SPF Record
I'm lost as can be when it comes to creating an SPF record. I understand that I need it, I just don't understand what it does, or how to implement it.

In an attempt to make heads or tails out of it, I used the wizard to create a record: http://old.openspf.org/wizard.html

It might just be because it's 5am, but I'm not 100% sure that I even understand the questions! The name of the server is server1.web-wilkes.com, and the domain that I'm creating this for is gowilkes.com. Most emails use the SMTP server mail.gowilkes.NET (not .com), although I also send emails through gowilkes.com and, occasionally, wildblue.net (if my server is running slow or giving me a problem). In all cases, the return address is through gowilkes.com.

First question: do I need to include gowilkes.net and wildblue.net in this record? Neither account is on this server, so I don't get how this would have an impact, but the wizard sure made it sound like it does.

Next question. Here is the record that I came up with:

gowilkes.com. IN TXT "v=spf1 a mx include:gowilkes.net ~all"

Now that I have it, what do I do with it??? The wizard just said "put this in your zone file." Eh? Where's the zone file?

Next question. The wizard also gave me the following record:

server1.web-wilkes.com. IN TXT "v=spf1 a -all"

For an explanation, it said "if you know which hostname your mail server uses in its HELO command, you should pick out the appropriate entries and ignore the rest." This is the only entry it gave, but how would I know which hostname my mail server uses in its HELO command? Assuming that it is correct, the instructions said "this should also appear in DNS." Eh? Where's the file to edit for DNS?

Please don't think that I'm being lazy and asking you guys to do the legwork for me on this one, because that's not true. I've read over the openspf.org info a dozen times over the last several months, and if I didn't know better then I would just swear that it's written in Russian! :-) The more that I read it, the less sense it makes, so I'm having to turn to the pros to translate for me.

TIA,
Jason
Question 1: A-Record
The wizard will attempt to resolve the domain to an IP, then do a rDNS on the IP for a hostname. Click YES.

Question 2: MX-Record
In most cases, this will be true. Exceptions to this are if you have an irregular MX record modification, or are using another outgoing mail server or domain to send mail (like your ISP).

Question 3: PTR
Typically, you do not want to enable this setting unless you have mail accounts set up for subdomains or have domains that are similar in ending that need to relay through this domain.

Question 4: A subs
The answer is usually no. The only other server that would send on behalf of that domain would be the servername, but this was already allowed in question 1. The next two fields can be left blank, unless you specifically have the information to add to them.

Question 5: Include
Fill in this field mainly if you are planning on using another mail server or domain (such as your ISP, etc.) to send mail. Otherwise say no.

Question 6: ~all
Check your answers and hit yes. The typical SPF looks like this: "v=spf1 a mx ~all"

Adding the Zone Entry
You can add the SPF record either in WHM (easy) or manually in the zone file of that domain (not as easy). The line will look something like this:

domain.com. 14400 IN TXT "v=spf1 a mx ~all"
Or you could refuse to support something that's non-standards compliant...
Just sort of kidding, but I've not used SPFs yet and don't seem to be having any issues because of it.

Vanessa, your answer is very clear and thoughtful and I have found it informative. Thank you. If I ever do go the SPF route, I will surely refer to it.

There is some interesting reading on SPF in this thread too: integration of SPF checking with exim?
Quote:
__________________
Michael
SPF record crazy.
I migrated servers and had a terrible change in email deliverability for large email lists, specifically to hotmail/msn. The culprit was "~all". This increases your spam score slightly when you have a newer server. Once I switched to "-all", a lot more messages got through.
If you have a server that has been actively sending mail for more than 5 months, it really doesn't matter. But, it helps you when you first start.
Part of the problem with -ALL is that you need to explicitly state where the emails can come from.
For most who only use email from home or from the office, this is fine. But for anyone that is mobile, it can be a problem. On the road, they might be using a different outgoing mailserver, and using -ALL is telling any receiving server that this mail is not valid.
That's not entirely true.
If you are mobile, you'll be using your own mail server (mail.yourserver.com, port 25) to send out emails, as if you are at home or at the office. The only way you'll have problems is if the ISP you are using while mobile is not allowing you to access port 25. Easily solved by letting Exim listen on an alternative port.

So SPF with "-all" works fine and you shouldn't have a reason to use anyone else's email server to send out emails.
Quote:
But, AOL 'allows' you to connect on port 25 to your own server. Whoops... it appears that they do but it is actually using AOL's servers. So, you would think you are using your own mailserver, never knowing that you aren't.

Also, what about Blackberries, where people are sending mail out with their business return address, but sending from their Blackberry? There are so many variables for a mobile user. For stationary people, -all is good.

On the receiving end, SPF should not be used as a block. Instead it should just be used as part of a scoring system.
Quote:
The SPF issue, using PDAs and Blackberries, cell phones and mobile devices. The SPF wouldn't affect that if you are using the email server specified in the SPF record.
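Added example (not part of any post in this thread): a small Python evaluator for a subset of SPF (a, mx, ip4, include, all) that shows how a receiving server would score the record from the first post, and how the ~all versus -all choice debated in the later posts changes the result for mail relayed through a server the record does not list. The DNS table, every IP address and the gowilkes.net record are constructed for illustration; real checking follows RFC 7208 and uses live DNS.

```python
import ipaddress

# Constructed DNS data for illustration: addresses come from documentation
# ranges and are NOT the real records of these domains.
DNS = {
    "gowilkes.com": {"A": ["192.0.2.10"], "MX": ["server1.web-wilkes.com"],
                     "TXT": "v=spf1 a mx include:gowilkes.net ~all"},
    "server1.web-wilkes.com": {"A": ["192.0.2.10"]},
    "gowilkes.net": {"A": ["198.51.100.20"], "MX": ["mail.gowilkes.net"],
                     "TXT": "v=spf1 a mx -all"},  # assumed record
    "mail.gowilkes.net": {"A": ["198.51.100.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def addresses(name):
    return DNS.get(name, {}).get("A", [])

def check_host(ip, domain, record=None, depth=0):
    """Evaluate a, mx, ip4, include and all, left to right; first match wins."""
    if depth > 10:
        return "permerror"  # guard against include loops
    record = record or DNS.get(domain, {}).get("TXT")
    if record is None:
        return "none"  # the domain publishes no SPF record
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in addresses(target)
        elif mech == "mx":
            matched = any(ip in addresses(mx) for mx in DNS.get(target, {}).get("MX", []))
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only if the included record returns "pass";
            # the included domain's own -all does not carry over.
            matched = check_host(ip, arg, depth=depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

Calling `check_host("203.0.113.99", "gowilkes.com")` models a message relayed through an unlisted server, such as an ISP's outgoing mail server: the record as posted returns softfail, and the same record ending in `-all` returns fail.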