Solved

SPF at Verio

Posted on 2006-10-25
Last Modified: 2010-01-18
I have a domain hosted at Verio. I recently became aware that my domain did not have an SPF record established that would impede spammers from using my domain (I get LOTS of emails bounced back to me referencing email addresses that do not exist at my domain).  When I connected with Verio, they indicated that SPF was not something they actively support.  I tried to research how it should be done, and used the wizard at http://www.openspf.org/wizard.html to generate the string that needs to be in the zone file, but when I subsequently ran a test at dnsreport.com it showed me a crash error, so I promptly rolled back the file.  Shouldn't I be using SPF? And, if so, can someone help me set this up?

Patrick Driscoll
**url removed by humeniuk PE - http:/help.jsp#hi106 **
Question by:padraic526
21 Comments
 
LVL 33

Expert Comment

by:humeniuk
ID: 17803438
An SPF record is very useful, so it is a good idea to use one.  If Verio won't support it, however, you should not use them for your DNS service.  For example, I use www.dnsmadeeasy.com for all of my domains/websites and I can set up an SPF easily and quickly.
0
 

Author Comment

by:padraic526
ID: 17803520
Forgive my newbie-like response when I ask what you mean by my DNS service?  Do you mean switching the registration from Verio to dnsmadeeasy.com as opposed to switching web host?
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17803730
No.  There are three elements related to hosting: 1) domain registration, 2) DNS service, 3) web hosting.  You use your domain registrar's (1) controls to point your domain to the nameservers where the DNS records for your domain reside.  Whoever provides those nameservers is your DNS service provider (2) - that is where you configure your DNS records, i.e. a host record pointing www.yourdomain.com to the IP address of your web server or an SPF record.  Your web host (3) is whoever provides the space on a web server where your website resides.

Often some of these are combined, but they don't need to be.  In other words, most domain registrars and hosting companies offer DNS service.  You can use one or the other or a third party service like in the example I included above.  On the other hand, it is always a bad idea to have your domain registration and hosting in one place.
0

 

Author Comment

by:padraic526
ID: 17804326
I have now switched to dnsmadeeasy.com and have added two domains there. I have also run the SPF wizard and added a TXT record.  Now, I don't know if things are set up correctly.  I imagine I have to wait for propagation before checking at dnsreport.com?
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17804395
You will have to wait for propagation for the SPF to take full effect, but  www.dnsreport.com should pick up the change now.  Run the report and see if your new nameservers are listed.  If so, you don't have to wait.
0
 

Author Comment

by:padraic526
ID: 17804628
Nameservers still refer to verio.
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17804830
Did you configure the domain to point to the dns made easy nameservers using your registrar's control panel?
0
 

Author Comment

by:padraic526
ID: 17805012
No, I did not (I knew there was one thing I left out).  Now, I look at the nameserver list provided by dnsmadeeasy and I see that they gave me five (ns0.dnsmadeeasy.com through ns4.dnsmadeeasy.com, each with a different IP). My control panel at Verio only shows two.  Do I enter ns0... and ns1...?

0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17805055
Did you register the domain at Verio?

If there are only two spaces, you can only use two.  One of the two should be your primary nameserver as listed in your SOA record.  This is probably ns0.dnsmadeeasy.com, so you can try ns0 and ns1.  When you do the DNS report, confirm that ns0 is listed as your primary nameserver.
0
 

Author Comment

by:padraic526
ID: 17805200
You're being very helpful. I will add the ns0 and ns1.  

Should I be concerned about any items on the status column at dnsreport.com stating "WARN", such as SOA MNAME Check?
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17805233
That's kind of subjective.  Generally for things that say 'WARN', I don't worry about them too much, but correct them if I can.  Sometimes there's nothing you can do based on what your host's config is or something along those lines.

However, I have no doubt that there are some people who take them much more seriously than I do and others who take them less seriously.
0
 

Author Comment

by:padraic526
ID: 17805247
This particular warning says, "SOA MNAME Check WARNING: Your SOA (Start of Authority) record states that your master (primary) name server is: feed11.verio-web.com.. However, that server is not listed at the parent servers as one of your NS records! This is probably legal, but you should be sure that you know what you are doing.  "
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17805376
It will still work, but the SOA record should show the correct master nameserver.  I think that is worth fixing.  You should update the SOA record to use ns0.dnsmadeeasy.com as your master nameserver.

This is a bit more complex than creating a basic host record.  You can see how to do it here:

Create SOA -
http://support.dnsmadeeasy.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=97

Configure SOA (once you have created it) -
http://support.dnsmadeeasy.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=66
0
 

Author Comment

by:padraic526
ID: 17805671
OK, I've added the SOA and applied it to the domain.  I have a separate domain that points to the primary one.  How should this be handled?

Separately, I still see the Verio nameserver in the dnsreport.  Should this have updated to dnsmadeeasy.com already?

0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17806082
If you can give me your actual domain, I can take a look and give you a better idea.

Does the secondary domain redirect to the first one or are you using a CNAME or something like that?
0
 

Author Comment

by:padraic526
ID: 17806126
mediligence.com (this is the primary one).  I also have medmarketdiligence.com, which points to the other.
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17807506
If you have changed your nameservers as shown here - www.verio.com/support/documents/view_article.cfm?doc_id=3794 - then it seems to be just a propagation issue for now.  Double-check your configuration using the directions in the link and then give it until tomorrow to see where things stand.

Incidentally, according to that document, you can add multiple nameservers, not just two.
0
 

Author Comment

by:padraic526
ID: 17819590
The good news is my nameservers have updated to dnsmadeeasy.com.  The question I have is on one item listed as "FAIL" on the dnsreport.  It says:

Reverse DNS entries for MX records      ERROR: None of your mail server(s) seem to have reverse DNS (PTR) entries (I didn't get any responses for them). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server).
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17822371
That doesn't seem to be the case now:

"Reverse DNS entries for MX records
OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have ... (etc.)"
0
 

Author Comment

by:padraic526
ID: 17822431
Thank you, yes, I see it has now updated.

Last question.  If you saw the dnsreport, you may have seen "WARN" items.  The two I am curious as to whether I should fix are (1) the SOA minimum TTL value and (2) the Single Point of Failure.  

Let me say that I run my own business and frequently have to wear many hats, which sometimes gets me out of my element (sometimes **way** out).  It has been refreshing to run into someone providing assistance that has been professional, prompt and, most importantly (as best I can tell) right on the mark. So I thank you.
0
 
LVL 33

Accepted Solution

by:
humeniuk earned 400 total points
ID: 17822509
The single point of failure warning is speculative.  It says, "... If they share the same firewall, this results in a single point of failure ..." - this is not the case with DNS Made Easy.

Regarding the SOA minimum TTL, I wouldn't worry too much about it, but that's just my opinion.  I think there are plenty of people who would make a case for increasing it to 3600 per RFC 2308.


"let me say that I run my own business and frequently have to wear many hats, which sometimes gets me out of my element (sometimes **way** out).  It has been refreshing to run into someone providing assistance that has been professional, prompt and, most importantly (as best I can tell) right on the mark. So I thank you."

And thanks to you, Patrick.  That comment makes my day and it's the kind of thing that makes participating at EE worthwhile.
0
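
The checks this thread walks through (one well-formed SPF TXT record, the SOA MNAME being one of the listed nameservers, the SOA minimum TTL), written out as an added example; it is not part of any post above and is not dnsreport's own code. The hostnames are the ones quoted in the thread, the SPF string and the 1800-second TTL are constructed sample values, and treating 3600 as a lower bound is an assumption based on the figure in the accepted answer.

```python
# Added example; the SPF string and the SOA minimum below are constructed samples.
ZONE = {
    "NS": ["ns0.dnsmadeeasy.com.", "ns1.dnsmadeeasy.com."],
    "SOA": {"mname": "feed11.verio-web.com.", "minimum": 1800},
    "TXT": ["v=spf1 mx -all", "some-unrelated-verification-token"],
}
MIN_TTL = 3600  # assumption: the figure the accepted answer mentions, used as a floor


def check_spf(txt_records):
    """Return a list of problems with the SPF TXT records (empty list = sane)."""
    spf = [t for t in txt_records if t.split(" ")[0].lower() == "v=spf1"]
    if not spf:
        return ["no SPF record: receivers have no policy to evaluate"]
    if len(spf) > 1:
        return ["multiple SPF records: evaluation ends in a permanent error"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another domain's record
        return ["no 'all' or redirect: unlisted senders get a neutral result"]
    if alls[0][0] in "+a":  # explicit '+all' or bare 'all' (default qualifier is '+')
        return ["'+all' authorizes every sender, so the record blocks nothing"]
    return []


def norm(host):
    """Compare hostnames case-insensitively and without the trailing dot."""
    return host.lower().rstrip(".")


def check_soa(zone):
    """Reproduce the two SOA warnings discussed: MNAME vs NS set, minimum TTL."""
    problems = []
    soa = zone["SOA"]
    if norm(soa["mname"]) not in {norm(ns) for ns in zone["NS"]}:
        problems.append(f"SOA MNAME {soa['mname']} is not one of the NS records")
    if soa["minimum"] < MIN_TTL:
        problems.append(f"SOA minimum TTL {soa['minimum']} is below {MIN_TTL}")
    return problems


if __name__ == "__main__":
    for line in check_spf(ZONE["TXT"]) + check_soa(ZONE):
        print("WARN:", line)
```

With the sample zone, the SPF check passes and both SOA warnings fire, which matches the state of the domain right after the nameserver switch and before the SOA record was updated.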
