|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
|
19 Mar 2016, 01:34 AM | #1 |
Cornerstone of the Community
Join Date: Jul 2011
Posts: 713
|
Best practices with SPF records - FastMail now using ?all
I just noticed that FastMail's SPF record now contains "?all" instead of "~all" or "-all"....
Here's FM's default SPF record:
Code:
v=spf1 include:spf.messagingengine.com ?all
I imagine part of the reasoning is that people might be sending mail from a different server, but if we know that email will ONLY originate from FM's servers, then would it be advisable for us to change it to "-all"? If not, why not?
Hoping one of the engineers from FM will read this and give feedback about this and related authentication issues to make sure our email is deliverable. |
19 Mar 2016, 06:09 AM | #2 | ||
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
Quote:
For user domains, STANDARD_SPF has always been -all. More recently (October 2015), there's also a STANDARD_RELAXEDSPF which is ?all, and that's the one we use by default (obviously, you could configure the TXT record yourself to use ?all or whatever else).
Quote:
-all is only reasonable when you can say with 100% certainty that legitimate email will never originate from anywhere but your own network. In my experience controlled corporate networks are the only places that even have a chance of using -all correctly. |
||
19 Mar 2016, 06:45 AM | #3 | |
Cornerstone of the Community
Join Date: Jul 2011
Posts: 713
|
Thank you, Robn! Very much appreciated. So it does look like there was a change to relax things a bit for user domains -- the default in the new control panel is ?all when I just added a new domain.
However, if I wanted to lock things down more, assuming I'll only be sending from the FM webmail and FM mobile app (which is really the FM webmail anyway, right?), how would I do that most effectively? Would I disable the default SPF TXT record and add a new one like this?
TXT domain.com STANDARD_SPF
or should I do it explicitly like this:
TXT domain.com v=spf1 include:spf.messagingengine.com -all
or something else?
Also, I noticed in one of my older domains, you guys migrated it over to the new interface like this:
SPF domain.com STANDARD_SPF
But the SPF option is not available anymore in the dropdown list when I add a new record. So I figure just TXT should do the trick... thoughts?
Quote:
|
|
19 Mar 2016, 10:44 AM | #4 |
Member
Join Date: Feb 2016
Posts: 47
|
The TXT record should do the trick. I always feel better putting "mx and a" in the SPF, which authorizes any MX or A records on your domain to send mail.
PHP Code:
|
19 Mar 2016, 02:41 PM | #5 | |||
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
Quote:
Quote:
Quote:
Last edited by robn : 19 Mar 2016 at 02:47 PM. |
|||
19 Mar 2016, 02:42 PM | #6 |
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
It won't hurt anything, but we will never send mail from our listed MX servers, so it won't gain you anything either.
|
19 Mar 2016, 06:30 PM | #7 |
Cornerstone of the Community
Join Date: Apr 2004
Location: Melbourne
Posts: 971
Representative of:
Fastmail.fm |
Unless you can guarantee that none of your *recipients* will ever forward mail from you (for example if you send to their Gmail address, but they actually forward all that mail to FastMail), don't use -all. Unless the forwarding system implements SRS, this SPF policy will cause mail to bounce.
Since you cannot know what your recipients will do, we do not recommend setting -all in your SPF policy, which is why the default option at FastMail is now ?all.
Neil. |
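The forwarding failure described in the post above, as an added example that is not part of the original thread: a minimal Python evaluator for a subset of SPF (ip4, include, all) applied to direct, forwarded, and SRS-rewritten delivery. The domains example.org and forwarder.example and all IP addresses are constructed, and the ip4 range given for spf.messagingengine.com is a stand-in, since its real contents are not on the page.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def make_zone(all_qualifier):
    """Constructed TXT records; documentation IP ranges stand in for real ones."""
    return {
        "example.org": f"v=spf1 include:spf.messagingengine.com {all_qualifier}all",
        "spf.messagingengine.com": "v=spf1 ip4:192.0.2.0/24 -all",   # assumed content
        "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",      # hypothetical forwarder
    }

def check_host(ip, domain, zone, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for one connecting IP."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # guard against include loops
        return "permerror"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:"):
            if ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:]):
                return RESULTS[qualifier]
        elif mech.startswith("include:"):
            # include matches only when the included record evaluates to pass
            inner = check_host(ip, mech[8:], zone, depth + 1)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"          # mechanism outside this subset
    return "neutral"

def delivery_results(all_qualifier):
    """SPF result at the final receiver for three delivery paths."""
    zone = make_zone(all_qualifier)
    # 1. Sent directly by a server listed in the included record.
    direct = check_host("192.0.2.25", "example.org", zone)
    # 2. Relayed by a forwarder that keeps the original envelope sender.
    forwarded = check_host("198.51.100.7", "example.org", zone)
    # 3. Same forwarder with SRS: envelope sender is now in its own domain.
    srs = check_host("198.51.100.7", "forwarder.example", zone)
    return direct, forwarded, srs

if __name__ == "__main__":
    for q in ("-", "~", "?"):
        print(f"{q}all ->", delivery_results(q))
```
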
21 Mar 2016, 12:51 AM | #8 |
Cornerstone of the Community
Join Date: Jul 2011
Posts: 713
|
Thank you gentlemen! Very much appreciated! Will ponder which way to go, but I definitely appreciate the detailed responses. FM FTW.
|
21 Mar 2016, 06:33 AM | #9 |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
On a semi-related note, I used my own DNS provider, and it looks like Fastmail's SPF checking in the new UI might be a bit too literal... When I go to edit my primary domain name settings, I get a message that SPF is not configured, and it recommends an SPF record of
Code:
v=spf1 include:spf.messagingengine.com ?all
My actual SPF record is:
Code:
v=spf1 include:spf.messagingengine.com include:_spf.google.com include:_spf.freshbooks.com -all |
21 Mar 2016, 06:49 AM | #10 | |
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
Quote:
I'm a little confused - hollington.ca is marked "has valid SPF" in the database. I can't see how you'd get the "SPF is not configured" warning in the UI - it's entirely based on that flag. I'll investigate further; there might be a bug somewhere. |
|
21 Mar 2016, 11:16 PM | #11 |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
Well, whatever you did (assuming you did anything), it now seems to be okay as of this morning. Yesterday wasn't an isolated incident, however — I had noticed the problem a couple of weeks ago, but didn't really have time to deal with it, and shrugged it off at the time since I couldn't see anything wrong with my SPF record and it otherwise checked out fine everywhere else.
I'm assuming that Fastmail doesn't really behave differently whether it detects a valid SPF record or not, as it's up to the receiving server to deal with mail, correct? (On the other hand, I would guess DKIM is a different story, since there's no point in signing mail without a valid record, so if Fastmail isn't detecting the DKIM record properly, it won't add the necessary signature on outgoing mail?) |
22 Mar 2016, 05:23 AM | #12 | ||||
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
Quote:
Quote:
Quote:
Quote:
|
||||
24 Mar 2016, 06:25 AM | #13 | |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
Odd, unless your lookup poked some cache in such a way that the FastMail back-end suddenly "saw" the record. I've been messing with this technology for over 30 years, and it still seems like magic to me sometimes....
It's still fine on this end, but I'm pretty sure it was consistently not okay prior to this. Quote:
|
|
26 Mar 2016, 03:56 AM | #14 |
Essential Contributor
Join Date: Oct 2003
Posts: 327
|
FM insists that "SPF is not configured!" even though I have enabled the corresponding TXT record.
What gives? |
26 Mar 2016, 06:25 AM | #15 |
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
|