What that says is that mail from ip:68.23.93.3 is legitimate. For all others
(?all) it's unknown. That might not be a bad place to start.
Eventually, you'll want to change to -all (everything else is a forgery),
but give yourself a chance to walk before you run. You may discover things,
for example if you mail a CNN article (as just one example) to someone, that
forges your e-mail address coming from the CNN server and that would fail an
SPF check. There are others. Give yourself a chance to make sure you know
what mail you consider legitimate will be left out of your SPF record's
definition of what is permitted before you switch to -all.
Here are the draft specs:
http://spf.pobox.com/rfcs.html
You should particularly concentrate on:
http://spf.pobox.com/spf-draft-200406.txt
because that's reflective of the design that is currently deployed.
Generally, you want your mail receivers covered as permitted senders because
they generate status messages in the name of your domain that you probably
don't want to be considered as forgeries. In your case though, there are
lots of entities that no doubt have access to your backup MX
(smtp-relay.swbell.net). I don't think you want all of those people to be
permitted. I see two options:
1. Backup MX is rarely used, I can afford to leave that outside the
definition and some status messages may get lost.
2. Backup MX should be covered, but I don't want to open up to having
everyone with access to smtp-relay.swbell.net being able to send messages.
I think to solve this you would change your record to be:
"v=spf1 ip4:68.23.93.3 ?mx ?all"
Your primary MX (and your SMTP server) still passes since it's at
ip:68.23.93.3 and your backup MX gets an unknown rather than a fail.
Obviously this doesn't matter now when you end your record in ?all, but it's
laying the foundation for eventually going -all.
Scott Kitterman
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of
> Nathan.Roberts@weastec.com
> Sent: Monday, August 02, 2004 2:34 PM
> To: spf-help@v2.listbox.com
> Subject: Re: [spf-help] Newbie questions
>
>
> Koen,
> I do have only '1 outgoing mail server'. It is behind a firewall.
> In fact, everything of mine should be behind this firewall to send mail.
> So you are saying I can use "v=spf1 ip4:68.23.93.3 ?all". What about all
> the other questions, does this setting override those? Also, what does all
> this mean? Is there a document on this? Sorry, I'm not usually this
> stupid but why can't I just say stuff from 68.23.93.3 is me, otherwise it's
> forged? Thanks!
>
> Nathan Roberts
>
> Koen Martens <spf@metro.cx>
> Sent by: owner-spf-help@v2.listbox.com
> 08/02/2004 01:42 PM
> Please respond to spf-help@v2.listbox.com
> To: spf-help@v2.listbox.com
> cc:
> Subject: Re: [spf-help] Newbie questions
>
> Hi,
>
> The wizard is great, but it helps if you know what is going on behind
> it. If you only have 1 mail server (I assume you mean '1 outgoing mail
> server'), specifying that single server in your spf record is all you
> have to do. If the mail server is on an ip that is the same as your
> domain, a simple "v=spf1 a -all" would suffice (or ~all / ?all if you
> want to play it conservative). If it is not, you could use "v=spf1
> ip4:1.2.3.4 -all" where 1.2.3.4 is the ip of your outgoing mail server
> of course.
>
> Hope this helps,
>
> Koen
>
> On Mon, Aug 02, 2004 at 01:24:06PM -0400,
> Nathan.Roberts@weastec.com wrote:
> > I'm trying to get a SPF record setup for my company. I'm having some
> > difficulties though. I'm stuck on the second question!!
> >
> > This wizard found 4 names for weastec.com's MX servers.
> > MX servers receive mail for weastec.com.
> > Do they also send mail from weastec.com?
> >
> > We only have 1 mail server here. What are these other names/servers?
> > Should I be concerned with this? Thanks!
> >
> > Nathan Roberts
> > Systems Analyst
> > Weastec Inc.
> >
> > -------
> > Archives at http://archives.listbox.com/spf-help/current/
> > Donate! http://spf.pobox.com/donations.html
> > To unsubscribe, change your address, or temporarily deactivate your subscription,
> > please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
>
> --
> K.F.J. Martens, Sonologic, http://www.sonologic.nl/
> Networking, embedded systems, unix expertise, artificial intelligence.
> Public PGP key: http://www.metro.cx/pubkey-gmc.asc
> Wondering about the funny attachment your mail program
> can't read? Visit http://www.openpgp.org/
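How the records discussed in this thread treat different senders, as an added example that is not part of the original messages: a minimal Python evaluator for the `ip4`, `mx` and `all` mechanisms, run against the primary server, the backup MX and an unrelated host. Assumptions: the backup MX and unrelated addresses are constructed, the MX lookup is replaced by a supplied list so the code runs offline, and the records are written with the `ip4:` mechanism name.

```python
import ipaddress

# SPF qualifier -> result; "neutral" is what the thread calls "unknown".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

PRIMARY = "68.23.93.3"     # outgoing server and primary MX (from the thread)
BACKUP_MX = "192.0.2.25"   # constructed stand-in for the backup MX address
OUTSIDER = "198.51.100.7"  # constructed host with no relation to the domain
MX_IPS = [PRIMARY, BACKUP_MX]  # stands in for the DNS MX lookup (offline)

def check_spf(record, client_ip, mx_ips=MX_IPS):
    """Evaluate ip4, mx and all mechanisms left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx" and not arg:
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips)
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this sketch's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def compare(records):
    """Result of each record for the three senders above."""
    senders = {"primary": PRIMARY, "backup_mx": BACKUP_MX, "outsider": OUTSIDER}
    return {rec: {who: check_spf(rec, ip) for who, ip in senders.items()}
            for rec in records}

RECORDS = [
    "v=spf1 ip4:68.23.93.3 ?all",      # starting point
    "v=spf1 ip4:68.23.93.3 -all",      # option 1: backup MX left out
    "v=spf1 ip4:68.23.93.3 ?mx -all",  # option 2 once the record ends in -all
]

if __name__ == "__main__":
    for rec, results in compare(RECORDS).items():
        print(f"{rec:36} {results}")
```

With `-all` in place, only the `?mx` term separates a status message relayed through the backup MX (neutral) from a forgery sent by an unrelated host (fail).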