Mailing List Archive

Help/confusion with SPF rollout
Hi,

I need clarification about a couple of aspects of SPF implementation on
which I have received two differing opinions, but from two people who are
well-versed about most Internet technical matters.

1: I have a server hosting a domain - somedomain.com

2: I run my own DNS at ns1.somedomain.com and ns2.somedomain.com

3: The domain in #1 has the mail server/MX at mail.somedomain.com

4: I host a number of other domains on the server, and host their zones in
my DNS, too.

5: The mail server in #3 is the mail exchanger/server/MX for all domains
in #4

6: Both I and other domains' users connect to the Internet through our own
respective ISPs and send email via one of two methods:

i. Through the SMTP service on my server, with a
user@theirdomain.com as their From address

ii. Through the SMTP service on their own ISP, with a
user@theirdomain.com as their From address

7: There are 30 domains, 150 diverse "From" addresses across those
domains, and 50 different ISPs people connect from.


Clarification on...

A. One person says that only in scenario 4:ii would every single ISP
through whom people connect need to be added to the SPF records of the
individual domains and the master domain "somedomain.com"

B: The other person says that in both 4:i and 4:ii every ISP would need to
appear in the SPF

Or is it yet a different scenario?

And my question, what should the SPF be:

i. For somedomain.com

ii. For every other domain on the server

Thank you very much!
David


-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
RE: Help/confusion with SPF rollout
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of spf@davidcross.com
> Sent: Monday, August 16, 2004 2:43 PM
> To: spf-help@v2.listbox.com
> Subject: [spf-help] Help/confusion with SPF rollout
>
>
> Hi,
>
> I need clarification about a couple of aspects of SPF implementation on
> which I have received two differing opinions, but from two people who are
> well-versed about most Internet technical matters.
>
> 1: I have a server hosting a domain - somedomain.com
>
> 2: I run my own DNS at ns1.somedomain.com and ns2.somedomain.com
>
> 3: The domain in #1 has the mail server/MX at mail.somedomain.com
>
> 4: I host a number of other domains on the server, and host their zones in
> my DNS, too.
>
> 5: The mail server in #3 is the mail exchanger/server/MX for all domains
> in #4
>
> 6: Both I and other domains' users connect to the Internet through our own
> respective ISPs and send email via one of two methods:
>
> i. Through the SMTP service on my server, with a
> user@theirdomain.com as their From address
>
> ii. Through the SMTP service on their own ISP, with a
> user@theirdomain.com as their From address
>
> 7: There are 30 domains, 150 diverse "From" addresses across those
> domains, and 50 different ISPs people connect from.
>
>
> Clarification on...
>
> A. One person says that only in scenario 4:ii would every single ISP
> through whom people connect need to be added to the SPF records of the
> individual domains and the master domain "somedomain.com"
>
> B: The other person says that in both 4:i and 4:ii every ISP would need to
> appear in the SPF
>
> Or is it yet a different scenario?
>
> And my question, what should the SPF be:
>
> i. For somedomain.com
>
> ii. For every other domain on the server
>
> Thank you very much!
> David
>
The TXT record for each domain should indicate the designated senders for
that domain.

#1 might be as simple as TXT "v=spf1 mx -all"
#2 might be more like TXT "v=spf1 mx ?include:isp.net -all"
or TXT "v=spf1 mx ?ip4:1.2.3.0/24 -all"

Note that you can only use include if isp.net has an SPF record. Also, I
suggest ?include: or ?ip4: since the isp in question presumably permits
cross customer forgery, you wouldn't want spam sent by another customer of
isp.net to get an SPF pass from your domain. The ? means neutral, treat
this as if SPF was not used. The key is to get to where you can put -all at
the end of the record so that e-mail sent via non-permitted senders will be
identified as a forgery.

Scott Kitterman

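As an added illustration of how the records Scott suggests behave (example code written for this thread, not anything from the list or the SPF project): a minimal SPF evaluator run against constructed DNS data. It covers only the mechanisms used above (mx, a, ip4, include, all) and the four qualifiers; real SPF also has macros, ptr/exists, and a lookup limit, which are left out. The names somedomain.com, otherdomain.com and isp.net and all addresses are made-up sample values. Note that the address being checked is always the SMTP client that hands the message to the receiving MX, i.e. your server or the ISP's relay, never the user's home connection.

```python
import ipaddress

# Constructed stand-in for DNS (sample data, not real zones).
DNS = {
    "somedomain.com": {"TXT": "v=spf1 mx -all",
                       "MX": ["mail.somedomain.com"]},
    "otherdomain.com": {"TXT": "v=spf1 mx ?include:isp.net -all",
                        "MX": ["mail.somedomain.com"]},
    "mail.somedomain.com": {"A": ["203.0.113.10"]},
    # The ISP publishes its own record, so include: can be used.
    "isp.net": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the TXT string, or the list of A/MX values, for a name."""
    default = None if rtype == "TXT" else []
    return DNS.get(name, {}).get(rtype, default)


def matches(mech, ip, domain):
    """True if the connecting IP is covered by one mechanism."""
    if mech == "all":
        return True
    name, _, arg = mech.partition(":")
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":  # A records of the domain (or the named host)
        return str(ip) in lookup(arg or domain, "A")
    if name == "mx":  # A records of every MX host of the domain
        return any(str(ip) in lookup(mx, "A")
                   for mx in lookup(arg or domain, "MX"))
    if name == "include":  # matches only if the other record passes
        return check(arg, str(ip)) == "pass"
    raise ValueError("unsupported mechanism: " + mech)


def check(domain, ip):
    """Evaluate the domain's SPF record for a connecting IP address."""
    ip = ipaddress.ip_address(ip)
    record = lookup(domain, "TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"          # no policy published: treat as unknown
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        if matches(term.lstrip("+-~?"), ip, domain):
            return QUALIFIERS[qual]
    return "neutral"           # fell off the end without a match
```

With these records, mail relayed by mail.somedomain.com passes for both domains, mail relayed by the ISP is neutral for otherdomain.com but fails for somedomain.com, and any other source fails outright because of the trailing -all.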
Help/confusion with SPF rollout
>>>#1 might be as simple as TXT "v=spf1 mx -all"

So I would NOT need to put my own ISP or sending "locations" from - like
this...?

IN TXT "v=spf1 a mx a:yourisp.net"

(I connect from a variety of mobile locations, wireless, etc., and never
know which ones until I have connected)


>>>#2 might be more like
TXT "v=spf1 mx ?include:isp.net -all"
or
TXT "v=spf1 mx ?ip4:1.2.3.0/24 -all"
>>>

What is the IP in there...?

?ip4:1.2.3.0/24

What values go in the 1.2.3.0/24?

Thank you
David

RE: Help/confusion with SPF rollout
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of spf@davidcross.com
> Sent: Monday, August 16, 2004 4:01 PM
> To: spf-help@v2.listbox.com
> Subject: [spf-help] Help/confusion with SPF rollout
>
>
> >>>#1 might be as simple as TXT "v=spf1 mx -all"
>
> So I would NOT need to put my own ISP or sending "locations" from - like
> this...?
>
> IN TXT "v=spf1 a mx a:yourisp.net"
>
> (I connect from a variety of mobile locations, wireless, etc., and never
> know which ones until I have connected)

It's a function of the SMTP server you are using, not the connection, so if
you are always hitting your own SMTP server, then you ought to be covered.
If you are using other people's SMTP server, then they need to be included.
>
>
> >>>#2 might be more like
> TXT "v=spf1 mx ?include:isp.net -all"
> or
> TXT "v=spf1 mx ?ip4:1.2.3.0/24 -all"
> >>>
>
> What is the IP in there...?
>
> ?ip4:1.2.3.0/24
>
> What values go in the 1.2.3.0/24?
>
If the ISP doesn't publish an SPF record, then you have to guess. The way
I've done this is to send a number of messages via their SMTP server to
another account of mine and then look in the e-mail headers to see what
range of IP addresses they are using.

There is a certain risk of error with this. If you end up in this
situation, I would recommend asking the ISP to publish an SPF record so
that eventually you can use include: instead of trying to guess their IP
addresses.

Scott Kitterman

RE: Help/confusion with SPF rollout
>>>If the ISP doesn't publish an SPF record, then you have to guess. The
way I've done this is to send a number of messages via their SMTP server to
another account of mine and then look in the e-mail headers to see what
range of IP addresses they are using.

That sounds complex bordering on impossible if I have to include every ISP
any user may send through. The old "new account in email client pretending
to be 'From'" trick is over, if I am not mistaken?

So, for domains on my server I am going therefore to stipulate that anyone
using a "From" address of one of these domains MUST send through my SMTP
server.

In that case, do I still have to include the details of the ISP they
*connect* through, even though they are sending through my SMTP? If so, how
the hell do I keep updated with such an onerous list?

Thanks
David


RE: Help/confusion with SPF rollout
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of David Cross
> Sent: Monday, August 16, 2004 4:38 PM
> To: spf-help@v2.listbox.com
> Subject: RE: [spf-help] Help/confusion with SPF rollout
>
>
> >>>If the ISP doesn't publish an SPF record, then you have to guess. The
> way I've done this is to send a number of messages via their SMTP
> server to
> another account of mine and then look in the e-mail headers to see what
> range of IP addresses they are using.
>
> That sounds complex bordering on impossible if I have to include every ISP
> any user may send through. The old "new account in email client pretending
> to be 'From'" trick is over, if I am not mistaken?
>
> So, for domains on my server I am going therefore to stipulate that anyone
> using a "From" address of one of these domains MUST send through my SMTP
> server.
>
> In that case, do I still have to include the details of the ISP they
> *connect* through, even though they are sending through my SMTP?
> If so, how
> the hell do I keep updated with such an onerous list?
>
> Thanks
> David

If you want to enforce that policy, then that will definitely simplify
things. If all mail will be sent through your SMTP server, then you do not
have to add anything about their ISP.

As far as keeping up, you're right, that would be tough. That's why I
suggested contacting the ISP and asking them to publish SPF records.
Verizon is one large US ISP that does publish SPF (there are no doubt
others, but that's the one I'm familiar with since I'm a customer of
theirs).

Scott Kitterman

Scott K

Re: Help/confusion with SPF rollout
On Mon, Aug 16, 2004 at 01:38:29PM -0700, David Cross wrote:
> That sounds complex bordering on impossible if I have to include every ISP
> any user may send through. The old "new account in email client pretending
> to be 'From'" trick is over, if I am not mistaken?

Well, unless you can set MAIL FROM and From: to different values: yes.
And good riddance too, while it is extremely useful it also opens the
gates for spamspamspam with spam and spam.. and more spam with spam..

;)

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

RE: Help/confusion with SPF rollout
>>>while it is extremely useful it also opens the gates for spamspamspam
with spam and spam.. and more spam with spam..

Wot, no eggs...or beans?!

Point well taken. And lest we now ask, "...is this the 5 minute SPF thread
or the full half hour..." thanks for your help.

David


RE: Help/confusion with SPF rollout
On Mon, 16 Aug 2004, David Cross wrote:

DC> >>>If the ISP doesn't publish an SPF record, then you have to guess. The
DC> way I've done this is to send a number of messages via their SMTP server to
DC> another account of mine and then look in the e-mail headers to see what
DC> range of IP addresses they are using.
DC>

I sent a message to myself via my phone, then looked up "whois" for the ip
number. This gave me a range of ips for the supplier.

--
Alan


( Please do not email me AS WELL as replying to the list. Please
address personal email to alan+1@ as lists@ is not read. A
password autoresponder may be invoked if this email is very old. )
