spf record question

Discussion in 'General Discussion' started by r00t pAsSw0rd, Nov 8, 2006.

  1. r00t pAsSw0rd

    Checked the SPF using the tool at:

    http://senderid.espcoalition.org/

    It reports a softfail with the current SPF. It needs to pass.

    Report:

    MAIL FROM: user@domain.org
    PRA: user@domain..org
    SPF-Record-Classic: v=spf1 a mx ~all
    SPF-Record-MFROM Scope: v=spf1 a mx ~all
    SPF-Record-PRA Scope: v=spf1 a mx ~all

    SPF-Method Result: softfail(domain.: domain of
    transitioning domain..org does not designate xxx.xxx.65.54 as permitted sender)

    SenderID-MFROM-Method Result: softfail(domain..org: domain of
    transitioning domain..org does not designate xxx.xxx.65.54 as permitted sender)

    Why am I getting that error?

    Domain uses xxx.xxx.120.4 IP (static).

    server IP is xxx.xxx.65.54

    dnsreport shows

    You have an SPF record. This is very good, as it will help prevent spammers from abusing your domain. Your SPF record (I don't check to see if it is well designed!) is:
    "v=spf1 a mx a:mittens.dynalias.org" [TTL=14400]

    I added this in the domain's named record

    domain..org. IN TXT "v=spf1 a mx a:mittens.dynalias.org"

    Is this correct?
     
  2. RickG

    domain.org. IN TXT "v=spf1 a mx ip4:xxx.xxx.65.54 -all"

    If you really want to support the SPF concept (and not just "say" you have an SPF record), you should use -all (vs ~all) in your SPF record. If the receiving mail server is doing any type of SPF check, -all indicates that unless the mail originates from the source(s) specified in the SPF record, it is not legitimate mail from your domain. What happens to that mail on the receiving end based on those results is determined by the admin, the same way you can make similar decisions when mail arrives into your server.

    Using ~all produces a neutral response which IMHO is of little use if you are serious about cutting down on spam.
     
  3. d33pa

    Please correct me if I'm wrong. ~all will give you a fail and ?all will give you a neutral response. The -all may work, but I have never seen it in that context.
     
  4. sierrablue

    Try domain..org. IN TXT "v=spf1 ip4:xxx.xxx.xxx.xxx -all" where xxx.xxx.xxx.xxx is the IP of your host and NOT your domain IP.
     
  5. sierrablue

    ~all gives softfail, -all gives fail.

    Hotmail, for example, will forward your mail to the recipient's junk folder if you have a softfail terminator (~all), even if your mail passes the SPF check.
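
Added example, not part of any post in this thread: a minimal Python sketch of how a receiver evaluates the SPF records discussed above, showing why `a mx ~all` yields softfail for a server IP that is neither the domain's A nor MX address, and that the qualifier on `all` only decides the result when nothing earlier matches. The `DNS` table, `example.org` and both addresses are constructed placeholders (the thread masks its real IPs); only the `all`, `a`, `mx`, `ip4` and `ip6` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS lookups (documentation-range addresses):
# the domain's A record and MX host both point at the "domain IP".
DNS = {
    "a": {"example.org": ["198.51.100.4"], "mail.example.org": ["198.51.100.4"]},
    "mx": {"example.org": ["mail.example.org"]},
}
# SPF qualifiers and the result each one produces when its mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _matches(mech, arg, domain, ip):
    """Return True if one mechanism covers the connecting IP."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        hosts = [arg or domain]
    elif mech == "mx":
        hosts = DNS["mx"].get(arg or domain, [])
    else:
        raise ValueError(f"mechanism not handled in this sketch: {mech}")
    addrs = [a for h in hosts for a in DNS["a"].get(h, [])]
    return ip in map(ipaddress.ip_address, addrs)

def check_spf(record, domain, sender_ip):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if _matches(mech.lower(), arg, domain, ip):
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

SERVER_IP = "192.0.2.54"  # constructed: the host that actually sends the mail

if __name__ == "__main__":
    for rec in ("v=spf1 a mx ~all", "v=spf1 a mx -all",
                "v=spf1 a mx ip4:192.0.2.54 -all", "v=spf1 a mx"):
        print(f"{rec!r:40} -> {check_spf(rec, 'example.org', SERVER_IP)}")
```
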
     
  6. freedog96150

    I found that by including the "include:ISP.NAME" directive in the SPF record that many of my problems disappeared with respect to the soft fails. For me that exact line is "include:verizon.net", but then I use my ISP's SMTP server for all outgoing mail and not my domain's SMTP server. Your mileage may vary.
     
  7. SageBrian

    To me, this is the weakness in the SPF feature.
    It's great if you are mailing from one place all the time.
    But what of the road warriors?

    To say that email from domain.com is valid 'only' from domain.com or ISP.net will cause issues when sending from any other location.

    I know a few servers that tried to filter based on SPF fail, and then realized how much legitimate mail was getting blocked.

    -all is only good if you are sure you will never, ever send mail from another ISP provider. Remember that some ISPs block port 25.

    SPF is a good scoring tool. If it passes, good. If it soft-fails, more should be done to determine if it's spam.
     
  8. Sam Hobbs

    I am not an expert; until a couple of days ago, I knew virtually nothing about SPF records. I did however look at the openspf.org web site and I subscribed to one of their mailing lists.

    It is still quite confusing to me, but the experts did say that I should use -all.
     
  9. SoftDux

    How would one include this in the zone templates, so that all new domains automatically get the SPF records?


    Running the SPF Setup Wizard on http://old.openspf.org/wizard.html gave me the following:
    Code:
    "v=spf1 a mx ptr ~all"
    
    Is this all I need?
     
  10. bmcpanel

    I believe the technology is not in widespread use yet, and part of the reason is that documentation on the issue seems to vary, making it more confusing than it ought to be.

    I am waiting for cPanel to include this in their software so we don't have to add these manually. It seems like a logical thing for a control panel software to do.
     