DNS entry for SPF

Commerco WebMaster Webmaster at Commerco.Net
Mon Oct 3 19:25:11 UTC 2005


At 06:58 PM 9/30/2005, gregrjones at yahoo.com wrote:
>Can someone confirm that I have entered this DNS entry in correctly for
>a txt record for SPF?
>
>I have changed the names to fictitious ones.
>
>If I have coded this correctly, I should be authorizing servers with
>hostnames of six.yada.com, 5.yada.com, ms1.ms2.yadastrett.com and a
>server with IP address of 206.111.18.65 to send mail on behalf of the
>domain:
>
>"v=spf1 a:six.yada.com a:5.yada.com a:ms1.ms2.yadastreet.com
>ip4:206.111.18.65 -all"
>
>What would have been the difference with using this record vs using an
>entry of "v=spf1 mx:six.yada.com mx:5.yada.com
>mx:ms1.ms2.yadastreet.com ip4:206.111.18.65 -all"
>
>Does MX: mean that the recipient server is to interpret each value
>(following the "mx:") as a domain name and look up their MX records or
>does it mean that each of these values must be in the MX record for the
>domain name associated with the txt record?

As has been pointed out, this is a BIND list, you probably want to 
get signed up here:
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/

To try to answer your question, IIRC, when you place mx: in your SPF 
txt record, this means that any server that has an MX record 
(incoming SMTP) for the zone in question is now also allowed to send 
mail on behalf of the publishing zone per the SPF spec.  It is 
something of a shorthand for explicitly placing all the IP4: 
addresses in the record, but I think that using mx: will also 
generate extra lookups (as will listing the A record names).  You 
might consider publishing using a syntax that covers the /24 or CIDR 
in which the IP resides if you are comfortable with that (ex. 
192.168.222.0/24).  You might also consider simply listing your IP 
addresses in your SPF txt record to reduce the extra lookups for 
everyone, if those IP addresses tend to stay stable.  Perhaps 
explicitly publishing IP addresses might require some extra 
maintenance, but I think that it is also kinder to the DNS of all involved.

Even so, you should subscribe to the SPF list, as there are folks far 
better suited on that list to provide a more authoritative answer for you.

Best,

Alan Maitland
WebMaster at Commerco.Net
The Commerce Company - Making Commerce Simple(sm)
http://WWW.Commerco.Com/
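
The difference between the a: and mx: forms asked about above, worked through as an added example that is not part of the original thread: a:name checks the address records of the named host, while mx:name looks up the MX records of that name and then the addresses of each exchanger listed there. The DNS tables are constructed; the host mail.six.yada.com, the default domain yada.com and every address other than 206.111.18.65 are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS. Hostnames are the fictitious ones from the post;
# every address and the MX entry are invented for this example.
DNS_A = {
    "six.yada.com": ["192.0.2.6"],
    "5.yada.com": ["192.0.2.5"],
    "ms1.ms2.yadastreet.com": ["198.51.100.10"],
    "mail.six.yada.com": ["203.0.113.25"],
}
DNS_MX = {"six.yada.com": ["mail.six.yada.com"]}  # the other names have no MX
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD_A = ("v=spf1 a:six.yada.com a:5.yada.com a:ms1.ms2.yadastreet.com "
            "ip4:206.111.18.65 -all")
RECORD_MX = RECORD_A.replace(" a:", " mx:")


def check_spf(record, sender_ip, domain="yada.com"):
    """Evaluate the a, mx, ip4 and all mechanisms; return (result, dns_queries)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", 0)
    queries = 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":      # literal address or CIDR block, no DNS needed
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":        # A lookup on the named host itself
            queries += 1
            matched = str(ip) in DNS_A.get(arg or domain, [])
        elif name == "mx":       # MX lookup on the name, then A lookup per MX host
            hosts = DNS_MX.get(arg or domain, [])
            queries += 1 + len(hosts)
            matched = any(str(ip) in DNS_A.get(h, []) for h in hosts)
        else:
            raise ValueError(f"mechanism not handled in this example: {name}")
        if matched:
            return (RESULTS[qualifier], queries)
    return ("neutral", queries)
```

With these tables, check_spf(RECORD_A, "192.0.2.6") passes on the first term, while the same sender fails under RECORD_MX because six.yada.com's own address is not the address of its mail exchanger.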




