Solved

SPF setup

Posted on 2004-09-16
6
Medium Priority
404 Views
Last Modified: 2010-04-20
Hi

Am I correct in believing that SPF is now the final and standard "Sender ID" method that will be used by most people? If so, I'd like to get some info on the configuration for my domains.

Currently all my domains have zone files that look typically like this:

----------------------------------------------------------------------
;
; Forward resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

----------------------------------------------------------------


i.e., this server is both the primary DNS AND www, ftp, mail etc. host for most of my domains.

I won't have ANY "fancy" mail configurations, like relaying from other hosts etc. All my users (for all my virtual domains) use this server to send and receive e-mail, and they must authenticate before they can send.

Can someone show me, by adding the appropriate lines to the zone file above, how a zone file should look to "work" with SPF? Also, what do I need to do on my server to make sure that all e-mail received "complies" with SPF?


0
Comment
Question by:psimation
6 Comments
 
LVL 5

Expert Comment

by:Anonymouslemming
ID: 12074901
I'm not sure about the DNS side of things, but you will need to make changes to your MTA software if you want your server to block messages based on SPF. You don't mention what MTA you use, but there are documented HOWTOs for most of them.

Out of curiosity, how are you authenticating your users before they can send mail? POP before SMTP or SMTP AUTH?
0
 
LVL 17

Author Comment

by:psimation
ID: 12075106
Hi Anonymouslemming:

MTA = sendmail, and I use SMTP Auth

I read on sendmail.org that you need a milter?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12075272
I hope that the sample above isn't what you have in the zone file since it is missing A records for alpha and beta and should look like:

$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
alpha         IN  A      999.999.999.998
beta          IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

Since you only have a single MX and since that points to your only mail server the SPF information could be "v=spf1 mx -all". Which means that you'd add a TXT record for the domain, like:

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
              IN  TXT    "v=spf1 mx -all"
0
 
LVL 17

Author Comment

by:psimation
ID: 12075441
Hi Jim
Yes, you are right (as always); my example is of one of my virtual domains, and the zone file for the "real" domain (the FQDN of the server) looks exactly as you state.

So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files and restart named?

Are you also using SPF on your servers, or am I barking up the wrong tree (i.e., is this "the way to go"? I don't want to waste my time setting up SPF just to find out there is another "standard" that is actually the industry standard for checking sender ID)?

Do you know what needs to be done on sendmail's side in order to also check incoming mail for SPF, and what are the implications of running it now for incoming mail while everyone might not yet be configured that way (will it refuse mail, quarantine it or still deliver)?


0
 
LVL 40

Accepted Solution

by:
jlevie earned 1000 total points
ID: 12075925
> So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files

No it must be added immediately after the A record for the domain, like I showed above.

I've started publishing the SPF data for sites, but I haven't yet started checking it at the sendmail level. It looks to me like SPF will be widely adopted as a measure of spam control, since it has reached RFC status. What I'll probably do initially is to bump the SpamAssassin score up for messages that don't have the SPF "seal of approval" and down for those that do.

I'm not so sure about M$'s SecureID. Unless they change the license agreement it doesn't look like any of the OpenSource advocates will use it. I saw that the Apache project has rejected it on the basis of the license and have heard that others intend to announce the same.

See http://spf.pobox.com/ for lots of information about SPF.
0
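The "v=spf1 mx -all" policy from the accepted answer, evaluated the way a receiving MTA or milter would decide pass/fail for a connecting IP. This is an added Python example, not code from the thread; its DNS data is a constructed in-memory copy of the zone above, with 192.0.2.x documentation addresses standing in for the 999.999.999.999 placeholders, and it also shows why the missing A record for alpha that jlevie pointed out would turn legitimate mail into an SPF fail.

```python
import ipaddress

# Constructed offline stand-in for DNS: the zone from the thread, with
# documentation addresses (192.0.2.0/24) instead of 999.999.999.999.
ZONE = {
    "mydomain.com": {
        "MX": ["alpha.mydomain.com"],
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 mx -all"],
    },
    "alpha.mydomain.com": {"A": ["192.0.2.10"]},
    "beta.mydomain.com": {"A": ["192.0.2.11"]},
}

# Same zone as psimation's original: the MX target alpha has no A record.
BROKEN_ZONE = {"mydomain.com": ZONE["mydomain.com"]}


def lookup(name, rtype, zone=ZONE):
    return zone.get(name.rstrip(".").lower(), {}).get(rtype, [])


def spf_check(client_ip, domain, zone=ZONE):
    """Evaluate an SPF record limited to the mechanisms used in the thread:
    'mx', 'a' and 'all', with '+', '-', '~' or '?' qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    records = [t for t in lookup(domain, "TXT", zone) if t.startswith("v=spf1")]
    if not records:
        return "none"        # domain publishes no SPF policy at all
    if len(records) > 1:
        return "permerror"   # more than one SPF record is a permanent error
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return results[qualifier]
        if mech == "mx":
            hosts = lookup(domain, "MX", zone)  # MX targets; one with no A never matches
        elif mech == "a":
            hosts = [domain]
        else:
            return "permerror"  # mechanism outside this example's scope
        for host in hosts:
            if any(ipaddress.ip_address(a) == ip for a in lookup(host, "A", zone)):
                return results[qualifier]
    return "neutral"         # record ends without an 'all' term
```

With the broken zone, mail from alpha itself fails SPF because the mx mechanism cannot resolve its target, which is the practical cost of the missing A records.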
 
LVL 17

Author Comment

by:psimation
ID: 12077497
Thanks Jim

0
