Are SPF records checked per Domain or per IP/server?
I have one user who uses a blackberry on his domain, making it so that mail sent from it fall outside the scope of my regular SPF record. I'm interested in adding blackberry's smtp servers to the SPF record on his domain, but is that all I should do?
his domain might be clientdomain.com, but the email headers say that the mail from that domain actually comes from mail.serverdomain.com
So should the blackberry-friendly spf records also apply to the serverdomain.com's spf record?
Every e-mail message has a single envelope-from sender. This is the domain that the SPF record is looked up on.
When you look at a message headers, the envelope sender is the address in the header Return-path.
A server that performs an SPF check will take the domain of that value, look up the SPF record for that domain and see if the server that sent it that message is in that sending list.
One thing to note, if you are adding an IP to an SPF record, you can't necessarily assume that the sending IP is the same as the mail server that is used to send the message.
For example, a user might send out a message from their domain using the SMTP server:
smtp.blackberry.com
A common misconception is that you can just perform a DNS lookup for smtp.blackberry.com and enter that IP address in the domain's SPF record. This is not always the case.
smtp.blackberry.com might refer to an incoming mail server only, a Message Submission server instead of an actual mail relayer.
The IP address for smtp.blackberry.com might resolve to 255.23.34.231 but that server actually relays the message to another server that actually sends it out through the Internet. That server's IP address might be 255.23.34.232.
If you add 255.23.34.231 to the domain's SPF record, then the SPF lookup will still fail, because the sending IP (255.23.34.232) is not in the list. This is one thing to consider with SPF.
LinkBack URL
About LinkBacks
Reply With Quote