[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

need help creating SPF record

Posted on 2010-01-08
8
Medium Priority
?
663 Views
Last Modified: 2012-05-08
we have a pretty simple email and DNS infrastructure, but I can't figure out what our SPF record ought to be.

Our lone email server is in house, we do not route mail through our ISP.

We have one subdomain. Should I have an SPF record on the subdomain?

This is our current SPF record, which has worked well except for one thing. Our website has a contact form, and email sent to us from the contact form comes from another mail server. This server may be one of several at the webhost (all are on the same domain).

So, what should I change to reflect that mail from our webhost server farm is also valid?
"v=spf1 a mx ~all"

Open in new window

0
Comment
Question by:pixelchef
  • 4
  • 4
8 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26213757

You would need to know something about the servers that might be sending mail. Whether that's a name, an IP, a range of IPs, or perhaps your web host has their own SPF record you can include?

Chris
0
 

Author Comment

by:pixelchef
ID: 26213852
Here are two of the web host's servers listed from recent emails:
k2smtpout05-01.prod.mesa1.secureserver.net;
k2smtpout03-01.prod.mesa1.secureserver.net;

I checked the SPF record for secureserver.net and it does not list these machines. At least, I think that's what it means. I'm obviously not the 'expert' here. Let me know if there is anything else I can provide to help.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 26213900

SecureServer.net have tonnes of SPF records... check this out:

nslookup -q=txt spf.secureserver.net

Where spf.domain.com is just a common place to stash a complex and widely used SPF record for easy maintenance and has no special meaning.

Anyway, each of those "include" statements adds in another set of systems.

It would be well worth asking your host if they have an SPF record you can include if you can?

Otherwise can can simply add those to your own SPF record?

Chris
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Accepted Solution

by:
pixelchef earned 0 total points
ID: 26284640
Based on your advice, I was able to resolve this by changing the SPF record to: v=spf1 a mx include:secureserver.net ~all. I did not have to contact anyone for this, just added the "include" statement.

However, I still would like to know if I need to have SPF records on my subdomain. Here are the current records:

HOST ... TEXT
* (All Others) v=spf1 a mx include:secureserver.net ~all            
                                                                 @ (None) v=spf1 a mx include:secureserver.net ~all            
                                                                 mail.mydomain.com. v=spf1 a mx include:secureserver.net ~all            
0
 

Author Comment

by:pixelchef
ID: 26284659
That text was not aligned properly. Try this instead.

HOST ... TEXT

* (All Others)  	v=spf1 a mx include:secureserver.net ~all
 
@ (None) 		v=spf1 a mx include:secureserver.net ~all
 
mail.mydomain.com. 	v=spf1 a mx include:secureserver.net ~all

Open in new window

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26284673

mail.mydomain.com is covered by *, is mail the sub-domain you meant?

Chris
0
 

Author Comment

by:pixelchef
ID: 26284850
Yes. Also, we are not sending mail from it or any other subdomain, so do I need to have an SPF record on the "all others" line?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26284870

It's to prevent other people abusing it more than anything else. That is, it helps reduce the number of people that can attempt to spoof someone@server.mydomain.com.

Chris
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums. I assume that what is described here is the typical behavior of Microsoft DNS client. I don't know …
Forget those services on TV trying to sell you software – that’s step one.  Almost all of the software you need should be available for free.  The tricky part is doing the work.  If you are not comfortable performing these steps yourself, contact a …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Loops Section Overview

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question