r00t pAsSw0rd

Active Member
Sep 14, 2006
Checked the SPF using the tool at:

http://senderid.espcoalition.org/

It reports a softfail with the current SPF. It needs to pass.

Report:

MAIL FROM: [email protected]
PRA: [email protected]
SPF-Record-Classic: v=spf1 a mx ~all
SPF-Record-MFROM Scope: v=spf1 a mx ~all
SPF-Record-PRA Scope: v=spf1 a mx ~all

SPF-Method Result: softfail(domain.: domain of
transitioning domain..org does not designate xxx.xxx.65.54 as permitted sender)

SenderID-MFROM-Method Result: softfail(domain..org: domain of
transitioning domain..org does not designate xxx.xxx.65.54 as permitted sender)

Why am I getting that error?

Domain uses xxx.xxx.120.4 IP (static).

server IP is xxx.xxx.65.54

dnsreport shows

You have an SPF record. This is very good, as it will help prevent spammers from abusing your domain. Your SPF record (I don't check to see if it is well designed!) is:
"v=spf1 a mx a:mittens.dynalias.org" [TTL=14400]

I added this in the domain's named record

domain..org. IN TXT "v=spf1 a mx a:mittens.dynalias.org"

Is this correct?
 

RickG

Well-Known Member
Feb 28, 2005
North Carolina
domain.org. IN TXT "v=spf1 a mx ip4:xxx.xxx.65.54 -all"

If you really want to support the SPF concept (and not just "say" you have an SPF record), you should use -all (vs ~all) in your SPF record. If the receiving mail server is doing any type of SPF check, -all indicates that unless the mail originates from the source(s) specified in the SPF record, it is not legitimate mail from your domain. What happens to that mail on the receiving end based on those results is determined by the admin, the same way you can make similar decisions when mail arrives into your server.

Using ~all produces a neutral response which IMHO is of little use if you are serious about cutting down on spam.
 

d33pa

Registered
Feb 11, 2005
domain.org. IN TXT "v=spf1 a mx ip4:xxx.xxx.65.54 -all"

If you really want to support the SPF concept (and not just "say" you have an SPF record), you should use -all (vs ~all) in your SPF record. If the receiving mail server is doing any type of SPF check, -all indicates that unless the mail originates from the source(s) specified in the SPF record, it is not legitimate mail from your domain. What happens to that mail on the receiving end based on those results is determined by the admin, the same way you can make similar decisions when mail arrives into your server.

Using ~all produces a neutral response which IMHO is of little use if you are serious about cutting down on spam.
Please correct me if I'm wrong. ~all will give you a fail and ?all will give you a neutral response. The -all may work, but I have never seen it in that context.
 

sierrablue

Active Member
Aug 30, 2005
cPanel Access Level
Root Administrator
Please correct me if I'm wrong. ~all will give you a fail and ?all will give you a neutral response. The -all may work, but I have never seen it in that context.
~all gives softfail, -all gives fail.

Hotmail, for example, will forward your mail to the recipient's junk folder if you have the softfail terminator (~all), even if your mail passes the SPF check.
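
The qualifier behaviour discussed in this thread, as an added example that is not part of any post: a simplified SPF evaluator (only the `a`, `mx`, `ip4` and `all` mechanisms) run against constructed DNS data. The domain name and both IP addresses are placeholders standing in for the redacted values in the thread.

```python
import ipaddress

# Constructed stand-ins for the redacted addresses in the thread
# (xxx.xxx.120.4 and xxx.xxx.65.54); documentation ranges, not real hosts.
DOMAIN = "domain.example"
DOMAIN_IP = "198.51.100.4"   # what the domain's A record and MX host resolve to
SERVER_IP = "192.0.2.54"     # the IP the mail actually leaves from

# Constructed DNS data so the example runs offline.
A_RECORDS = {DOMAIN: [DOMAIN_IP], "mail." + DOMAIN: [DOMAIN_IP]}
MX_RECORDS = {DOMAIN: ["mail." + DOMAIN]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, sender_ip, domain):
    """Return True if one SPF mechanism (qualifier already stripped) matches."""
    name, _, arg = mech.partition(":")
    ip = ipaddress.ip_address(sender_ip)
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return sender_ip in A_RECORDS.get(arg or domain, [])
    if name == "mx":
        hosts = MX_RECORDS.get(arg or domain, [])
        return any(sender_ip in A_RECORDS.get(h, []) for h in hosts)
    raise ValueError("mechanism not handled in this sketch: " + mech)


def check_spf(record, sender_ip, domain=DOMAIN):
    """Evaluate terms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mechanism_matches(mech, sender_ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for rec in ("v=spf1 a mx ~all", "v=spf1 a mx -all", "v=spf1 a mx ?all",
                "v=spf1 a mx ip4:%s -all" % SERVER_IP):
        print("%-40s -> %s" % (rec, check_spf(rec, SERVER_IP)))
```

Mail leaving from the server IP only reaches the trailing `all` term when neither `a` nor `mx` resolves to that address, which is the softfail in the original report; listing the server with `ip4:` makes it match before `all` is ever consulted.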
 

freedog96150

Well-Known Member
Mar 25, 2005
Nevada, USA
I found that by including the "include:ISP.NAME" directive in the SPF record that many of my problems disappeared with respect to the soft fails. For me that exact line is "include:verizon.net", but then I use my ISP's SMTP server for all outgoing mail and not my domain's SMTP server. Your mileage may vary.
 

SageBrian

Well-Known Member
Jun 1, 2002
NY/CT (US)
cPanel Access Level
Root Administrator
~all gives softfail, -all gives fail.

Hotmail, for example, will forward your mail to the recipient's junk folder if you have the softfail terminator (~all), even if your mail passes the SPF check.
To me, this is the weakness in the SPF feature.
It's great if you are mailing from one place all the time.
But what of the road warriors?

To say that email from domain.com is valid 'only' from domain.com or ISP.net will cause issues when sending from any other location.

I know a few servers that tried to filter based on SPF fail, and then realized how much legitimate mail was getting blocked.

-all is only good if you are sure you will never, ever send mail from another ISP provider. Remember that some ISPs block port 25.

SPF is a good scoring tool. If it passes, good. If it soft-fails, more should be done to determine if it's spam.
 

Sam Hobbs

Member
Aug 20, 2004
California
Please correct me if I'm wrong. ~all will give you a fail and ?all will give you a neutral response. The -all may work, but I have never seen it in that context.
I am not an expert; until a couple of days ago, I knew virtually nothing about SPF records. I did however look at the openspf.org web site and I subscribed to one of their mailing lists.

It is still quite confusing to me, but the experts did say that I should use -all.
 

bmcpanel

Well-Known Member
Jun 1, 2002
I am not an expert; until a couple of days ago, I knew virtually nothing about SPF records. I did however look at the openspf.org web site and I subscribed to one of their mailing lists.

It is still quite confusing to me, but the experts did say that I should use -all.
I believe the technology is not in wide-spread use yet, and part of the reason is that documentation on the issue seems to vary, making it more confusing than it ought to be.

I am waiting for cPanel to include this in their software so we don't have to add these manually. It seems like a logical thing for a control panel software to do.