SPF Record?

Similar Messages

• Should I use an SPF Record?

  Our site allows people to send a request to various subscribers by email. The emails are sent with the FROM being the requesters email address so that our subscribers can reply to them directly.
  In the last week we have received a lot of bounced emails from accounts that don't exist on our server. I think setting up an SPF record could help in this regard.
  However, given the way our service works, does it make sense to set up an SPF record?
  Any thoughts would be appreciated.
  Thanks.

  Adding an SPF record would help in regards to people using your domain name as the source of spam messages. It wouldn't have any effect on emails you send out under other people's name, though.
  If your server sends out a message from [email protected] your SPF record doesn't come into play at all, but under those circumstances you wouldn't get the bounce message anyway - it would go to [email protected] However, your IP address may get flagged as sending bogus email.
  In any case I'd add a SPF record. It's not hard to do, and it helps insulate your domain from problems. There's no downside to having it unless users in your domain regularly send mail from other mail servers (which they shouldn't be doing anyway).

• Leopard DNS Server: Zones with SPF records?

  Hi all,
  I'm trying to figure out how to setup SPF (Sender Policy Framework) records for some domains I'm currently managing with a Leopard DNS server and I don't see any documentation anywhere. Can someone please tell me if it's even an option? I'm new to running DNS with Leopard, so I could use all the help I can get.
  Sincerely,
  Israel
  Message was edited by: Israel Thompson
  Message was edited by: Israel Thompson

  Israel Thompson wrote:
  So let me see if I have this right. Any changes I want to make that will not be editable in the GUI, I want to do them in db.mydomain.com instead of db.mydomain.com.zone.apple? Easy enough. However I tried adding "v=spf1 a mx ~all" (with quotes) to my file and it appeared to have broken the dns zone. What’s the proper way to enter these in manually? Can you give me an example of how it looks in your zone files? I’ve pasted a sample of mine below. Tell me if anything is wrong.
  Israel,
  I am new to Leopard Server - so I'm no DNS guru. I, too, have not used a DNS setup tool that requires a FQDN just associate an IP with the base of the domain (mydomain.com.). How did you get your 'mydomain.com. IN A 11.22.33.44' accomplished? Did you create a new A record and put mydomain.com. in the Machine Name field?
  Here's my setup:
  ========================
  db.mydomain.com
  ========================
  ;THE FOLLOWING INCLUDE WAS ADDED BY SERVER ADMIN. PLEASE DO NOT REMOVE.
  $INCLUDE /var/named/zones/db.mydomain.com.zone.apple
  ========================
  db.mydomain.com.zone.apple
  ========================
  $TTL 10800
  mydomain.com. IN SOA ns1.mydomain.com. admin.mydomain.com. (
  2008010951 ;Serial
  7200 ;Refresh
  3600 ;Retry
  604800 ;Expire
  345600 ;Negative caching TTL
  mydomain.com. IN NS ns1.mydomain.com.
  mydomain.com. IN NS ns.mydomain.com.
  mydomain.com. IN A 64.251.168.218
  mydomain.com. IN TXT "v=spf1 ip:64.251.168.218 ip:64.251.168.220 ~all"
  www IN A 64.251.168.218
  mail.mydomain.com. IN A 64.251.168.220
  mail.mydomain.com. IN TXT "v=spf1 a ~all"
  xserve.mydomain.com. IN A 64.251.168.218
  xserve.mydomain.com. IN TXT "v=spf1 a ~all"
  ns IN A 64.251.168.218
  ns1 IN A 64.251.168.220
  mydomain.com. IN MX 10 mail.mydomain.com.
  ... where xserve.mydomain.com is my machine's hostname.
  I have a funky setup for DNS because I don't have a different, or second, DNS server (just the one on my Xserve with everything else) and my name servers are under this zone. I added the two IPs for my mail and hostname to the base SPF record. Someone could still spoof from using the name or www domains (same IPs) but I can check for it using Postfix up front. I also added "v=spf1 a ~all" in case another mail server tries to check the mailing server or hostname directly.
  You'll usually want to set a TXT "v=spf1 ~all" (SPF null) for any records that have no possibility for mail origins, like your ftp and mobile, but it appears you also have a similar issue to me - those services will be running under the same IPs as the mail service. This is why I added "v=spf1 a ~all" to all essential services (mail and hostname). I don't know what will happen if you add an SPF null to an unnecessary service that happens to also have the same IP. (Will the IP get blocked in a cache during a lookup??) So I didn't add an SPF TXT to those domains. I'm a little confused at this point. I should probably read more about it.
  http://www.openspf.org/FAQ/Common_mistakes
  Also, you'll notice I added FQDN to mail and xserve. If I do this and ensure they are in my reverse DNS PTR records then I've seen that when I add new zone records with same IPs (like for another domain) then the PTR records don't keep switching to the newest entry (why does it do that?).
  I don't think your use of the . in the CNAME records is correct. I think the CNAME records are probably unnecessary since you have already fully defined the domains in A records. Also, those A records probably don't need FQDNs (with the ending .). I only added mine for the reason noted above, concerning the PTR records.
  I hope someone who knows some more than I can chime in on this.
  Larry
  Message was edited by: Larry_S (removed mx from SPF TXT for main domain record, as it was redundant with the ip:)

• Virtual mail hosts: 255 character limit on SPF records

  This one was a surprise to me, and caused a lot of headache, so I thought I'd pass it along.
  I'm running multiple virtual mail hosts off of my doughty PowerMac single G5 1.8GHz running OS X Server 10.4.11. Some of the outgoing mail was being bounced as spam because a) there wasn't an SPF record on any of the domains and b) the domain of the mailserver didn't always match the domain of the sender. (Most often, it went out under the hostname of the server, cerberus.limbo.jcf.org—which is useless, since that's a LAN address.)
  Trying to be a good citizen (and make sure that all of everyone's mail got through), I added SPF records that explicitly named each and every mailserver on the machine, just so that everything was clear and aboveboard—but they ended up being about 500 characters long.
  Fastforward a week or two... and I was having problems with my DNS zones loading—I'd get errors that they'd timed out. After pulling my hair out for a while, I discovered that TXT records have a limit of 255 characters (including spaces, etc.) Some folks running servers on non-OS X Server machines have split the records over multiple TXT records (does that even work?), but you get exactly one TXT record per OS X Server machine: the Comment box.
  I've now simplified the SPF records so that they read something like this:
  +v=spf1 a mx mx:cerberus.limbo.jcf.org mx:cerberus.jcf.org mx:jcf.org ip:173.164.140.96/30 ip:207.58.140.213/30 include:comcast.businessclass.net include:comcast.com -all+
  To translate:
  • +v=spf1 a mx+ It authorizes deliveries from any IP listed in the DNS zone, and from any mailserver defined in the zone
  • +mx:cerberus.limbo.jcf.org mx:cerberus.jcf.org mx:jcf.org+ It also explicitly authorizes deliveries from the server's main LAN and internet DNS names as well as the domain of the foundation for which I work (and through which emails are occasionally relayed)
  • +ip:173.164.140.96/30 ip:207.58.140.213/30+ Next it authorizes the public static IP blocks for the server and the foundation's remote server
  • +include:comcast.businessclass.net include:comcast.com+ Finally it includes the domain names of the ISP through which most of the mail are relayed
  • -all The last item says that if the mail didn't originate from one of those addresses, it isn't ours.
  (I think that I've got that right. If I've botched it anywhere, let me know, okay?)
  That's 169 characters. The DNS zones loaded happily, and the mail seems to be going out without getting bounced. So far so good!
  (There's probably a way to get the hostname on each email to match the domain from which it is being addressed, but I haven't gotten there yet.)
  Message was edited by: David Kudler

  Most often, it went out under the hostname of the server, cerberus.limbo.jcf.org—which is useless, since that's a LAN address.
  You can control this via the myhostname setting in Postfix. This defines the name it uses to identify itself to remote mail servers, which sounds like it'll address a lot of your issues.
  I added SPF records that explicitly named each and every mailserver on the machine, just so that everything was clear and aboveboard—but they ended up being about 500 characters long.
  OK, this doesn't make sense. You don't need to list every virtual hostname for every domain.
  All you need to do is add this specific mail server's address in each domain.
  There's no requirement that the hostname of the mail server matches the domain name, so it's entirely valid to create an SPF record in domain1.com that lists mailserver.someotherdomain.com as authoritative. Then, as long as postfix's myhostname says it's mailserver.someotherdomain.com and your reverse DNS resolves to that address your problem is solved.
  ...but you get exactly one TXT record per OS X Server machine: the Comment box.
  Unless you edit your zone file directly and add whatever other records you like. However, given the above, I don't think the 255-character limit should be an issue.
  Even if you didn't want to mess with your zone files directly there's still a way around that - SPF allows for an 'include' record which basically tells remote servers to include the record from some other domain, so for each domain you could just tell it to include some other domain's record (which, in turn, could include another domain) allowing virtually unlimited record length (or, at least, 255 characters per domain you manage).
  SPF Includes are covered here.
  • include:comcast.businessclass.net include:comcast.com Finally it includes the domain names of the ISP through which most of the mail are relayed
  Bzzzz. You've now allowed any other customer of comcastbusiness.net and comcast.com to send mail on your behalf. You probably don't want to do that. When you consider that 'comcast.com' includes every one of their residential customers you can see that you really don't want to do that.

• Creating SPF records

  Having run a few tests on our Server, on of the errors that has come up is that we don't have any SPF records.
  Doing a search sends me to the following site, but it always comes up with the error - System Maintenance in progress. Please try again later.
  microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
  Having looked at some other sites, I come up with different answers.
  Here is my example, our website is hosted by another company, but we run our own mail server.  I have used the following examples
  domain - mydomain.com
  mail server ip - 1.2.3.4
  One wizard come up with the following to add to my DNS
  mydomain.com.  IN TXT "v=spf1 ip4:1.2.3.4"
  Another wizard comes up with the following
  "v=spf1 ip4:1.2.3.4 ?all"
  Another wizard comes up with the following
  "v=spf1 ip4:1.2.3.4 -all"
  Any advice appreciated.
  Trevor

  Hi
  No ones mentioned this that I;ve seen. But the SPF settings get applied to the domain at Nameserver level, so not on the local server, but wherever is configured that
  www.mydomain.com - goes to 10.20.30.40 and remote.mydomain.com goes to 1.2.3.4 and mail.mydomain.com go to 1.2.3.4 etc
  On the name server you set up a new TXT for .mydomain.com
  the values need to have
  v=spf1 - to show this is the SPF settings
  I would then add the IP's and Domains of any PC authorised to send emails on your behalf
  i.e. +ip4:1.2.3.4 +a:mail.mydomain.com +a:remote.mydomain.com - This covers your server doing email directly from it... some SPF servers I've found look for the a record and not IP when tracing back (usually pain ones, so never hurts to add as resolves
  to same place)
  If your website hosted elsewhere has an email form on it you'll need to authorise your webserver to send on your behalf as it will most likely send from a @mydomain.com email address (your own server could class it as spam if not included)
  so +ip4:x.x.x.x(webserver IP) +a:www.mydomain.com
  As for the all bit
  -all is best - means no one else can pretend to be you. I;ve not used ?all, but due to the experience I'm about to explain it could be useful (saves having to use ~all which makes spf pointless)
  If you use -all SPF checkers will only allow emails to come from authorised senders. This leads to a problem with people they email without things set up right... had a few problems. A clients customer, had a spam checker that was offsite, that forwards
  the email on to the server. so email goes from SenderA to SpamCheckerB. SpamCheckerB scans the email and then forwards on to mailserverC
  MailserverC is also set up to check for spam including SPF..... problems is the email has been 'officially' sent from SpamcheckerB and not SenderA.... thus gets rejected by SPF
  If senderA doesn;t use SPF it all goes through fine, or if SPF set to ~all goes through fine
  Obviously this is a bad set up at the customers end, but if your client or yourself can not send to certain customers (no matter how misconfigured they are, and it being their fault) has a knock on to the business
  So please be aware of that if you use -all which is obviously best. Not sure what ?all would do in this case...
  so my setting for your SPF would be
  v=spf1 +ip4:1.2.3.4 +a:mail.mydomain.com +a:remote.mydomain.com +ip4:x.x.x.x(webserver IP) +a:www.mydomain.com -all
  Hope this helps and gives you some trouble shooting ideas in advance

• After adding SPF records for Hybrid Development some external mails bounced back with error SPF Unauthorized mail is prohibited.

  Added v=spf1 include:spf.protection.outlook.com -all and the txt token for the Exchange 2013 hybrid configuration, now some mails bounced back with the error "SPF Unauthorized mail is prohibited". What could be the cause? Should I customized
  the SPF record but it is not mentioned in the procedures for Hybrid configuration to do that. 

  Hi,
  Would you like to mark Ed's reply as an answer so that others can find the solution easily.
  Have a nice day : )
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• How do I set an SPF record?

  I'm quite unfamiliar with SPF records, but I'm using FreshBooks to invoice my clients. However, my invoices seem to be going to many people's junk and spam folders. Freshbooks is suggesting to set an SPF record to avoid this. Can this be done with icloud emails, or is this specifically for a privately owned domain email?

  If you have set up your Domain A-record on the registra to point web traffic to BC you do not set up another A-record in BC.

• Help Creating an SPF record

  Hi, 
  I would need help please in creating an SPF record.
  here's the following informations i can provide
  Our organization host an exchange server 2010 wish uses popcon to retreive the emails of each users from my mail hosting ISP provider
  the purpose of exchange is purely just for mailbox backups, and retrieval of deleted e-mails (Running ESXI5.5 and VEEAM)
  our ISP MX record is :
  mail.cciaz.org.lb (194.126.18.130)
  incomming mail server: webmail.cciaz.org.lb (194.126.18.130)
  users outside the organization uses OWA and/or outlook anywhere for some
  External owa adress: mail2.cciaz.org.lb (92.62.166.249)
  could plz someone point me in the right direction in creating an SPF record
  Original problem is:
  many users when opening their outlook, receives massive (200+) random receipts (undeliverable) from addresses they dont even know or sent to (ea: canada.com, aol.com,
  etc...)
  Thank you

  Hi,
  For your information:
  Configuring DNS, MX, and SPF Records and Settings
  http://technet.microsoft.com/en-us/library/ff714972.aspx
  Description of Sender Policy Framework (SPF) records
  http://support.microsoft.com/kb/2640313
  Here is a similar thread:
  spf records
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/9b5fef7a-1d5f-4b9d-aa9a-2aaa6b2e8e1a/spf-records
  Hope this helps.

• DNS spf record for Microsoft

  The spf record for Microsoft has a “ ~ALL “.  What does this do and how do we make use of the same for our domain names?
  NSLOOKUP Output for Microsoft.com:
  > server 4.2.2.1
  Default Server:  vnsc-pri.sys.gtei.net
  Address:  4.2.2.1
  > set type=ANY
  > microsoft.com
  Server:  vnsc-pri.sys.gtei.net
  Address:  4.2.2.1
  Non-authoritative answer:
  microsoft.com   text =
          "v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com inc
  lude:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com ~all"
  microsoft.com
          primary name server = dns.cp.msft.net
          responsible mail addr = msnhst.microsoft.com
          serial  = 2007053102
          refresh = 300 (5 mins)
          retry   = 600 (10 mins)
          expire  = 2419200 (28 days)
          default TTL = 3600 (1 hour)
  microsoft.com   MX preference = 10, mail exchanger = maila.microsoft.com
  microsoft.com   MX preference = 10, mail exchanger = mailb.microsoft.com
  microsoft.com   MX preference = 10, mail exchanger = mailc.microsoft.com
  microsoft.com   internet address = 207.46.232.182
  microsoft.com   internet address = 207.46.197.32
  microsoft.com   nameserver = ns4.msft.net
  microsoft.com   nameserver = ns5.msft.net
  microsoft.com   nameserver = ns1.msft.net
  microsoft.com   nameserver = ns2.msft.net
  microsoft.com   nameserver = ns3.msft.net
  ==
  Thanks,

  Mechanisms are prefixed with qualifiers:
  "+" Pass
  "-" Fail
  "~" SoftFail
  "?" Neutral
  Mechanisms are evaluated in order and when no matche, the default will be "Neutral".
  If there is no SPF for a domain, the result is "None". If a domain has a temp error during DNS processing, you get the result "TempError" (called "error" in earlier drafts). If some kind of syntax or evaluation error occurs (eg. the domain specifies an unrecognized
  mechanism) the result is "PermError" (formerly "unknown").
  Evaluation of an SPF record can return any of these results:
  Pass -The SPF record designates the host to be allowed to send accept
  Fail -The SPF record has designated the host as NOT being allowed to send reject
  SoftFail - The SPF record has designated the host as NOT being allowed to send but is in transition accept but mark
  Neutral - The SPF record specifies explicitly that nothing can be said about validity accept
  None - The domain does not have an SPF record or the SPF record does not evaluate to a result accept
  PermError - A permanent error has occured (eg. badly formatted SPF record) unspecified
  TempError - A transient error has occured accept or reject
  Marcus @ www.wormy.com

• SPF record confusion

  I've read through a number of forum posts here and elsewhere and still find this a confusing thing to setup.  I believe it is partly because of the way terminology is being used.
  We host our own email on Exchange 2010 servers and have a number of email domains.
  domaina.com
  domainb.com
  domainc.com
  domaind.com
  The mx records for all the above domains look like: mail.domaina.com IPADDRESS (same for domain b, domain c, etc).
  We use an external email filtering service.  As a result, our MX records list the filtering service addresses as the highest priority, with our own mail host listed last: mail.ourdomain.com
  We only send mail from our own email servers.  We do not relay any of our email to another server for delivery to the internet.  We do not use the email filtering service for any outbound email.
  I only want to include the three servers of ours that deliver mail to the internet in our SPF record.
  In the past, when I have done a telnet session to test SMTP from another server inside our network to one of the outbound servers, our server might respond with a different hostname in the HELO/EHLO (one of the four different mail.domaina.com, mail.domainb.com,
  mail.domainc.com or mail.domaind.com hostnames).  For the example, I will say that mail.domaina.com is our primary mail domain which also matches the subject name on our SSL certificates.
  Using a number of different SPF record generating tools, I come up with different SPF records and reading the SPF record creation guidelines, I don't find it any more clear.
  Some of the tools even suggest that the email server names be included in the SPF record.  Here is what was suggested, more or less, by the SPF record generating tools:
  "v=spf1 mx a a:hubtransportserver1.domaina.com a:hubtransportserver2.domaina.com a:hubtransportserver3.domaina.com ip4:xxx.xxx.xxx.202/31 ~all"
  I used a CIDR calculator to convert the three public IP addresses used by our outbound email servers to generate the CIDR range.
  With the information above, can anyone offer guidance on what the proper SPF record format is?  The Microsoft SPF tool is still broken - you can't add more than one mx record domain, no matter how you enter them in the box.  It will work if you only
  enter one mx record domain.
  Any help is appreciated!

  it should have the IP addresses or the domain name of all the server which is authorized to receive the email for your domain 
  Example:
  "v=spf1 ip4:192.168.0.1/16 -all"
  example.com. IN TXT "v=spf1 include:example.net -all"
  ; AND
  example1.com. IN SPF "v=spf1 include:example1.net -all"

• Spam filter stripping SPF record

  Hello, we are using exchange online protection for spam filtering before anything gets to the on premise sonicwall spam filter. When messages do get through, the sonicwalll is marking some of them as SPF failure so they are being blocked. We never had this
  issue before on legit messages.
  Is there something in EOP that strips SPF records?
  Thanks,

  Hi,
  I think the mechanisms of Anti-Spam of EOP and SPF are different:
  SPF record is a text (TXT) record that helps prevent spoofing and phishing by verifying the domain name.
  Anti-spam feature in EOP uses Content Filtering policy. For more referernce:
  Anti-Spam Protection FAQ
  https://technet.microsoft.com/en-us/library/jj937231(v=exchg.150).aspx
  EOP features
  https://technet.microsoft.com/en-us/library/dn762130(v=exchg.150).aspx
  Thanks,
  Simon Wu
  TechNet Community Support

• Which mail servers go in SPF records?

  It is not clear to me if the mail server that initiates email being sent needs to be in the SPF record or every server the mail relays through in our domain or only the last server that is directly connected to the Internet.
  If our mail starts from our Exchange server and is relayed to a spam appliance and relayed again to a Unix mail server and finally out to the Internet, do we only put the last part of the chain in the SPF record (the Unix mail server) or do we also need
  the originating mail server (Exchange) and any other servers it relays through included in the SPF record?

  My understanding of using SPF records is that you only need to include the server(s) that ultimately delivers the mail out to the internet.  When my server receives email from you, it checks for an SPF record that specifies that your server which
  it is receiving the mail from is allowed to send the mail.

• SPF records: ~all flag

  We use a couple of different email vendors for sending external mail.  Both suggest using a: ~all flag for SPF.  Can you have multiple ~all flags in an SPF record?  Or can I only use this once at the end of the SPF record?

  Using ~all flags at the end once should suffice.  
  You can have something like:
  v=spf1 ip4:x.x.x.x/16 (CIDR) mx ptr:Sender1.domain.com ptr:Sender2.domain.com include:domain.com ~all
  As you can see there is only one ~all flags used. 
  You can validate yours by using Microsoft's Sender ID Framework SPF Record Wizard utility:
  Sender ID Framework SPF Record Wizard
  http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
  More information on Sender Policy Framework can be found via the following link:
  http://www.openspf.org/SPF_Record_Syntax
  CK

• TXT (SPF) record

  Where do I enter the SPF record? Does this go in Leopard Server somewhere or does this get entered at my Registrar, or both? I have the option of entering in the TXT record at my domains registrar if need be.
  Thanks

  It needs to be where the authoritative NS for your domain is.

• SPF record in DNS

  The BC migration instructions here http://adobebcmigration.com/instructions say to add "v=spf1 mx include:worldsecuresystems.com ~all"
  My existing SPF record as an Office 365 customer was:
  "v=spf1 include:spf.protection.outlook.com -all"
  I have changed it to:
  "v=spf1 include:spf.protection.outlook.com include:worldsecuresystems.com -all" (note without MX)
  What is the MX for in your instructions? Is it required? I don't want to break the Microsoft SPF record by adding it.
  Also, I believe the ~ (tilde) is wrong and should be a hyphen?

  I'm eager to know this too... anyone have an answer? I hope this thread doesn't get lost in the fray.