > > DNS record (A, CNAME, ...) exists, but that's how dns works.
> > > >
> > > >
> > > >>Next on my list is to implement SPF in my mailserver :) I suppose I
> > > >>need SRS as well if I plan on doing any forwarding....
> > > >
> > > >
> > > > Correct.
> > > >
> > > > Koen
> > > >
> > >

Re: General SPF setup question [ In reply to ]
Koen Martens wrote:

>Again this doesn't cover the domains which have other records. If I have
>www.sonologic.nl IN A 1.2.3.4, then *.sonologic.nl IN TXT "bla" will NOT
>cover www.sonologic.nl.
>
>
Ugh ... I think you lost me.. Why would that not cover www ? I would
expect that if there were a www TXT record, it would be preferred over
the wildcard record because it's more specific, but in the absence of a
TXT record, why would the wildcard not cover it?

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

Re: Re: General SPF setup question [ In reply to ]
Jason,

Koen was not saying that www should not be covered--it in fact should and needs to be.

Koen was saying that a "*" record, such as *.sonologic.nl, does NOT mean "any record that ends in '.sonologic.nl'". It means "any record that ends in '.sonologic.nl' THAT DOES NOT HAVE ITS OWN RECORD"

So, if you have in your DNS:
www.sonologic.nl IN A 1.2.3.4
*.sonologic.nl IN TXT "v=spf1 -all"

the result of a DNS query asking for a TXT record for www.sonologic.nl would be NO RECORD, not "v=spf1 -all".

Marc
>
> From: "Jason 'XenoPhage' Frisvold" <friz@godshell.com>
> Date: 2004/07/29 Thu PM 04:22:42 EDT
> To: spf-help@v2.listbox.com
> Subject: Re: [spf-help] General SPF setup question
>
> Koen Martens wrote:
>
> >Again this doesn't cover the domains which have other records. If I have
> >www.sonologic.nl IN A 1.2.3.4, then *.sonologic.nl IN TXT "bla" will NOT
> >cover www.sonologic.nl.
> >
> >
> Ugh ... I think you lost me.. Why would that not cover www ? I would
> expect that if there were a www TXT record, it would be preferred over
> the wildcard record because it's more specific, but in the absence of a
> TXT record, why would the wildcard not cover it?
>

Re: General SPF setup question [ In reply to ]
marc@alaia.net wrote:

>Jason,
>
>Koen was not saying that www should not be covered--it in fact should and needs to be.
>
>
Understood, maybe I mis-typed what I meant.. I know that it *should* be
covered, I was curious why the wildcard did not cover it..

>Koen was saying that a "*" record, such as *.sonologic.nl, does NOT mean "any record that ends in '.sonologic.nl'". It means "any record that ends in '.sonologic.nl' THAT DOES NOT HAVE ITS OWN RECORD"
>
>
So, a record, whether it's an A, CNAME, or TXT, is a record.. Based on
that, how does the wildcard help at all? My initial question was
whether or not you had to create an SPF record for every DNS entry you
have. ie, if I have a full class C of addresses being used for dialup,
and I have them dns'ed as d001.godshell.com, d002.godshell.com, etc, do
I have to create a TXT record for each of these?

I thought that the *.godshell.com record would cover that. But, if an
existing A record counts as an existing record, then the wildcard won't
cover it... In that case, what use is the wildcard record?

I know I'm missing something fundamental here.. I just don't know what
it is... :)

>So, if you have in your DNS:
>www.sonologic.nl IN A 1.2.3.4
>*.sonologic.nl IN TXT "v=spf1 -all"
>
>the result of a DNS query asking for a TXT record for www.sonologic.nl would be NO RECORD, not "v=spf1 -all".
>
>
And that's the exact point that confuses me... I guess I'm just going
to have to try it out and see what happens... :)

>Marc
>
>

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

Re: General SPF setup question [ In reply to ]
Jason 'XenoPhage' Frisvold wrote:

> marc@alaia.net wrote:
>
>> Koen was saying that a "*" record, such as *.sonologic.nl, does NOT
>> mean "any record that ends in '.sonologic.nl'". It means "any record
>> that ends in '.sonologic.nl' THAT DOES NOT HAVE ITS OWN RECORD"
>
> So, a record, whether it's an A, CNAME, or TXT, is a record.. Based
> on that, how does the wildcard help at all? My initial question was
> whether or not you had to create an SPF record for every DNS entry you
> have. ie, if I have a full class C of addresses being used for
> dialup, and I have them dns'ed as d001.godshell.com,
> d002.godshell.com, etc, do I have to create a TXT record for each of
> these?
>
> I thought that the *.godshell.com record would cover that. But, if an
> existing A record counts as an existing record, then the wildcard
> won't cover it... In that case, what use is the wildcard record?

I've answered my own question by trying this out... :) The wildcard
protects you from someone spoofing a domain and getting through SPF
because no record would be returned...

I get it.. I understand now.. :)

So, all in all, I need a wildcard record, and a specific record for each
domain. Annoyingly painful, but I guess it's doable...

It would be nice if there was a way to specify a specific subnet as not
SPF approved... It still looks like I need to put a specific TXT record
in for each dialup DNS record... :(

Thanks!

--
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz@godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

Re: General SPF setup question [ In reply to ]
Jason 'XenoPhage' Frisvold wrote:

> what use is the wildcard record?

If you have (a lot of) vanity hosts like xyzzy.claranet.de,
foobar.claranet.de, etc. you need only one wildcard record

* TXT "v=spf1 redirect=claranet.de"

or a similar sender policy. But it doesn't cover real hosts
like www.claranet.de. I used my ISP as an example. Bye, Frank


-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: General SPF setup question [ In reply to ]
On Thu, Jul 29, 2004 at 04:22:42PM -0400, Jason 'XenoPhage' Frisvold wrote:
> Koen Martens wrote:
>
> >Again this doesn't cover the domains which have other records. If I have
> >www.sonologic.nl IN A 1.2.3.4, then *.sonologic.nl IN TXT "bla" will NOT
> >cover www.sonologic.nl.
> >
> >
> Ugh ... I think you lost me.. Why would that not cover www ? I would
> expect that if there were a www TXT record, it would be preferred over
> the wildcard record because it's more specific, but in the absence of a
> TXT record, why would the wildcard not cover it?

Well, that's the way it works :) Again, it's an rfc thingy, i can't
seem to locate which rfc specifically but it's probably somewhere in
http://rfc.net/rfc1035.html or possibly http://rfc.net/rfc1034.html.

As soon as you define an explicit record for a given domain, the
wildcard does not match that domain anymore, for any record.

-----

About the "v=spf -all" instead of "v=spf1 redirect:bla" mentioned in
another post in this thread: that's right.. maybe i was just thinking
too much along 'but what if i want to change the policy, then i have to
go by all the domains and change the txt'. Of course, this doesn't
really matter for nomail domains, only for domains that you do send mail
from.

Koen
--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

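The two points argued back and forth in this thread (that a wildcard never matches a name which already owns records of any type, and that "v=spf1 -all" and a redirect to a reject-all record produce the same verdict at the cost of one extra lookup) can be checked without touching a live zone. The following is an added example, not code from the thread or from any of the posters: a toy zone with the wildcard semantics of RFC 1034 section 4.3.3 (as later clarified by RFC 4592) and a minimal SPF evaluator that understands only ip4, all and redirect=. The zone contents and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed documentation values, not sonologic.nl's real DNS. Note that the SPF specification spells the modifier redirect=, which is the form Frank uses; the redirect: spelling in the earlier posts is not the modifier syntax.

```python
"""Toy DNS wildcard resolver plus a minimal SPF evaluator (constructed example)."""
import ipaddress

NXDOMAIN = "NXDOMAIN"

# Constructed zone: name -> list of (rrtype, rdata). Addresses are RFC 5737
# documentation ranges, not real hosts.
ZONE = {
    "sonologic.nl": [("MX", "10 mail.sonologic.nl"),
                     ("TXT", "v=spf1 ip4:192.0.2.9 ip4:192.0.2.13 -all")],
    "mail.sonologic.nl": [("A", "192.0.2.9")],      # real host, no TXT of its own
    "www.sonologic.nl": [("A", "192.0.2.10")],      # real host, no TXT of its own
    "nomail.sonologic.nl": [("TXT", "v=spf1 -all")],
    "*.sonologic.nl": [("TXT", "v=spf1 -all")],
}

# Same zone, but the wildcard redirects to the shared reject-all record.
ZONE_REDIRECT = dict(ZONE)
ZONE_REDIRECT["*.sonologic.nl"] = [("TXT", "v=spf1 redirect=nomail.sonologic.nl")]


def _ancestors(name):
    """Yield proper ancestors of a dotted name, nearest first: a.b.c -> b.c, c."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def name_exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal (has descendants)."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def lookup(zone, qname, qtype):
    """Answer a query with RFC 1034/4592 wildcard rules.

    Returns a list of rdata strings (an empty list is NODATA) or NXDOMAIN.
    The wildcard is consulted only when qname does not exist at all; it is
    found at "*.<closest existing ancestor>" or not at all.
    """
    if name_exists(zone, qname):
        return [rdata for rrtype, rdata in zone.get(qname, []) if rrtype == qtype]
    for ancestor in _ancestors(qname):
        if name_exists(zone, ancestor):  # closest encloser
            wild = "*." + ancestor
            if wild in zone:
                return [rdata for rrtype, rdata in zone[wild] if rrtype == qtype]
            return NXDOMAIN
    return NXDOMAIN


RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(zone, domain, client_ip, lookups=0):
    """Evaluate SPF for (domain, client_ip) over the toy zone.

    Supports only ip4:, all and redirect=; anything else is a permerror.
    Returns (result, number_of_TXT_lookups_performed).
    """
    lookups += 1
    answer = lookup(zone, domain, "TXT")
    records = [] if answer == NXDOMAIN else [
        r for r in answer if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none", lookups  # NODATA/NXDOMAIN: no policy published for this name
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            return "permerror", lookups
        if matched:
            return RESULT_BY_QUALIFIER[qualifier], lookups
    if redirect:  # redirect= applies only when no mechanism matched
        return spf_check(zone, redirect, client_ip, lookups)
    return "neutral", lookups


if __name__ == "__main__":
    spoofer = "198.51.100.7"
    print("TXT www.sonologic.nl   ->", lookup(ZONE, "www.sonologic.nl", "TXT"))    # [] (NODATA)
    print("TXT bogus.sonologic.nl ->", lookup(ZONE, "bogus.sonologic.nl", "TXT"))  # from wildcard
    print("deep.www.sonologic.nl  ->", lookup(ZONE, "deep.www.sonologic.nl", "TXT"))
    for zone_name, zone in (("-all wildcard", ZONE), ("redirect= wildcard", ZONE_REDIRECT)):
        print(zone_name, "bogus:", spf_check(zone, "bogus.sonologic.nl", spoofer),
              "www:", spf_check(zone, "www.sonologic.nl", spoofer))
```

Running it shows Marc's and Koen's point directly: www.sonologic.nl owns an A record, so a TXT query for it is NODATA and SPF returns "none" for a message forged from that host, while the never-defined bogus.sonologic.nl is synthesized from the wildcard and fails. The redirect variant reaches the same "fail" but reports two TXT lookups instead of one, which is the cost Marc objected to. Hosts that exist in DNS (the d001/d002 dialup style names, mail.sonologic.nl here) therefore each need their own TXT record before a receiver can reject forgeries from them; the a, mx and include: mechanisms are left out of this evaluator on purpose.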