SPF - how to ?

Discussion in 'General Discussion' started by netlook, Dec 3, 2004.

  1. netlook

    Hello,

    I want to make my hosting SPF-CORRECT.

    I have around 2200 DNS entries on 6 servers. Can anybody tell me how to smoothly turn my hosting SPF-CORRECT, to update all DNS entries, and what I should put as the TXT entry in each DNS zone?

    Maybe there is a cPanel AddOn which can help me? And another thing - how do I change my cPanel configuration to have new accounts automatically created with SPF entries?

    http://spf.pobox.com/

    Thank you
     
  2. NNNils

    Did you ever find out how to properly set up SPF with cPanel?
     
  3. netlook

    Nope, but I think only a well-written script in Perl can do this for us :) No support from cPanel...
     
  4. Faldran

    I was wanting to do this too, but ran into problems..

    1) there are 2 different formats for the zone files. ( older style and newer style )
    2) you can not add it as the last entry ( not sure if this has been fixed yet.. )


    Both of which make adding an entry not the easiest thing.


    Kind of like the old updateserial script ( I was at first going to try and modify that, but then found it will not work on the new format of the zone files... so I gave up on that idea )

    Hope someone comes up with a good script for this.. I would like to find one, that is for sure.
     
  5. ttremain

    This would be impossible to do without upsetting your clients. Many of your clients may be sending email using the SMTP servers of their ISP. Unless you know who their ISP is, your efforts will be futile.

    If you know they are not using their ISP, you should set all SPF records to just
    "v=spf1 ip4:1.2.3.4 ~all"
    where 1.2.3.4 is the main IP of the server.
     
  6. Faldran

    I personally would not want my clients to use their ISP. They should be using our servers anyway for sending mail for their domain.

    But that still does not fix the problems of how to set both versions of Zone files..
     
  7. haze

    In the DNS Zone editor you would use:

    For those with clients that may use forwarders, or use SMTP services from their ISP ( quite common ):

    %domain%. IN TXT "v=spf1 ip4:1.2.3.4 ?all"

    The ?all essentially means wildcard, and the mail can originate from anywhere. Using the above essentially makes you SPF compliant, but does little ( if anything at all ) to help prevent spoofing etc.

    For those with clients that use your provided SMTP servers and you are sure use NO forwarders:

    %domain%. IN TXT "v=spf1 ip4:1.2.3.4 ~all"

    The ~all means, mail should ONLY be accepted IF it comes from the IP address listed in the record.

    There are other more advanced solutions you can implement. Use the wizard provided here:
    http://spf.pobox.com/wizard.html

    Now, take the above with a grain of salt. I have yet to implement this myself, though I've researched the topic quite a bit.

    Remember to replace the 1.2.3.4 IP above with your main server IP for which mail routes through.

    Also, for good measure ( I'm not sure if it's totally necessary or might conflict somehow ), you could also add the hostname to which the IP resolves. For example:

    "v=spf1 ip4:1.2.3.4 a:servername.domain.com ~all"

    Adding this to the bottom of the list of records in the zone editor should be sufficient. Remember to test it out before setting it live on your server!
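
What the records quoted in this thread evaluate to for a given sending IP, as an added example (not code from any poster or from cPanel). It implements only the ip4/ip6/all subset of RFC 7208 evaluation, so mechanisms that need DNS lookups (such as a:) are skipped; 203.0.113.9 is a constructed sender address, and -all is included for comparison although the thread does not use it.

```python
import ipaddress

# RFC 7208 qualifier -> result returned when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for one sending IP.

    Mechanisms are tested left to right and the first match decides.
    Mechanisms that need DNS (a, mx, include, ...) are skipped here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # nothing matched: RFC 7208 default

if __name__ == "__main__":
    # 1.2.3.4 is the thread's placeholder; 203.0.113.9 is constructed.
    for all_term in ("?all", "~all", "-all"):
        record = "v=spf1 ip4:1.2.3.4 " + all_term
        for sender in ("1.2.3.4", "203.0.113.9"):
            print(record, sender, evaluate_spf(record, sender))
```

What a receiver does with a softfail or neutral result is its own local policy; the record only supplies the result.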
     
  8. haze

    I'm not sure what you mean by the 2 different formats, can you explain a little further ?

    Are you saying that adding the above records to your zone editor has no effect on newly created domains or causes other issues ? If so, and either way, can we have a little more detailed information on this ?
     
  9. ntwaddel

    Some ISPs limit outgoing mail to their SMTP server only; actually a good majority are doing this now, so that might screw over some people.
     
  10. dgbaker

    Offering SMTP on a second port usually gets around that limitation.
     
  11. Faldran

    Yeah, offering SMTP on another port is a great way around the ISP blocking port 25 ( sometimes, with the amount of spam that comes from various ISPs, I wish the rest of them would just block it all or at least do something to limit/watch what is being sent out, cause a lot of spam comes from ADSL and cable modem accounts ). Back to the real issue.


    Have you not noticed there are two different formats of the zone file:

    Here is one:
    $ORIGIN .
    $TTL 14400      ; 4 hours
    domain.com              IN SOA  dns1.host.com. email.host.com. (
                                    2004021400 ; serial
                                    28800      ; refresh (8 hours)
                                    7200       ; retry (2 hours)
                                    3600000    ; expire (5 weeks 6 days 16 hours)
                                    86400      ; minimum (1 day)
                                    )
                            NS      dns1.host.com.
                            NS      dns2.host.com.
                            NS      dns3.host.com.
                            A       999.999.999.999
                            MX      0 domain.com.
    $ORIGIN domain.com.
    ftp                     A       999.999.999.999
    localhost               A       127.0.0.1
    mail                    CNAME   domain.com.
    www                     CNAME   domain.com.

    Here is the other:
    ; cPanel
    ; Zone file for domain.com
    $TTL 14400
    @      IN      SOA     dns1.host.com. email.host.com. (
                    2004040101      ; serial, todays date+todays
                    14400           ; refresh, seconds
                    7200            ; retry, seconds
                    3600000         ; expire, seconds
                    86400 )         ; minimum, seconds

    domain.com. IN NS dns1.host.com.
    domain.com. IN NS dns2.host.com.
    domain.com. IN NS dns3.host.com.

    domain.com. IN A 999.999.999.999

    localhost.domain.com. IN A 127.0.0.1

    domain.com. IN MX 0 domain.com.

    mail IN CNAME domain.com.
    www IN CNAME domain.com.
    ftp IN A 999.999.999.999

    The problem comes down to being able to change 100's to 1,000's of zone files at one time, and to accommodate both of the above styles of the zone file.

    Simply dropping it in at the end of it, is not good enough, cause if you drop it in the wrong format, you simply kill DNS on that domain.

    Also if you notice, the spacing is totally different too. ( be nice if all the old style could easily be updated to the new style, then doing changes on a mass scale would not be so bad )
     
    #11 Faldran, Jan 17, 2005
    Last edited: Jan 17, 2005
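
One way to add the record to both zone styles shown above with a single routine, as an added example (not cPanel's code or any poster's script). It writes the owner name fully qualified so the line means the same thing under either $ORIGIN layout, bumps the SOA serial, and skips zones that already publish SPF. The function name, the sample zones and the address 192.0.2.10 are constructed, and it assumes a plain BIND master file in which a record appended as the last line is accepted.

```python
import re

def add_spf_record(zone_text, domain, server_ip, qualifier="~"):
    """Return (new_zone_text, changed) with an SPF TXT record appended.

    The owner name is written with a trailing dot, so it does not depend on
    whichever $ORIGIN is in effect at the end of the file.
    """
    fqdn = domain.rstrip(".") + "."
    # Two v=spf1 records on one name is an SPF permerror: leave for review.
    if re.search(r'\bTXT\s+"v=spf1\b', zone_text, re.IGNORECASE):
        return zone_text, False

    # In both styles the serial is the first number inside the SOA parens.
    soa = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", zone_text)
    if soa is None:
        raise ValueError("no SOA serial found; refusing to edit " + domain)
    serial = str(int(soa.group(1)) + 1)
    zone_text = zone_text[:soa.start(1)] + serial + zone_text[soa.end(1):]

    record = '%s IN TXT "v=spf1 ip4:%s %sall"' % (fqdn, server_ip, qualifier)
    return zone_text.rstrip("\n") + "\n" + record + "\n", True

# Constructed sample in the older style ($ORIGIN lines, inherited owners).
OLD_STYLE = """$ORIGIN .
$TTL 14400
domain.com IN SOA dns1.host.com. email.host.com. (
        2004021400 ; serial
        28800 7200 3600000 86400 )
    NS dns1.host.com.
    A 192.0.2.10
$ORIGIN domain.com.
www CNAME domain.com.
"""

# Constructed sample in the newer cPanel style (@ owner, explicit names).
NEW_STYLE = """$TTL 14400
@ IN SOA dns1.host.com. email.host.com. (
        2004040101 ; serial
        14400 7200 3600000 86400 )
domain.com. IN NS dns1.host.com.
domain.com. IN A 192.0.2.10
www IN CNAME domain.com.
"""
```

Check each rewritten file with named-checkzone before reloading it, and keep the original file for any zone that fails the check.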
  12. hostnow

    Where in the DNS zone

    Where can I put the SPF record in the DNS edit zone of a domain?

    Thanks
     