Solved

SPF setup

Posted on 2004-09-16
6
401 Views
Last Modified: 2010-04-20
Hi

Am I correct in believing that SPF is now the final and standard "Sender ID" method that will be used by most people? If so, I'd like to get some info on the configuration for my domains.

Currently all my domains have zone files that look typically like this:

----------------------------------------------------------------------
;
; Forward resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

----------------------------------------------------------------


i.e., this server is both the primary DNS AND www, ftp, mail etc. host for most of my domains.

I won't have ANY "fancy" mail configurations, like relaying from other hosts etc. All my users (for all my virtual domains) use this server to send and receive e-mail, and they must authenticate before they can send.

Can someone show me, by adding the appropriate lines to the zone file above, how a zone file should look to "work" with SPF? Also, what do I need to do on my server to make sure that all e-mail received "complies" with SPF?


Question by: psimation
6 Comments
 
LVL 5

Expert Comment

by:Anonymouslemming
ID: 12074901
I'm not sure about the DNS side of things, but you will need to make changes to your MTA software if you want your server to block messages based on SPF. You don't mention what MTA you use, but there are documented HOWTOs for most of them.

Out of curiosity, how are you authing your users before they can send mail? POP before SMTP or SMTP auth?
 
LVL 17

Author Comment

by:psimation
ID: 12075106
Hi Anonymouslemming:

MTA = sendmail, and I use SMTP Auth

I read on sendmail.org that you need a milter?
 
LVL 40

Expert Comment

by:jlevie
ID: 12075272
I hope that the sample above isn't what you have in the zone file since it is missing A records for alpha and beta and should look like:

$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
alpha         IN  A      999.999.999.998
beta          IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

Since you only have a single MX, and since that points to your only mail server, the SPF information could be "v=spf1 mx -all", which means that you'd add a TXT record for the domain, like:

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
              IN  TXT "v=spf1 mx -all"

 
LVL 17

Author Comment

by:psimation
ID: 12075441
Hi Jim
Yes, you are right (as always); my example is of one of my virtual domains, and the zone file for the "real" domain (the FQDN of the server) looks exactly as you state.

So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files and restart named?

Are you also using SPF on your servers, or am I barking up the wrong tree (i.e., is "this the way to go"? I don't want to waste my time setting up SPF just to find out there is another "standard" that is actually the industry standard for checking sender ID)?

Do you know what needs to be done on sendmail's side in order to also check incoming mail for SPF, and what are the implications of running it now for incoming mail while everyone might not yet be configured that way (will it refuse mail, quarantine it or still deliver)?


 
LVL 40

Accepted Solution

by: jlevie (earned 250 total points)
ID: 12075925
> So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files

No it must be added immediately after the A record for the domain, like I showed above.

I've started publishing the SPF data for sites, but I haven't yet started checking it at the sendmail level. It looks to me like SPF will be widely adopted as a measure of spam control, since it has reached RFC status. What I'll probably do initially is to bump the SpamAssassin score up for messages that don't have the SPF "seal of approval" and down for those that do.

I'm not so sure about M$'s SecureID. Unless they change the license agreement it doesn't look like any of the OpenSource advocates will use it. I saw that the Apache project has rejected it on the basis of the license and have heard that others intend to announce the same.

See http://spf.pobox.com/ for lots of information about SPF.
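As an added example (not part of the thread or jlevie's setup), the following Python evaluates the "v=spf1 mx -all" policy from the two answers above the way a receiving MTA's SPF check would. It uses a constructed in-memory DNS table (RFC 5737 documentation addresses stand in for the 999.999.999.999 placeholders), so it runs offline; the mx mechanism resolves the domain's MX hosts to their A records, which is why only alpha passes and beta, despite being an NS for the zone, falls through to -all.

```python
import ipaddress

# Constructed DNS data standing in for the mydomain.com zone in the thread.
# Only alpha is an MX; beta is a nameserver with no mail role.
DNS = {
    "mydomain.com": {"MX": ["alpha.mydomain.com"], "TXT": ["v=spf1 mx -all"]},
    "alpha.mydomain.com": {"A": ["192.0.2.10"]},
    "beta.mydomain.com": {"A": ["192.0.2.11"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query; accepts zone-file style trailing dots."""
    return DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])


def check_host(ip, domain):
    """Evaluate sender IP against the domain's SPF record.

    Handles the mechanisms relevant to this thread (mx, a, ip4, all) with
    the four qualifiers. Returns pass/fail/softfail/neutral/none/permerror.
    """
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"          # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"     # two SPF records is a permanent error per the spec
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "mx":     # every A record of every MX host of the domain
            hosts = lookup(arg or domain, "MX")
            matched = any(addr == ipaddress.ip_address(a)
                          for h in hosts for a in lookup(h, "A"))
        elif name == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return RESULT[qualifier]
    return "neutral"           # no mechanism matched and no explicit "all"
```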
 
LVL 17

Author Comment

by:psimation
ID: 12077497
Thanks Jim
