Assistance with SPF Records for BIND

Sten Carlsen stenc at s-carlsen.dk
Sat Feb 18 20:05:35 UTC 2012


Well, there are two parts of this:

1 - make a decision which servers are allowed to send mail on your
behalf - this is entirely up to you. This is expressed in terms of
server names, IP addresses etc.
You may decide that ONLY <these> servers may send mail or that other
servers are also allowed to send mail. One example is a portable
computer: may it use a local server to send mail, or should that be
considered bogus?

2 - express these decisions in an spf statement - this is where the RFC
comes into play, explaining how to interpret the statements.


You need to make decision #1 yourself.

On 18/02/12 18:34, Jonathan Vomacka wrote:
> If someone uses a mobile device to send e-mail? Would ~all be better?
> I also generated the following SPF using a wizard. Let me know if this
> looks correct:
>
> teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com
> a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"
>
> I wouldn't need an "include:" or "ptr" statement in this, right? I
> was told "include:" was to include OTHER domains that are allowed to
> send e-mail, but then again I see some people writing the domain again
> as an include. Also is PTR good to use or not?
>
> Sten,
> I read over the link but am still a bit confused.
>
> On 2/18/2012 11:55 AM, Sten Carlsen wrote:
>> Hi
>>
>> I suggest using the wizards or looking in the RFC:
>> http://www.ietf.org/rfc/rfc4408.txt
>>
>>
>>
>> On 18/02/12 17:51, Jonathan Vomacka wrote:
>>> BIND Community Support,
>>>
>>> I am inquiring about how to setup a proper SPF record? I know there
>>> are SPF wizards/generators available but each seem to have a different
>>> "opinion" of what should be included and what should not be included.
>>>
>>> Let me give you a scenario of my setup, and hopefully someone can help
>>> me out.
>>>
>>> My domain is: test.com
>>> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
>>> record
>>> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
>>> to mail.host.com
>>>
>>> This is a STANDALONE mail server without any VIP's or load balancing.
>>> There is however one additional host that will send out mail from the
>>> domain but it won't be receiving mail, it will only be used as an SMTP
>>> server attached to a website automailer... It only generates error
>>> reports and sends them out... so technically it isn't a full mail
>>> server but it will be sending (outbound only) mail on behalf of the
>>> domain.
>>>
>>> The additional host is: mail2.test.com which resolves to 50.2.2.2 and
>>> there is a Matching PTR.
>>>
>>> These are the ONLY mail servers and IP addresses that will be sending
>>> out mail from the test.com domain. Some websites say I should use -all
>>> and others say -all will cause some MTA's to reject and ~all is better
>>> to use even if those are the only two hosts sending out mail.
>>>
>>> Would you be able to assist with a solid SPF record?
>>
>> -- 
>> Best regards
>>
>> Sten Carlsen
>>
>> No improvements come from shouting:
>>         "MALE BOVINE MANURE!!!"
>>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
       "MALE BOVINE MANURE!!!"
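
Added example, not part of the original thread: a minimal Python evaluator for the record quoted above, showing that `~all` and `-all` differ only in the result returned for a sender that no earlier mechanism matched (softfail versus fail, per RFC 4408). The DNS answers in `FAKE_DNS` are constructed for illustration, and `include`, `ptr`, `exists`, modifiers and CIDR suffixes on `a`/`mx` are not modelled.

```python
import ipaddress

# Record quoted in the thread, rejoined from the wrapped e-mail lines.
RECORD = ("v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
          "ip4:66.90.73.80 ip4:216.250.250.148 ~all")

# Constructed DNS answers (documentation addresses, not real lookups).
FAKE_DNS = {
    "a": {"teamwarfare.com": ["192.0.2.10"],
          "mail.teamwarfare.com": ["192.0.2.10"],
          "mail2.teamwarfare.com": ["192.0.2.20"]},
    "mx": {"teamwarfare.com": ["mail.teamwarfare.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(ip, domain, record, dns=FAKE_DNS):
    """Return the result of the first mechanism matching the sender IP."""
    addr = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in parse(record):
        target = argument or domain          # bare "a"/"mx" use the domain
        if mechanism == "all":
            hit = True
        elif mechanism == "ip4":
            hit = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            hit = ip in dns["a"].get(target, [])
        elif mechanism == "mx":
            hit = any(ip in dns["a"].get(mx, []) for mx in dns["mx"].get(target, []))
        else:                                # include, ptr, exists, modifiers
            raise NotImplementedError(mechanism)
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" term
```
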
