Assistance with SPF Records for BIND

Noel Butler noel.butler at ausics.net
Sun Feb 19 04:03:21 UTC 2012


On Sat, 2012-02-18 at 11:51 -0500, Jonathan Vomacka wrote:

> BIND Community Support,
> 
> I am inquiring about how to set up a proper SPF record. I know there are 
> SPF wizards/generators available, but each seems to have a different 
> "opinion" of what should be included and what should not be included.
> 
> Let me give you a scenario of my setup, and hopefully someone can help 
> me out.
> 
> My domain is: test.com
> My mailserver hostname is: mail.host.com which also has a MATCHING PTR 
> record
> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves 
> to mail.host.com
> 
> This is a STANDALONE mail server without any VIPs or load balancing. 
> There is however one additional host that will send out mail from the 
> domain, but it won't be receiving mail; it will only be used as an SMTP 
> server attached to a website automailer... It only generates error 
> reports and sends them out... so technically it isn't a full mail server, 
> but it will be sending (outbound only) mail on behalf of the domain.
> 
> The additional host is: mail2.test.com which resolves to 50.2.2.2 and 
> there is a Matching PTR.
> 
> These are the ONLY mail servers and IP addresses that will be sending 
> out mail from the test.com domain. Some websites say I should use -all, 
> and others say -all will cause some MTAs to reject and ~all is better 
> to use even if those are the only two hosts sending out mail.
> 
> Would you be able to assist with a solid SPF record?



SPF    "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"
TXT    "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"     <-- This is to
support antiquated resolvers who don't understand the SPF record type


-all will reject if the mail is not from one of the above; this is the
entire purpose of SPF, to stop dead impersonators.
~all is a softfail, intended for the initial testing phase, so you can
use ~all if you are widening your scope, but if only those two above
IPs will send mail for your domain, just use -all, and make sure all of
your users have configured SMTP auth to send via either of those two machines.


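As an added illustration (not part of the original thread, and not BIND's code), here is the check a receiving MTA performs against the record above, reduced to the ip4/ip6 and all mechanisms the reply uses. The ~all variant is constructed alongside the reply's -all record so the fail/softfail difference is visible; mechanisms that need DNS lookups (a, mx, include) are deliberately out of scope.

```python
import ipaddress

# The record from the reply above, and a constructed ~all variant for comparison.
STRICT_RECORD = "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"
SOFT_RECORD = "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 ~all"

# SPF qualifier prefix -> result name (RFC 7208, section 4.6.2); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record built only from ip4:/ip6: mechanisms and 'all'.

    Returns pass, fail, softfail or neutral for sender_ip, or 'none' when no
    mechanism matched (a record with no trailing 'all').  Mechanisms that need
    DNS lookups (a, mx, include, ...) are out of scope here and raise.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # 'all' always matches: -all => fail, ~all => softfail for unlisted senders
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip4:50.1.1.1 is a single host (/32); ip4:50.1.0.0/16 would be a network
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
    return "none"


if __name__ == "__main__":
    # 50.3.3.3 stands in for an impersonator's address (constructed value).
    for sender in ("50.1.1.1", "50.2.2.2", "50.3.3.3"):
        print(sender, evaluate_spf(STRICT_RECORD, sender), evaluate_spf(SOFT_RECORD, sender))
```

Only the two listed hosts pass; an unlisted sender gets fail with -all and softfail with ~all, which is exactly the difference the reply describes.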