Implement DNSSEC and upgrade from SPF txt to SPF type 99

Hi,

I´ve my domains  at www.nominalia.com. All of them with spf txt  normal records registerd. Now, I want to upgrade spf to the new 99 type record.

How is possible?

I also want to implement dnssec. Is possible when dns  are managed by companies like www.nominalia.com?

Best regards
heze54Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Erik BjersPrincipal Systems AdministratorCommented:
since your DNS is hosted and managed I recommend you contact nominalia and ask them if this can be done.

eb
0
heze54Author Commented:
I edit my own records by webadmin page, because of this I need info/support.
0
Erik BjersPrincipal Systems AdministratorCommented:
but you are talking about changing the format of your zones and I am not sure you can do that with out the hosting company, if nothing else they may be able to provide the support you need.

You are paying them so give them a call and see if they can help.
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

heze54Author Commented:
I have already configured spf at  my registrar to my mail servers, but is a TXT SPF record.... is old now is out SPF type 99.
0
Hind987Commented:
SPF, which currently stands for Sender Policy Framework, is a way for organizations to list valid sources of email (i.e., IP addresses) for "from addresses" in their domain. Organizations that want to publish SPF information create a TXT record in their zone file. Mail transfer agents may lookup SPF information when receiving email messages. In addition to the TXT record format, SPF now also has its own DNS RR, type 99.

Among the 1,756,827 zones with at least one working nameserver, we found 87,859 (5%) with TXT-based SPF records. We did not find any of the new SPF (type 99) records.
0
heze54Author Commented:
Hi,


where do you find this info?

An what about dnssec?
0
heze54Author Commented:
Response from registrar company-> we do not know to implement new spf records
0
shauncroucherCommented:
Hind987, that article is at http://dns.measurement-factory.com/surveys/200608.html and was written in 2006 - that was quite some time ago, I suspect the take up of SPF for example has seen some significant rises.

Great article there though, very interesting results

Shaun
0
shauncroucherCommented:
heze54,

why are you so intent on setting up these new RR records for SPF? The old values will work just fine for now, I would recommend just holding fire for the time being until the new RR have had some time to work in and become more commonplace.

Shaun
0
heze54Author Commented:
Hi,


I have and small mail server under ubuntu(kerio mailserver) up to 1 thousand mails per day.This is the final server but has a postfix gateway to filter spam, virus and more.


I have rbl, amavis, clamav, spf  but I still have serious spam attacks, directory harvest attacks and beyond. I tried to block certain countries but I have costumers from those locations and ISP.


I need to be up to date with those technologies
0
shauncroucherCommented:
You are talking about inbound SPAM issues right?

If so, creating a SPF record for your domain will not help you here as that will only be for outbound.

You should make sure you have recipient validation enabled so you only accept mail for valid recipients and make sure you have tarpitting enabled to stop the directory harvest attacks.

Then some good quality anti spam should do the rest.

Shaun
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
shauncroucherCommented:
You can check SPF for senders which may aid your attempt to identify SPAM but this will be a different process than using SPF to advertise mail that is allowed to send mail FROM your domain.

Shaun
0
heze54Author Commented:
I´m working with very big companies that are NOT using SPF.... crazy!!
0
shauncroucherCommented:
SPF is an optional implementation, it has its flaws and some mail administrators choose not to use it.

I quite like the idea, but it isn't perfect and there are other methods that show more promise such as DomainKeys in my opinion.

Shaun
0
heze54Author Commented:
I can not implement domainkey at keriomailserver.

Any more techs to fight spam?
0
shauncroucherCommented:
The most important are :

REcipient Validation
tarpitting
good mix of anti-virus technology (spamasassin meant to be pretty good for linux distros)

Shaun
0
Erik BjersPrincipal Systems AdministratorCommented:
If you are having serious spam problems you can also look into anti-spam appliances

some options are
http://www.barracudanetworks.com/ns/products/
http://www.sonicwall.com/us/products/Email_Security_Anti-Spam_67.html
http://www.ironport.com
0
heze54Author Commented:
I have no money to purchase appliances hard. I know them. I´m testig astaro gateway software appliance.


What do you think?
0
shauncroucherCommented:
how are you getting on now?

shaun
0
shauncroucherCommented:
You should really distribute points here where the advice has helped you get to your resolution.

There was a fair bit of input here from myself (recommending spam software to help with your spam issue) and other experts with their input.

Shaun
0
shauncroucherCommented:
My recommendation is points split as follows:

28443388 - Best solution
28445522
28445873

Shaun
0
shauncroucherCommented:
No problem,

Thanks for the tip

Shaun
0
heze54Author Commented:
Running a astaro device
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS

From novice to tech pro — start learning today.