Solved

SPF setup

Posted on 2004-09-16
398 Views
Last Modified: 2010-04-20
Hi

Am I correct in believing that SPF is now the final and standard "Sender ID" method that will be used by most people? If so, I'd like to get some info on the configuration for my domains.

Currently all my domains have zone files that look typically like this:

----------------------------------------------------------------------
;
; Forward resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      192.0.2.10   ; placeholder address (RFC 5737 documentation range)
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

----------------------------------------------------------------


ie, this server is both the primary DNS AND www, ftp, mail etc host for most of my domains.

I won't have ANY "fancy" mail configurations, like relaying from other hosts etc. All my users (for all my virtual domains) use this server to send and receive e-mail, and they must authenticate before they can send.

Can someone show me, by adding the appropriate lines to the zone file above, how a zone file should look to "work" with SPF? Also, what do I need to do on my server to make sure that all e-mail received "complies" with SPF?


Question by: psimation

6 Comments
 
LVL 5

Expert Comment

by: Anonymouslemming
I'm not sure about the DNS side of things, but you will need to make changes to your MTA software if you want your server to block messages based on SPF. You don't mention what MTA you use, but there are documented HOWTOs for most of them.

Out of curiosity, how are you authing your users before they can send mail? POP-before-SMTP or SMTP AUTH?
 
LVL 17

Author Comment

by: psimation
Hi Anonymouslemming:

MTA = sendmail, and I use SMTP Auth

I read on sendmail.org that you need a milter?
 
LVL 40

Expert Comment

by: jlevie
I hope that the sample above isn't what you have in the zone file since it is missing A records for alpha and beta and should look like:

$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      192.0.2.10   ; placeholder addresses (RFC 5737 documentation range)
alpha         IN  A      192.0.2.10
beta          IN  A      192.0.2.11
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

Since you only have a single MX and since that points to your only mail server the SPF information could be "v=spf1 mx -all". Which means that you'd add a TXT record for the domain, like:

              IN  MX 10  alpha.mydomain.com.

              IN  A      192.0.2.10
              IN  TXT    "v=spf1 mx -all"
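What a receiving MTA (or a sendmail milter) actually does with a record like "v=spf1 mx -all", as an added example that is not code from this thread: it resolves the MX hosts of the domain in the envelope sender, compares their addresses with the connecting IP, and returns one of the standard SPF results. "pass" means an MX address matched, "fail" comes from "-all", "softfail" from "~all", "neutral" from "?all" or a record with no matching term, and "none" means the domain publishes no SPF record at all. What to do with each result is receiver policy; the smtp_action function below is one hypothetical, conservative policy (reject only a hard fail). The DNS data is a constructed dictionary standing in for real lookups, the addresses are RFC 5737 documentation ranges, and only the mechanisms this thread needs are implemented (all, ip4, ip6, a, mx; no include, redirect, exists, ptr or macros).

```python
"""Minimal SPF evaluator (subset of RFC 7208) run against a constructed, offline DNS table.
Added example for this thread; all zone data below is made up (RFC 5737 address ranges)
and FAKE_DNS stands in for real DNS resolution."""
import ipaddress

# Constructed stand-in for DNS: (owner name, rrtype) -> list of rdata strings.
FAKE_DNS = {
    ("mydomain.com.", "TXT"):         ['v=spf1 mx -all'],         # the record from the thread
    ("mydomain.com.", "MX"):          ["10 alpha.mydomain.com."],
    ("mydomain.com.", "A"):           ["192.0.2.10"],
    ("alpha.mydomain.com.", "A"):     ["192.0.2.10"],
    ("beta.mydomain.com.", "A"):      ["192.0.2.11"],             # secondary NS, not an MX
    ("virtual-example.com.", "TXT"):  ['v=spf1 mx ~all'],         # softfail variant
    ("virtual-example.com.", "MX"):   ["10 alpha.mydomain.com."],
    ("nospf-example.com.", "A"):      ["192.0.2.50"],             # publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    name = name.lower()
    if not name.endswith("."):
        name += "."
    return FAKE_DNS.get((name, rrtype), [])


def spf_record(domain):
    """RFC 7208 s.3: exactly one TXT record starting with 'v=spf1', otherwise no usable record."""
    recs = [r for r in lookup(domain, "TXT")
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def host_has_ip(name, ip):
    return any(ip == ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA"))


def mechanism_matches(mech, ip, domain):
    """True if the (qualifier-stripped) mechanism matches the connecting IP."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)   # a bare address becomes /32 or /128
        return ip.version == net.version and ip in net
    if name == "a":
        return host_has_ip(arg or domain, ip)
    if name == "mx":
        for rr in lookup(arg or domain, "MX"):
            _pref, host = rr.split()
            if host_has_ip(host, ip):
                return True
        return False
    raise ValueError("mechanism not implemented in this example: " + mech)


def check_host(ip_str, sender_domain):
    """SPF result for mail from ip_str whose envelope sender is in sender_domain."""
    ip = ipaddress.ip_address(ip_str)
    rec = spf_record(sender_domain)
    if rec is None:
        return "none"
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if mechanism_matches(term, ip, sender_domain):
            return QUALIFIERS[qual]
    return "neutral"   # nothing matched and no trailing 'all' term (RFC 7208 s.4.7)


def smtp_action(result):
    """Hypothetical receiver policy: reject only a hard fail, let the spam scorer handle the rest."""
    return "reject" if result == "fail" else "accept"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "mydomain.com"), ("192.0.2.11", "mydomain.com"),
                    ("198.51.100.5", "virtual-example.com"), ("198.51.100.5", "nospf-example.com")]:
        r = check_host(ip, dom)
        print(f"{ip:>14} claiming {dom:<20} -> {r:<8} ({smtp_action(r)})")
```

Note that beta.mydomain.com (192.0.2.11) fails even though it is a legitimate host of the domain: "mx" authorizes only the MX targets, so any box that sends mail for the domain must either be an MX or be listed with an additional "a:" or "ip4:" term.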
 
LVL 17

Author Comment

by: psimation
Hi Jim
Yes, you are right (as always), my example is of one of my virtual domains, and the zone file for the "real" domain (the FQDN of the server) looks exactly as you state.

So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files and restart named?

Are you also using SPF on your servers, or am I barking up the wrong tree (ie, is "this the way to go"  - I don't want to waste my time setting up SPF just to find out there is another "standard" that is actually the industry standard for checking sender id?)

Do you know what needs to be done on sendmail's side in order to also check incoming mail for SPF, and what are the implications of running it now for incoming mail while everyone might not yet be configured that way (will it refuse mail, quarantine it or still deliver)?


 
LVL 40

Accepted Solution

by: jlevie (earned 250 total points)
> So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files

No it must be added immediately after the A record for the domain, like I showed above.

I've started publishing the SPF data for sites, but I haven't yet started checking it at the sendmail level. It looks to me like SPF will be widely adopted as a measure of spam control, since it has reached RFC status. What I'll probably do initially is to bump the SpamAssassin score up for messages that don't have the SPF "seal of approval" and down for those that do.

I'm not so sure about M$'s SecureID. Unless they change the license agreement it doesn't look like any of the OpenSource advocates will use it. I saw that the Apache project has rejected it on the basis of the license and have heard that others intend to announce the same.

See http://spf.pobox.com/ for lots of information about SPF.
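Why the position of that TXT line matters, as an added example that is not code from this thread: in BIND master-file syntax a record whose owner field is blank takes the owner name of the preceding record (RFC 1035 section 5.1). Pasted after the "www IN CNAME" line, "IN TXT "v=spf1 mx -all"" therefore publishes SPF for www.mydomain.com and leaves the apex without a record, which is the case an SPF checker treats as "none". Placed directly after the apex A record it lands on mydomain.com, and written with an explicit "@" owner it lands on the apex wherever it sits. The simplified zone parser and the zone below are constructed for this illustration, using the thread's zone with RFC 5737 placeholder addresses.

```python
"""Shows how a blank owner field in a BIND master file inherits the previous record's owner,
so the same SPF TXT line publishes for different names depending on where it is pasted.
Added example for this thread; the parser is a constructed, simplified one and the zone
uses RFC 5737 placeholder addresses."""

ORIGIN = "mydomain.com."
APEX_A = "              IN  A      192.0.2.10"
SPF_BLANK_OWNER = '              IN  TXT    "v=spf1 mx -all"'
SPF_EXPLICIT_OWNER = '@             IN  TXT    "v=spf1 mx -all"'

ZONE_LINES = [
    "$TTL 86400",
    "@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (",
    "      2004042805   ; Serial",
    "           10800   ; Refresh",
    "            3600   ; Retry",
    "          604800   ; Expire",
    "           86400)  ; Minimum",
    "",
    "              IN  NS     alpha.mydomain.com.",
    "              IN  NS     beta.mydomain.com.",
    "",
    "              IN  MX 10  alpha.mydomain.com.",
    "",
    APEX_A,
    "alpha         IN  A      192.0.2.10",
    "beta          IN  A      192.0.2.11",
    "ftp           IN  CNAME  alpha.mydomain.com.",
    "mail          IN  CNAME  alpha.mydomain.com.",
    "www           IN  CNAME  alpha.mydomain.com.",
]


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted string (TXT rdata)."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def _qualify(owner, origin):
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else owner + "." + origin


def parse_zone(lines, origin):
    """Return [(owner FQDN, rrtype, rdata)], handling blank-owner inheritance, $ORIGIN,
    optional TTL/class fields and parenthesised multi-line records such as the SOA."""
    records, current_owner, pending = [], origin, ""
    for raw in lines:
        line = _strip_comment(raw)
        if pending:                                   # still inside an open '('
            pending += " " + line.strip()
            if ")" not in line:
                continue
            line, pending = pending, ""
        elif "(" in line and ")" not in line:
            pending = line
            continue
        if not line.strip():
            continue
        if line.lstrip().startswith("$"):
            directive = line.split()
            if directive[0].upper() == "$ORIGIN":
                origin = directive[1]
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        if line[0].isspace():
            owner = current_owner                     # blank owner: inherit the previous one
        else:
            owner = current_owner = fields.pop(0)
        if fields and fields[0].isdigit():            # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)
        records.append((_qualify(owner, origin), fields[0].upper(), " ".join(fields[1:])))
    return records


def spf_owners(lines):
    """Owner names that end up carrying an SPF TXT record."""
    return [o for o, t, r in parse_zone(lines, ORIGIN) if t == "TXT" and "v=spf1" in r.lower()]


def appended_at_bottom():
    return spf_owners(ZONE_LINES + [SPF_BLANK_OWNER])


def placed_after_apex_a():
    i = ZONE_LINES.index(APEX_A)
    return spf_owners(ZONE_LINES[:i + 1] + [SPF_BLANK_OWNER] + ZONE_LINES[i + 1:])


def explicit_owner_at_bottom():
    return spf_owners(ZONE_LINES + [SPF_EXPLICIT_OWNER])


if __name__ == "__main__":
    print("blank owner at bottom    ->", appended_at_bottom())       # ['www.mydomain.com.']
    print("blank owner after apex A ->", placed_after_apex_a())      # ['mydomain.com.']
    print("explicit '@' at bottom   ->", explicit_owner_at_bottom()) # ['mydomain.com.']
```

After editing, bump the SOA serial and reload, then confirm with something like `dig +short TXT mydomain.com` that the record answers for the apex and not only for www.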
 
LVL 17

Author Comment

by: psimation
Thanks Jim

