Proper format for SPF DNS record

We use a third-party listserv to send email to our members. Some of them bounce because of an improper SPF DNS entry.

This is what we have currently:

v=spf1 a mx include:onedomain.net include:anotherdomain.com -all

The " include:onedomain.net include:anotherdomain.com" are for other domains we send email from.

The server that the emails in question come from is listserv.ourdomain.org.

Do I need our new SPF record to look like:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all

Thanks
CANLLC Asked:

DrDave242 Commented:
Have you seen the SPF record generators online?  There are a few out there, and they'll greatly simplify the process of generating an SPF record by asking you a series of easy-to-understand questions.  Here's Microsoft's SPF wizard, for example:

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
CANLLC Author Commented:
Yes, I did and they helped me with what I had, but I'm not certain I formatted my entries properly. For example, should I have

a:listserv.ourdomain.org

or

a:listserv

Should it even be a:?
0
DrDave242 Commented:
Sorry for the delay; work is interfering.  Is it only e-mails originating from a particular domain (ourdomain.org, onedomain.net, or anotherdomain.com) that are bouncing?
0
CANLLC Author Commented:
Yes, only emails sent from ourdomain.org are bouncing. A listserv company does mass email from their server which has the name listserv.ourdomain.org.

The bounce says:

550 SPF check failed. Sender not authorized

Tech support from the listserv company said:

"It's looking for a SPF record for the subdomain, which would be listserv.ourdomain.org"

We have an SPF record that says:

v=spf1 a mx include:onedomain.net include:anotherdomain.com -all

but I want to know if it should say the following to account for the listserv mail server:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all



0
DrDave242 Commented:
If the server's name is listserv and your domain is named ourdomain.org, the initial standalone "a" would account for listserv.ourdomain.org as well as any other host records in ourdomain.org, but if listserv is actually a subdomain and the server has a host record within the subdomain, yes, you should add "a:listserv.ourdomain.org".  I wouldn't go with the "~all" mechanism at the end, though.  That's going to soft-fail anything that doesn't match another mechanism, which will most likely result in those messages being accepted but marked as possible spam.  Better to fail it outright with "-all" unless you've got a compelling reason to do otherwise.
0
CANLLC Author Commented:
When I asked the list serv admin about our SPF record and if it was correct:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all

He replied:

"Actually no, you need the MTA IP address or A record in there. So either include the lsoft.com record, or include the IP subnet.  And it looks like you put that in the top-level SPF record for nasfaa.org.  There's no need to do that.  You can make a separate TXT record for listserv.nasfaa.org that includes the LSOFT.COM MTA info."

So what would that SPF record look like?
0
DrDave242 Commented:
The domain names are confusing me now.  Is nasfaa.org what you previously referred to as ourdomain.org?  And how does lsoft.com relate to all of this?
0
CANLLC Author Commented:
Sorry, in my rush I forgot to sanitize my response:

Here is what I should have said:


When I asked the list serv admin about our SPF record and if it was correct:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all

He replied:

"Actually no, you need the MTA IP address or A record in there. So either include the lsoft.com record, or include the IP subnet.  And it looks like you put that in the top-level SPF record for ourdomain.org.  There's no need to do that.  You can make a separate TXT record for listserv.ourdomain.org that includes the LSOFT.COM MTA info."

(LSOFT.COM is the domain for the third party company we use to send the emails)

So what would that SPF record look like?
0
DrDave242 Commented:
You will need a mechanism to include lsoft.com's outbound servers.  If their outbound mail servers are the same as their inbound servers and they all have MX records, adding "mx:lsoft.com" should do it.  If they have outbound servers that are not mentioned in MX records but do have public A records, "a:lsoft.com" will cover them.  If you happen to know the IP addresses of all of their outbound servers, you can add them directly with "ip4:<ip_address>."  You can also use "ip4:<network>/<mask>" to add a range of addresses in CIDR format.  This will speed up mail delivery a little bit because fewer records will have to be checked on the receiving end, but you may have to modify the record if the addresses ever change.

I'm not really sure why the listserv admin suggests creating a second record.  If the mail they send out for you has your domain name in the "From" field, it should all be in your SPF record.
0
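
Added example (not from any poster in this thread): a simplified SPF evaluator following the mechanism rules of RFC 7208, run against a constructed DNS table. It shows that the record consulted is the one published at the envelope sender (MAIL FROM) domain, that a bare `a` matches only the address records of that exact domain, and how `-all` and `~all` differ. All IP addresses are documentation-range placeholders and the zone contents are assumptions; macros, `ip6`, `redirect`, lookup limits and error results are left out.

```python
import ipaddress

# Constructed DNS data for illustration only; no value here comes from the thread.
DNS = {
    "TXT": {
        "ourdomain.org": "v=spf1 a mx include:onedomain.net include:anotherdomain.com -all",
        "listserv.ourdomain.org": "v=spf1 ip4:203.0.113.0/24 -all",  # hypothetical provider MTA subnet
        "onedomain.net": "v=spf1 ip4:198.51.100.0/24 -all",
        "anotherdomain.com": "v=spf1 ip4:192.0.2.128/25 -all",
    },
    "A": {
        "ourdomain.org": ["192.0.2.10"],
        "mail.ourdomain.org": ["192.0.2.25"],
        "listserv.ourdomain.org": ["192.0.2.77"],  # host record, not the sending MTA
    },
    "MX": {"ourdomain.org": ["mail.ourdomain.org"]},
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, dns=DNS):
    """Evaluate the SPF record published at `domain` for connecting address `ip`."""
    record = dns["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                      # no SPF record at this exact name
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain             # bare "a"/"mx" refer to `domain` itself
        if mech == "all":
            return QUALIFIER[qual]
        if mech == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in dns["A"].get(target, [])
        elif mech == "mx":
            hit = any(ip in dns["A"].get(h, []) for h in dns["MX"].get(target, []))
        elif mech == "include":
            hit = check_host(ip, arg, dns) == "pass"   # only "pass" counts as a match
        else:
            continue                       # simplification: skip anything unsupported
        if hit:
            return QUALIFIER[qual]
    return "neutral"                       # record ended without an "all" term

if __name__ == "__main__":
    mta = "203.0.113.50"                   # hypothetical list-provider MTA address
    for mail_from_domain in ("ourdomain.org", "listserv.ourdomain.org"):
        print(mail_from_domain, "->", check_host(mta, mail_from_domain))
```

With this data the provider's MTA fails against the apex record and passes against the separate TXT record at listserv.ourdomain.org, which is the name a receiver looks up when the envelope sender is @listserv.ourdomain.org.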