SPF Examples


SPF Examples

Indunil Jayasooriya
Hi,

First of all, this is NOT an OpenBSD question.

But OpenBSD is always based on correctness, so I need a correct answer for
this; that's why I came to your mailing list.

I think THIS is the right place to ask this since you guys are Network
gurus.

Pls DO NOT  discard this mail because this is very  USEFUL.


Let's go in to below examples and pls answer my questions.


example.com.  IN    TXT  "v=spf1 a:host1.example.com -all"

The above says that the only server allowed to send mail using the
example.com domain is host1.example.com.


How can I add multiple hosts to send using the example.com domain (let's
say host1.example.com, host2.example.com and host3.example.com)?


is the below record OK?

example.com.  IN    TXT  "v=spf1 a:host1.example.com a:host2.example.com a:host3.example.com -all"


or what about this?

if host1.example.com =1.2.3.4 , host2.example.com = 1.2.3.5 and
host3.example.com = 1.2.3.6

example.com.  IN    TXT  "v=spf1 ipv4:1.2.3.4 ipv4:1.2.3.5 ipvr:1.2.3.6 -all"

Is the ABOVE line OK?



and also

can you explain these as well.


example.com.    IN    TXT    "v=spf1 mx -all"

the above says that Allow domain's MXes to send mail using the example.com
domain, prohibit all others.


what does the below record mean?

example.com.    IN    TXT    "v=spf1 mx a -all"


Does it say Allow domain's MXes and domain's A records  to send mails using
example.com domain, prohibit all others.


Waiting your INPUTS.


--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
Fonts


Re: SPF Examples

Edgar Pettijohn III-2
On 16-05-30 08:47:20, Indunil Jayasooriya wrote:

> Hi,
>
> First of all, This is NOT an OpenBSD question.
>
> But OpenBSD always is based on correctness. So I need a correct answer for
> this that's why I came to your mailing list.
>
> I think THIS is the right place to ask this since you guys are Network
> gurus.
>
> Pls DO NOT  discard this mail because this is very  USEFUL.
>
>
> Let's go in to below examples and pls answer my questions.
>
>
> example.com.  IN    TXT  "v=spf1 a:host1.example.com -all"
>
> the above says only server that is allowed to send mail using the
> example.com domain. that is host1.example.com

As long as host1.example.com has an A record.

>
>
> How can I add Multiple hosts to send using the example.com domain. ( let's
> say host1.example.com , host2.example.com and host3.example.com )
>
>
> is the below record OK?
>
> example.com.  IN    TXT  "v=spf1 a:host1.example.com a:host2.example.com a:host3.example.com -all"
>
>

As long as the A records exist.
 

> or what about this?
>
> if host1.example.com =1.2.3.4 , host2.example.com = 1.2.3.5 and
> host3.example.com = 1.2.3.6
>
> example.com.  IN    TXT  "v=spf1 ipv4:1.2.3.4 ipv4:1.2.3.5 ipvr:1.2.3.6 -all"
>
> is the ABOVE line is OK ?
>
Yes, as long as the IP addresses are correct.
 

>
>
> and also
>
> can you explain these as well.
>
>
> example.com.    IN    TXT    "v=spf1 mx -all"
>
> the above says that Allow domain's MXes to send mail using the example.com
> domain, prohibit all others.
>
>
All mx entries for example.com are allowed.

 
> what does the below record mean?
>
> example.com.    IN    TXT    "v=spf1 mx a -all"
>
>
> Does it say Allow domain's MXes and domain's A records  to send mails using
> example.com domain, prohibit all others.
>
yes

I would recommend RFC 7208; these are all easily answered in Appendix A.
 

>
> Waiting your INPUTS.
>
>
> --
> cat /etc/motd
>
> Thank you
> Indunil Jayasooriya
> http://www.theravadanet.net/
> http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
> Fonts


Re: SPF Examples

Craig Skinner-3
In reply to this post by Indunil Jayasooriya
Hi Indunil,

On 2016-05-30 Mon 08:47 AM |, Indunil Jayasooriya wrote:
>
> Waiting your INPUTS.
>

There is an SPF help mailing list, see http://www.OpenSPF.Org/Forums

Most of your questions can be answered from http://www.OpenSPF.Org/
*) FAQ
*) Best Practices
*) Record Syntax
*) testing tools

See also: http://www.zytrax.com/books/dns/ch9/spf.html?pf=yes






*NOTE*: When a domain publishes an SPF FAIL policy,
SPF breaks plain message forwarding.
(MX backup, MTA forwarding, ~/.forward, procmail/sieve forwarding).

https://en.wikipedia.org/wiki/Sender_Policy_Framework#FAIL_and_forwarding

http://www.openspf.org/Best_Practices/Checking_at_border_MTAs
'... only the initial ("border") MTA can check SPF status of a message.
Otherwise the internal MTA would see the incoming connection coming from
the border MTA.'


http://wiki.junkemailfilter.com/index.php/Email_Server_Setup_Tips#SPF_Records
http://david.woodhou.se/why-not-spf.html

http://wiki.junkemailfilter.com/index.php/Bounced_Email#SPF_is_hopelessly_broken_and_needs_to_die.21
http://wiki.junkemailfilter.com/index.php/SPF_-_Sender_Policy_Framework_-_is_broken_and_must_Die


http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html?page=3
Bob Beck:
"What's my conclusion? SPF and caller ID does 2 things,
which I would do if I were writing spam software:
  1. Encourages spammers to publish SPF records (and they have).
     The biggest SPF adopters I see are spammers.
  2. Encourages spammers not to spam from SPF-publishing addresses.

(And don't forget, this is what AOL and MSN *really* care about.)"


2004: http://www.theregister.co.uk/2004/09/03/email_authentication_spam/
"34% more spam is passing SPF checks than legitimate email because
spammers are actively registering their SPF records.
.... useful in curtailing spoofing and phishing attacks"


Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7


Re: SPF Examples

Indunil Jayasooriya
In reply to this post by Edgar Pettijohn III-2
> > what does the below record mean?
> >
> > example.com.    IN    TXT    "v=spf1 mx a -all"



when the above SPF record exists.

Let's look at with below Records


example.com. IN MX 10 mailgw1.example.com.
example.com. IN MX 20 mailgw2.example.com.
example.com. IN MX 30 mailgw3.example.com.

example.com. IN A 1.2.3.a
example.com. IN A 1.2.3.b

host1.example.com. IN A  1.2.3.c
host2.example.com. IN A 1.2.3.d
host3.example.com. IN A 1.2.3.e


that means , ALL MXes ( mailgw1.example.com , mailgw2.example.com and
mailgw3.example.com ) are allowed to send mails using example.com domain.
in addition to that  example.com ( 1.2.3.a and 1.2.3.b ) are also allowed
to send mails using example.com domain.

BUT host1.example.com ,  host2.example.com and host3.example.com and all
other hosts in the world are prohibited to send mails using domain
example.com

Your comments.



> I would recommend RFC 7208 these are all easily answered in Appendix A.
>
>
thanks for the above



>
> >
> > --
> > cat /etc/motd
> >
> > Thank you
> > Indunil Jayasooriya
> > http://www.theravadanet.net/
> > http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
> > Fonts
>
>


--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
Fonts


Re: SPF Examples

Craig Skinner-3
On 2016-06-01 Wed 09:34 AM |, Indunil Jayasooriya wrote:
> > > what does the below record mean?
> > >
> > > example.com.    IN    TXT    "v=spf1 mx a -all"
>

http://www.OpenSPF.Org/SPF_Record_Syntax#a
All the A records for domain are tested.
If the client IP is found among them, this mechanism matches.

>
> Your comments.
>

http://www.OpenSPF.Org/Forums
[hidden email]
For people needing help publishing their SPF record
or with setting up SPF checking.


Re: SPF Examples

Alex
On 06/01/2016 07:52 AM, Craig Skinner wrote:
> On 2016-06-01 Wed 09:34 AM |, Indunil Jayasooriya wrote:
>>>> what does the below record mean?
>>>>
>>>> example.com.    IN    TXT    "v=spf1 mx a -all"
>>
>
> http://www.OpenSPF.Org/SPF_Record_Syntax#a
> All the A records for domain are tested.
> If the client IP is found among them, this mechanism matches.

Do not trust this documentation, it is misleading and incomplete. The
"a" mechanism should also match AAAA records, see
https://tools.ietf.org/html/rfc7208#section-5.3

Regards,
Alex.

>>
>> Your comments.
>>
>
> http://www.OpenSPF.Org/Forums
> [hidden email]
> For people needing help publishing their SPF record
> or with setting up SPF checking.
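
The records discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from an SPF library: a small RFC 7208-style evaluator run against a constructed zone, showing how "mx a -all" treats MX hosts, the domain's own A and AAAA records, and other hosts, and how a mechanism name outside the RFC's set (such as "ipv4") yields permerror. The names `ZONE`, `addresses`, `parse` and `check_host` and all addresses are assumptions; modifiers, CIDR suffixes on a/mx, and include/ptr/exists are not modelled.

```python
import ipaddress

# Constructed zone modelled on the thread; documentation addresses, not real DNS.
ZONE = {
    ("example.com", "MX"): ["mailgw1.example.com"],
    ("example.com", "A"): ["192.0.2.1", "192.0.2.2"],
    ("example.com", "AAAA"): ["2001:db8::1"],
    ("mailgw1.example.com", "A"): ["192.0.2.10"],
    ("host1.example.com", "A"): ["192.0.2.31"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def addresses(name):
    """A and AAAA addresses of name; RFC 7208 section 5.3 tests both for "a"."""
    return [ipaddress.ip_address(a) for t in ("A", "AAAA") for a in ZONE.get((name, t), [])]

def parse(record):
    """Return [(result, mechanism, argument)]; ValueError means permerror."""
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms:  # modifiers (redirect=, exp=) are not modelled here
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism {name!r}")
        if name in ("ip4", "ip6"):
            ipaddress.ip_network(arg, strict=False)  # ValueError if malformed
        parsed.append((QUALIFIERS[qualifier], name, arg))
    return parsed

def check_host(ip, domain, record):
    """Evaluate record for a client IP; supports a, mx, ip4, ip6 and all."""
    try:
        terms = parse(record)
    except ValueError:
        return "permerror"
    client = ipaddress.ip_address(ip)
    for result, mech, arg in terms:
        if mech in ("ip4", "ip6"):
            hit = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            hit = any(client in addresses(h) for h in ZONE.get((arg or domain, "MX"), []))
        else:  # "a" or "all"; include, ptr and exists are treated as no match
            hit = mech == "all" or (mech == "a" and client in addresses(arg or domain))
        if hit:
            return result
    return "neutral"
```
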