Solved

SPF at Verio

Posted on 2006-10-25
Last Modified: 2010-01-18
I have a domain hosted at Verio. I recently became aware that my domain did not have an SPF record established that would impede spammers from using my domain (I get LOTS of emails bounced back to me referencing email addresses that do not exist at my domain).  When I connected with Verio, they indicated that SPF was not something they actively support.  I tried to research how it should be done, and used the wizard at http://www.openspf.org/wizard.html to generate the string that needs to be in the zone file, but when I subsequently ran a test at dnsreport.com it showed me a crash error, so I promptly rolled back the file.  Shouldn't I be using SPF? And, if so, can someone help me set this up?

Patrick Driscoll
**url removed by humeniuk PE - http:/help.jsp#hi106 **
0
Comment
Question by:padraic526
21 Comments
 
LVL 33

Expert Comment

by:humeniuk
ID: 17803438
An SPF record is very useful, so it is a good idea to use one.  If Verio won't support it, however, you should not use them for your DNS service.  For example, I use www.dnsmadeeasy.com for all of my domains/websites and I can set up an SPF easily and quickly.
0
 

Author Comment

by:padraic526
ID: 17803520
Forgive my newbie-like response when I ask what you mean by my DNS service?  Do you mean switching the registration from Verio to dnsmadeeasy.com as opposed to switching web host?
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17803730
No.  There are three elements related to hosting.  1) domain registration, 2) DNS service, 3) web hosting.  You use your domain registrar's (1) controls to point your domain to the nameservers where the DNS records for your domain reside.  Whoever provides those nameservers is your DNS service provider (2) - that is where you configure your DNS records, i.e. a host record pointing www.yourdomain.com to the IP address of your web server or an SPF record.  Your web host (3) is whoever provides the space on a web server where your website resides.

Often some of these are combined, but they don't need to be.  In other words, most domain registrars and hosting companies offer DNS service.  You can use one or the other or a third party service like in the example I included above.  On the other hand, it is always a bad idea to have your domain registration and hosting in one place.
0
 

Author Comment

by:padraic526
ID: 17804326
I have now switched to dnsmadeeasy.com and have added two domains there. I have also run the SPF wizard and added a TXT record.  Now, I don't know if things are set up correctly.  I imagine I have to wait for propagation before checking at dnsreports.com?
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17804395
You will have to wait for propagation for the SPF to take full effect, but www.dnsreport.com should pick up the change now.  Run the report and see if your new nameservers are listed.  If so, you don't have to wait.
0
 

Author Comment

by:padraic526
ID: 17804628
Nameservers still refer to verio.
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17804830
Did you configure the domain to point to the dns made easy nameservers using your registrar's control panel?
0
 

Author Comment

by:padraic526
ID: 17805012
No, I did not (I knew there was one thing I left out).  Now, I look at the nameserver list provided by dnsmadeeasy and I see that they gave me five (ns0.dnsmadeeasy.com through ns4.dnsmadeeasy.com, each with a different IP). My control panel at Verio only shows two.  Do I enter ns0... and ns1...?

0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17805055
Did you register the domain at Verio?

If there are only two spaces, you can only use two.  One of the two should be your primary nameserver as listed in your SOA record.  This is probably ns0.dnsmadeeasy.com, so you can try ns0 and ns1.  When you do the DNS report, confirm that ns0 is listed as your primary nameserver.
0
 

Author Comment

by:padraic526
ID: 17805200
You're being very helpful. I will add the ns0 and ns1.  

Should I be concerned about any items on the status column at dnsreport.com stating "WARN", such as SOA MNAME Check?
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17805233
That's kind of subjective.  Generally for things that say 'WARN', I don't worry about them too much, but correct them if I can.  Sometimes there's nothing you can do based on what your host's config is or something along those lines.

However, I have no doubt that there are some people who take them much more seriously than I do and others who take them less seriously.
0
 

Author Comment

by:padraic526
ID: 17805247
This particular warning says, "SOA MNAME Check WARNING: Your SOA (Start of Authority) record states that your master (primary) name server is: feed11.verio-web.com.. However, that server is not listed at the parent servers as one of your NS records! This is probably legal, but you should be sure that you know what you are doing.  "
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17805376
It will still work, but the SOA record should show the correct master nameserver.  I think that is worth fixing.  You should update the SOA record to use ns0.dnsmadeeasy.com as your master nameserver.

This is a bit more complex than creating a basic host record.  You can see how to do it here:

Create SOA -
http://support.dnsmadeeasy.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=97

Configure SOA (once you have created it) -
http://support.dnsmadeeasy.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=66
0
 

Author Comment

by:padraic526
ID: 17805671
OK, I've added the SOA and applied it to the domain.  I have a separate domain that points to the primary one.  How should this be handled?

Separately, I still see the Verio nameserver in the dnsreport.  Should this have updated to dnsmadeeasy.com already?

0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17806082
If you can give me your actual domain, I can take a look and give you a better idea.

Does the secondary domain redirect to the first one or are you using a CNAME or something like that?
0
 

Author Comment

by:padraic526
ID: 17806126
mediligence.com (this is the primary one).  I also have medmarketdiligence.com, which points to the other.
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17807506
If you have changed your nameservers as shown here - www.verio.com/support/documents/view_article.cfm?doc_id=3794 - then it seems to be just a propagation issue for now.  Double-check your configuration using the directions in the link and then give it until tomorrow to see where things stand.

Incidentally, according to that document, you can add multiple nameservers, not just two.
0
 

Author Comment

by:padraic526
ID: 17819590
The good news is my nameservers have updated to dnsmadeeasy.com.  The question I have is on one item listed as "FAIL" on the dnsreport.  It says:

Reverse DNS entries for MX records      ERROR: None of your mail server(s) seem to have reverse DNS (PTR) entries (I didn't get any responses for them). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server).
0
 
LVL 33

Expert Comment

by:humeniuk
ID: 17822371
That doesn't seem to be the case now:

"Reverse DNS entries for MX records
OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have ... (etc.)"
0
 

Author Comment

by:padraic526
ID: 17822431
Thank you, yes, I see it has now updated.

Last question.  If you saw the dnsreport, you may have seen "WARN" items.  The two I am curious as to whether I should fix are (1) the SOA minimum TTL value and (2) the Single Point of Failure.  

Let me say that I run my own business and frequently have to wear many hats, which sometimes gets me out of my element (sometimes **way** out).  It has been refreshing to run into someone providing assistance that has been professional, prompt and, most importantly (as best I can tell) right on the mark. So I thank you.
0
 
LVL 33

Accepted Solution

by:
humeniuk earned 400 total points
ID: 17822509
The single point of failure warning is speculative.  It says, "... If they share the same firewall, this results in a single point of failure ..." - this is not the case with DNS Made Easy.

Regarding the SOA minimum TTL, I wouldn't worry too much about it, but that's just my opinion.  I think there are plenty of people who would make a case for increasing it to 3600 per RFC 2308.


"let me say that I run my own business and frequently have to wear many hats, which sometimes gets me out of my element (sometimes **way** out).  It has been refreshing to run into someone providing assistance that has been professional, prompt and, most importantly (as best I can tell) right on the mark. So I thank you."

And thanks to you, Patrick.  That comment makes my day and it's the kind of thing that makes participating at EE worthwhile.
0
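
The checks that come up in this thread (exactly one well-formed SPF TXT record, the SOA MNAME appearing among the NS records, the SOA minimum TTL) can be reproduced offline. The sketch below is an added example, not code from any poster or from dnsreport.com; the function names are hypothetical, the SPF strings and the TTL of 180 are constructed, and the 3600 floor is the figure mentioned in the accepted answer.

```python
import re

# Added example; SPF strings are constructed for example.com, not a real zone.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records):
    """Lint a domain's TXT records against basic RFC 7208 rules."""
    spf = [t for t in txt_records if t.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # zero means no policy; more than one is a permerror
        return ["FAIL: expected exactly one SPF record, found %d" % len(spf)]
    findings, names = [], []
    for term in spf[0].split()[1:]:
        if re.match(r"[A-Za-z][\w.-]*=", term):  # modifier such as redirect=
            name = term.split("=", 1)[0].lower()
        else:  # mechanism, optionally prefixed by a qualifier (+ - ~ ?)
            qualifier = term[0] if term[0] in "+-~?" else ""
            body = term[len(qualifier):]
            name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
            if name not in MECHANISMS:
                findings.append("FAIL: unknown mechanism %r" % term)
            elif name == "all" and qualifier in ("", "+"):
                findings.append("FAIL: 'all' with a pass qualifier authorises every sender")
        names.append(name)
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("FAIL: more than 10 terms that trigger DNS lookups")
    if "all" not in names and "redirect" not in names:
        findings.append("WARN: no 'all' or redirect, unmatched senders are neutral")
    elif "all" in names and MECHANISMS & set(names[names.index("all") + 1:]):
        findings.append("WARN: mechanisms after 'all' are never evaluated")
    return findings


def check_soa(mname, ns_names, minimum_ttl, floor=3600):
    """Flag the two SOA warnings raised in the thread (floor is the thread's 3600)."""
    norm = lambda host: host.rstrip(".").lower()
    findings = []
    if norm(mname) not in {norm(n) for n in ns_names}:
        findings.append("WARN: SOA MNAME %s is not among the NS records" % norm(mname))
    if minimum_ttl < floor:
        findings.append("WARN: SOA minimum TTL %d is below %d" % (minimum_ttl, floor))
    return findings


if __name__ == "__main__":
    print(check_spf(["v=spf1 mx ip4:192.0.2.10 -all"]))
    print(check_soa("feed11.verio-web.com.", ["ns0.dnsmadeeasy.com", "ns1.dnsmadeeasy.com"], 180))
```
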
