This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.
are TXT (SPF) records global for sub-domains?
I have a SPF record for my top-level domain, structuredweb.com. see "dig" outputs below. as part of our operations we send emails from swmail.structuredweb.com (64.14.55.140) in which the Return-Path is an address under "inbound.structuredweb.com
however, when i look at the headers of a typical email, i see that google approves this sender, as if it's honoring the SPF record for the top-level domain.
Is there any standard here? can I assume SPF records affect sub-domains unless there is a specific record on the sub-domain? the last example shows "campaigns.structuredweb.c
1) ========== email header ===========
Received-SPF: pass (google.com: domain of
XCAM_xxx@inbound.structure
permitted sender) client-ip=64.14.55.140
2) ===== dig for txt record of structuredweb.com ============
$ dig @dns025.b.register.com structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com structuredweb.com txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3276
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;structuredweb.com. IN TXT
;; ANSWER SECTION:
structuredweb.com. 14400 IN TXT "v=spf1 a:swmail01.structuredweb.c
;; Query time: 31 msec
;; SERVER: 216.21.232.25#53(216.21.23
;; WHEN: Fri Mar 26 11:20:24 2010
;; MSG SIZE rcvd: 144
3) ===== dig of inbound.structuredweb.com =============
$ dig @dns025.b.register.com inbound.structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com inbound.structuredweb.com txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53828
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;inbound.structuredweb.com
;; AUTHORITY SECTION:
structuredweb.com. 14400 IN SOA dns174.a.register.com. root.register.com. 2009070226 28800 7200 604800 14400
4) ===== dig of campaigns.structuredweb.co
$ dig @dns025.b.register.com campaigns.structuredweb.co
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com campaigns.structuredweb.co
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49336
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;campaigns.structuredweb.c
;; ANSWER SECTION:
campaigns.structuredweb.co
;; Query time: 32 msec
;; SERVER: 216.21.232.25#53(216.21.23
;; WHEN: Fri Mar 26 11:29:41 2010
;; MSG SIZE rcvd: 109
however, when i look at the headers of a typical email, i see that google approves this sender, as if it's honoring the SPF record for the top-level domain.
Is there any standard here? can I assume SPF records affect sub-domains unless there is a specific record on the sub-domain? the last example shows "campaigns.structuredweb.c
1) ========== email header ===========
Received-SPF: pass (google.com: domain of
XCAM_xxx@inbound.structure
permitted sender) client-ip=64.14.55.140
2) ===== dig for txt record of structuredweb.com ============
$ dig @dns025.b.register.com structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com structuredweb.com txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3276
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;structuredweb.com. IN TXT
;; ANSWER SECTION:
structuredweb.com. 14400 IN TXT "v=spf1 a:swmail01.structuredweb.c
;; Query time: 31 msec
;; SERVER: 216.21.232.25#53(216.21.23
;; WHEN: Fri Mar 26 11:20:24 2010
;; MSG SIZE rcvd: 144
3) ===== dig of inbound.structuredweb.com =============
$ dig @dns025.b.register.com inbound.structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com inbound.structuredweb.com txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53828
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;inbound.structuredweb.com
;; AUTHORITY SECTION:
structuredweb.com. 14400 IN SOA dns174.a.register.com. root.register.com. 2009070226 28800 7200 604800 14400
4) ===== dig of campaigns.structuredweb.co
$ dig @dns025.b.register.com campaigns.structuredweb.co
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com campaigns.structuredweb.co
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49336
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;campaigns.structuredweb.c
;; ANSWER SECTION:
campaigns.structuredweb.co
;; Query time: 32 msec
;; SERVER: 216.21.232.25#53(216.21.23
;; WHEN: Fri Mar 26 11:29:41 2010
;; MSG SIZE rcvd: 109
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Shaun,
your answer matches what i would expect, but then how come google PASSes the SPF test for inbound.structuredweb.com without any SPF record created for this sub-domain? are you saying they use the top-level SPF definition, find a match, then apply it to this sub-domain?
i think i will create the definition for inbound.structuredweb.com just in case
your answer matches what i would expect, but then how come google PASSes the SPF test for inbound.structuredweb.com without any SPF record created for this sub-domain? are you saying they use the top-level SPF definition, find a match, then apply it to this sub-domain?
i think i will create the definition for inbound.structuredweb.com just in case
No, it shouldn't use the top-level SPF definition in my experience.
Can you post the header info?
Especially this bit: Received-SPF: pass (google.com: domain of noreply@experts-exchange.c
Can you post the header info?
Especially this bit: Received-SPF: pass (google.com: domain of noreply@experts-exchange.c
shaun,
the header info regarding the SPF was posted above in my original post. what is funny, i decided to add a specific TXT record for inbound.structredweb.com and it seems as far as google is concerned there is no difference! i'm going to keep the record as it cannot hurt and it is adviced policy.
header before setting TXT record for inbound.structuredweb.com (original post)
==========================
Received-SPF: pass (google.com: domain of
XCAM_11523149377689@inboun
permitted sender) client-ip=64.14.55.140;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
XCAM_11523149377689@inboun
permitted sender) smtp.mail=XCAM_11523149377
header from new email after setting TXT record for inbond.structuredweb.com
==========================
Received-SPF: pass (google.com: domain of XCAM_11527319400880@inboun
Authentication-Results: mx.google.com; spf=pass (google.com: domain of XCAM_11527319400880@inboun
the header info regarding the SPF was posted above in my original post. what is funny, i decided to add a specific TXT record for inbound.structredweb.com and it seems as far as google is concerned there is no difference! i'm going to keep the record as it cannot hurt and it is adviced policy.
header before setting TXT record for inbound.structuredweb.com (original post)
==========================
Received-SPF: pass (google.com: domain of
XCAM_11523149377689@inboun
permitted sender) client-ip=64.14.55.140;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
XCAM_11523149377689@inboun
permitted sender) smtp.mail=XCAM_11523149377
header from new email after setting TXT record for inbond.structuredweb.com
==========================
Received-SPF: pass (google.com: domain of XCAM_11527319400880@inboun
Authentication-Results: mx.google.com; spf=pass (google.com: domain of XCAM_11527319400880@inboun
That is a little odd, perhaps gmail will try further down the hierachy for SPF, but this isn't the way SPF was designed to operate so it may be a gmail specific setting.
In any case, think creating the TXT is a good idea, at least you know this will work for all other servers querying for SPF details.
Shaun
In any case, think creating the TXT is a good idea, at least you know this will work for all other servers querying for SPF details.
Shaun
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
So, if the envelope header is from swmail.xxxxx.com then that will need its own dedicated SPF.
A lack of SPF may also considering any mail items as a 'PASS' or 'unknown' depending on the software and semantics used.
Bottom line, no, the SPF for top level is not used for all subdomains.
Shaun