Assistance with SPF Records for BIND
Noel Butler
noel.butler at ausics.net
Sun Feb 19 04:03:21 UTC 2012
On Sat, 2012-02-18 at 11:51 -0500, Jonathan Vomacka wrote:
> BIND Community Support,
>
> I am inquiring about how to set up a proper SPF record? I know there are
> SPF wizards/generators available but each seems to have a different
> "opinion" of what should be included and what should not be included.
>
> Let me give you a scenario of my setup, and hopefully someone can help
> me out.
>
> My domain is: test.com
> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
> record
> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
> to mail.host.com
>
> This is a STANDALONE mail server without any VIPs or load balancing.
> There is however one additional host that will send out mail from the
> domain but it won't be receiving mail, it will only be used as an SMTP
> server attached to a website automailer... It only generates error
> reports and sends them out... so technically it isn't a full mail server
> but it will be sending (outbound only) mail on behalf of the domain.
>
> The additional host is: mail2.test.com which resolves to 50.2.2.2 and
> there is a matching PTR.
>
> These are the ONLY mail servers and IP addresses that will be sending
> out mail from the test.com domain. Some websites say I should use -all
> and others say -all will cause some MTAs to reject and ~all is better
> to use even if those are the only two hosts sending out mail.
>
> Would you be able to assist with a solid SPF record?
SPF "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"
TXT "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all" <-- This is to
support antiquated resolvers who don't understand the SPF record type.
-all will reject if the mail is not from one of the above; this is the
entire purpose of SPF, to stop impersonators dead.
~all is a softfail, intended for the initial testing phase, so you can
use ~all if you are widening your scope, but if only those two above
IPs will send mail for your domain, just use -all and make sure all of
your users have configured SMTP auth to send via either of those two machines.
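To make the -all versus ~all distinction concrete, here is an added example (not code from the thread, and not an ISC or BIND tool) that evaluates a sending IP against an SPF record offline. It implements only the ip4 and all mechanisms of RFC 7208 and deliberately returns permerror for anything that would need a DNS lookup (a, mx, include, and so on), so it never quietly accepts a record it cannot fully evaluate. The two records and the sending addresses are constructed from the figures in the question; the mta_action() policy mapping is an assumption about typical receiver behaviour, not a standard.

```python
"""Minimal SPF (RFC 7208 subset) evaluator for the ip4 and all mechanisms.

Added example, not code from the original post. Evaluates a record
entirely offline: no DNS lookups, so only 'ip4' and 'all' are supported
and any other mechanism yields 'permerror'.
"""
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records illustrating the two endings discussed in the thread.
RECORD_STRICT = "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"
RECORD_SOFT = "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 ~all"


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) tuples.

    Raises ValueError if the record is not an SPF version 1 record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"          # a mechanism without a prefix means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(record, sender_ip):
    """Return the SPF result for sender_ip against record.

    Mechanisms are tested left to right; the first match decides.
    An ip4 argument may be a bare address or a CIDR prefix. A record
    with no matching mechanism and no 'all' evaluates to 'neutral'.
    """
    ip = ipaddress.ip_address(sender_ip)
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    for qualifier, mech, arg in terms:
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            if ip.version != 4:      # ip4 never matches an IPv6 sender
                continue
            try:
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:       # malformed address or prefix
                return "permerror"
            continue
        # a, mx, include, exists, ptr, redirect need DNS: unsupported here
        return "permerror"
    return "neutral"


def mta_action(result, reject_on_softfail=False):
    """Map an SPF result to a receiving MTA's decision (assumed policy).

    Only 'fail' is normally rejected outright; 'softfail' is accepted
    (usually tagged or scored) unless local policy is stricter.
    """
    if result == "fail":
        return "reject"
    if result == "softfail" and reject_on_softfail:
        return "reject"
    return "accept"


if __name__ == "__main__":
    # 203.0.113.9 is a documentation address standing in for an impersonator.
    for rec in (RECORD_STRICT, RECORD_SOFT):
        for ip in ("50.1.1.1", "50.2.2.2", "203.0.113.9"):
            r = check_host(rec, ip)
            print(f"{rec!r:46} {ip:12} -> {r:8} ({mta_action(r)})")
```

Running it shows the point made in the reply: with -all the unlisted sender gets "fail" and is rejected, while with ~all the same sender gets "softfail" and is accepted unless the receiving MTA has chosen to treat softfail as a reject.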