EmailDiscussions.com  

Old 18 Feb 2007, 10:16 PM   #1
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
SPF records

I'm trying to set up an SPF record for my domain. Now this is very new to me, I just want to make sure I'm doing things properly.

First off, the domain is registered by Heart Internet in UK. The MX records are with Fastmail, all the other settings are at Heart default. Now I only send email thru' either Fastmail web interface or via email client at home using only FM's secure smtp. I do not intend on using even my ISP's smtp (never have, never need to).

Where I'm confused, do I input FM's servers AND Heart Internet servers in the spf record? My thought is to not use Heart servers as I don't send email from there, only as a back up to receive mail if FM goes bad (i.e. I use the supplied mail forwarder at Heart only).

I used the online spf creator at openspf, and this is what I came up with:

v=spf1 mx ~all

This according to openspf will allow all 3 MX servers (2 FM's and 1 Heart Internet).

Thanks in advance!

Old 19 Feb 2007, 01:36 AM   #2
Sherry
 Moderator 
 
Join Date: Dec 2002
Location: USA
Posts: 8,687
[Moderator:]

I have moved your thread from The Technical Zone to the "Fastmail.FM Help and Current Issues" forum.
Old 19 Feb 2007, 02:30 AM   #3
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Quote:
Originally posted by Sherry
[Moderator:]

I have moved your thread from The Technical Zone to the "Fastmail.FM Help and Current Issues" forum.
Ok thanks..

Follow up...I think the spf I created is wrong as out1,2,3 and 4 are not being recognized as valid. So here's what I did:

v=spf1 ip4:66.111.4.28, ip4:66.111.4.25, ip4:66.111.4.26, ip4:66.111.4.27 mx -all

Rob M, does this look right to you?

Last edited by walesrob : 19 Feb 2007 at 02:40 AM.
Old 19 Feb 2007, 04:40 AM   #4
DrStrabismus
The "e" in e-mail
 
Join Date: May 2002
Posts: 2,804
As I've said before, even if Fastmail don't want to use SPF, they should still create an SPF record on a domain that isn't used for email, so people can include it.
Old 19 Feb 2007, 04:47 AM   #5
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Quote:
Originally posted by DrStrabismus
As I've said before, even if Fastmail don't want to use SPF, they should still create an SPF record on a domain that isn't used for email, so people can include it.
Ok, I've done some more research on this forum, and there is general agreement that SPF is not really the ideal way to solve the problem of forged emails on a domain, but you are correct about creating an SPF record for a domain that isn't used for email.

Of course, I like to mess with things, and I went ahead anyway and tried the v=spf1 ip4:66.111.4.28, ip4:66.111.4.25, ip4:66.111.4.26, ip4:66.111.4.27 mx -all combination, but this only confused gmail and tuffmail who both returned unknown format in the SPF in the headers?
Old 19 Feb 2007, 05:16 AM   #6
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 743
Try removing the commas.
Old 19 Feb 2007, 10:05 AM   #7
Scott Kitterman
Essential Contributor
 
Join Date: Sep 2006
Location: Ellicott City, MD, USA
Posts: 206

Representative of:
ControlledMail.com
Yes. Definitely remove the commas.

Additionally, while SPF is certainly not ideal, I don't think there is a better alternative available now.
Old 19 Feb 2007, 05:31 PM   #8
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Quote:
Originally posted by Scott Kitterman
Yes. Definitely remove the commas.

Additionally, while SPF is certainly not ideal, I don't think there is a better alternative available now.
Thanks, that's done the trick.
Old 20 Feb 2007, 08:12 AM   #9
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
SPF supports an "include" option. I've created a ticket for Bron to add spf.messagingengine.com so people can "include" that in case we change in the future. It should be an easy change, so I'll bump him again to do that.

Rob
Old 2 Mar 2007, 02:38 AM   #10
BinaryTB
Essential Contributor
 
Join Date: Mar 2003
Location: Boston, MA
Posts: 271
Quote:
Originally Posted by robmueller
SPF supports an "include" option. I've created a ticket for Bron to add spf.messagingengine.com so people can "include" that in case we change in the future. It should be an easy change, so I'll bump him again to do that.
Any updates on this?
Old 2 Mar 2007, 01:42 PM   #11
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
Ok, I nagged Bron enough and it's done now.

$ dig +short txt spf.messagingengine.com
"v=spf1 ip4:66.111.4.0/24 -all"

$ dig +short a spf.messagingengine.com
66.11.4.27
66.11.4.25
66.11.4.28
66.11.4.29
66.11.4.26

So you can use it one of two ways.

1. Add an include SPF record for your domain from spf.messagingengine.com

"v=spf1 include:spf.messagingengine.com -all"

2. Add an a SPF record for your domain to spf.messagingengine.com

"v=spf1 a:spf.messagingengine.com -all"

I haven't actually tested these yet, and they're obviously not being applied to any of our domains directly, these are for users to add to their domains if they control the DNS for their own domains.

At some stage, we may add an "SPF?" column to the Virtual Domains screen, or more likely a DNS management screen for domains that would add this as an option.

Rob
Old 3 Mar 2007, 04:52 PM   #12
BinaryTB
Essential Contributor
 
Join Date: Mar 2003
Location: Boston, MA
Posts: 271
2 comments...

1) What about ip 66.139.75.100?
2) You've added a "-all" in the TXT record. That's a bit strict, but more to the point, an include record shouldn't add any type of "all" suffix, that's up to the domain owner who will be using the include record. I know I can't use the record since I don't exclusively use FM's smtp servers.

So maybe something like this instead?
"v=spf1 ip4:66.111.4.0/24 ip4:66.139.75.100"

That way my domain can have a txt record like:
"v=spf1 include:spf.messagingengine.com include:customer-spf.mxes.net include:gmail.com ~all"

...including Fastmail, Tuffmail, & Gmail and still keeping it slightly open in case one of my family members decides to use the ISP smtp server.
Old 5 Mar 2007, 06:49 AM   #13
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
Re: 1) What about ip 66.139.75.100?

I'll add it in shortly.

Re: 2) You've added a "-all" in the TXT record. That's a bit strict, but more to the point, an include record shouldn't add any type of "all" suffix, that's up to the domain owner who will be using the include record. I know I can't use the record since I don't exclusively use FM's smtp servers.

This is fine. From the docs...

http://www.openspf.org/SPF_Record_Syntax#include

Quote:
In hindsight, the name "include" was poorly chosen. Only the evaluated result of the referenced SPF record is used, rather than acting as if the referenced SPF record was literally included in the first. For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall Fail. (Better names for this mechanism would have been "if-pass", "on-pass", etc.)
Rob
Old 5 Mar 2007, 08:36 AM   #14
BinaryTB
Essential Contributor
 
Join Date: Mar 2003
Location: Boston, MA
Posts: 271
Quote:
Originally Posted by robmueller
Didn't realize that, thanks for the info. I guess "redirect:" is the more dangerous one then, better just to use "include:".

Also, I did a quick TXT lookup on spf.messagingengine.com, it looks like the record has some invalid characters. Copy paste from DNS Stuff:

Code:
Searching for spf.messagingengine.com TXT record at ns1.messagingengine.com. [66.111.4.2]: Reports "v=spf1 ip4:66.111.4.0/24 ip4:" "6.139.75.100 -allÀ" [took 7 ms]

Response:

Invalid DNS packet: DNS packet out-of-bounds
Old 6 Mar 2007, 07:59 AM   #15
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
My fault, I buggered up the record. Should be fixed now.

$ dig +short @ns1.messagingengine.com spf.messagingengine.com txt
"v=spf1 ip4:66.111.4.0/24 ip4:66.139.75.100 -all"

Rob
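
Added example, not part of any post in this thread: a minimal Python evaluator for a subset of SPF (ip4, include, all) that shows why the comma-separated record came back as an error and why the "-all" inside spf.messagingengine.com does not force a Fail on a domain that includes it. The lookup table stands in for DNS, and example.org and broken.example are hypothetical domains; the record strings are the ones quoted in the thread.

```python
import ipaddress

# Constructed lookup table standing in for DNS TXT queries (assumption: no network).
# Record strings are quoted from the thread; example.org and broken.example
# are hypothetical customer domains.
RECORDS = {
    "spf.messagingengine.com": "v=spf1 ip4:66.111.4.0/24 ip4:66.139.75.100 -all",
    "example.org": "v=spf1 include:spf.messagingengine.com ~all",
    "broken.example": "v=spf1 ip4:66.111.4.28, ip4:66.111.4.25, ip4:66.111.4.26, ip4:66.111.4.27 mx -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for a connecting IP."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # SPF caps DNS-querying terms at 10; simplified here to nesting depth
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        try:
            if name == "all" and not arg:
                matched = True
            elif name == "ip4":
                # A trailing comma makes the address unparsable -> ValueError.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif name == "include":
                inner = check_host(ip, arg, depth + 1)
                if inner in ("none", "permerror"):
                    return "permerror"
                # Only an inner "pass" matches; an inner "-all" fail just means
                # "no match" and evaluation continues in the outer record.
                matched = inner == "pass"
            elif name in ("a", "mx", "ptr", "exists"):
                raise NotImplementedError(name)  # valid SPF, outside this subset
            else:
                return "permerror"  # term not recognised by this subset
        except ValueError:
            return "permerror"  # malformed term
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term
```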
All times are GMT +9.