I am just 1 day into implementing SPF, which will eventually be done for all
our DNS hosted domains. I am doing DNS first, then I must patch our gateway.
I am going to display my entire DNS host zone record (live test domain but I
own it so I can play with it) here since it is reasonably short. This is a
test domain before I modify our production domains (several have more than
800 A records :( )
Here is the record first, then there are some questions, one is about what the
wizard said.
$ORIGIN .
$TTL 86400      ; 1 day
forestoflives.com       IN SOA  ns1.sbbsnet.net. sysadmin@sbbsnet.net. (
                                2004080801 ; serial
                                3600       ; refresh (1 hours)
                                900        ; retry (15 min)
                                259200     ; 3 days
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.sbbsnet.net.
                        NS      ns.sbbsnet.net.
                        NS      ns2.sbbsnet.net.
                        NS      ns3.sbbsnet.net.
                        A       64.113.34.18
                        TXT     "v=spf1 a mx -all"
                        MX      10 mailproc.sbbsnet.net.
$ORIGIN forestoflives.com.
www                     A       64.113.39.8
kamomo                  A       64.113.39.8
localhost               A       127.0.0.1
news                    CNAME   news.sbbsnet.net.
nntp                    CNAME   news-feeds.sbbsnet.net.
pop3                    A       64.113.34.18
smtp                    A       64.113.34.6
webmail                 CNAME   pop3.forestoflives.com.
Now a little explanation. The primary zone IP is our pop3 server IP.
The mailproc.sbbsnet.net MX record is our system-wide SMTP gateway. Every domain
uses it (more than 400) and nothing can go to the outside world nor can it
come into our pop server without passing through mailproc. To simplify for
our customers we include an smtp.domain A record which is the IP address for
mailproc. During mail negotiations, however, mailproc identifies itself as
only mailproc.sbbsnet.net. We use webmail on our pop3 server. Outgoing from
that is directed to mailproc again. The same goes for our web server for form
mailings.
I know I have to put an SPF record for every A record that does not send mail,
denying the ability to use mail at all. I have not done that yet. I believe
it would be the form:
    hostname IN TXT "v=spf1 -all"
so a real life situation from above would be
    kamomo A 64.113.39.8
    kamomo TXT "v=spf1 -all"
yes?
For specific reasons, any mail coming from website forms and destined to our
local pop server must use the form account@pop3.hosteddomain in the To:,
however the From is never from account@www1.sbbsnet.net or
account@www.hosteddomain, it is always a true email address of
account@hosteddomain. Our web mailing scripts also use SMTP auth with the
gateway since some are allowed to relay to their outside email address.
If I put an SPF TXT record for the www entry, and our gateway does SPF
checking, should I put allow or deny in the TXT record for the www server?
I would think I could put deny in there since it does not send to the outside
world. I have not reviewed the patch information or config information to
determine if I need to do anything to allow mailproc to receive mail from
www1, but not from the outside if @www1.
As you can see, I put the one SPF TXT line for the domain in as per the wizard,
but then the wizard made a comment which confused me. It said:
-----------------------------------
So this should also appear in DNS. You may or may not be in charge of the DNS
for these entries; if you are, add them.
mailproc.sbbsnet.net. IN TXT "v=spf1 a -all"
-------------------------------------
Does this go in the above forestoflives zone record (which would be out of
zone data) and all other of our domains, or do I put this once in the sbbsnet
zone record?
---
Jesse
--
Jesse
"I wouldn't want to be Gamul, that's for sure!"
The Guild Chronicles:An Odyssey of Light
-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
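
Added example, not part of the original post: for zones with hundreds of A records, a short Python script that lists every A-record owner lacking its own SPF TXT record and prints the `v=spf1 -all` line in the per-host form the post proposes. The function names and the `senders` parameter are hypothetical, and which hosts really send mail remains the operator's decision.

```python
# Zone data from the post above, abridged (SOA, NS, news, nntp omitted).
ZONE = """\
$ORIGIN .
forestoflives.com   A     64.113.34.18
                    TXT   "v=spf1 a mx -all"
                    MX    10 mailproc.sbbsnet.net.
$ORIGIN forestoflives.com.
www                 A     64.113.39.8
kamomo              A     64.113.39.8
localhost           A     127.0.0.1
pop3                A     64.113.34.18
smtp                A     64.113.34.6
webmail             CNAME pop3.forestoflives.com.
"""

def fqdn(name, origin):
    """Expand a zone-file owner name to a lower-case absolute name."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return (name + "." + ("" if origin == "." else origin)).lower()

def missing_spf(zone_text, senders=()):
    """TXT lines for A owners without SPF; `senders` (hypothetical) are skipped."""
    origin, owner, a_owners, spf_owners = ".", None, [], set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # ';' always starts a comment here
        if not line:
            continue
        if line.startswith("$"):
            if line.split()[0].upper() == "$ORIGIN":
                origin = line.split()[1]
            continue
        fields = line.split()
        if not line[0].isspace():      # owner name starts in column one
            owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)              # optional TTL and class
        if owner is None or not fields:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype == "A" and owner not in a_owners:
            a_owners.append(owner)
        elif rtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1"):
            spf_owners.add(owner)
    return [f'{n} IN TXT "v=spf1 -all"' for n in a_owners
            if n not in spf_owners and n not in senders]
```

Only single-line records are parsed, so a multi-line SOA in parentheses should be removed or collapsed before the zone text is passed in.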