• Status: Solved

Proper format for SPF DNS record

We use a third-party listserv to send email to our members. Some of them bounce because of an improper SPF DNS entry.

This is what we have currently:

v=spf1 a mx include:onedomain.net include:anotherdomain.com -all

The "include:onedomain.net include:anotherdomain.com" are for other domains we send email from.

The server that the emails in question come from is listserv.ourdomain.org.

Do I need our new SPF record to look like:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all

Thanks
Asked by: CANLLC
DrDave242 Commented:
Have you seen the SPF record generators online?  There are a few out there, and they'll greatly simplify the process of generating an SPF record by asking you a series of easy-to-understand questions.  Here's Microsoft's SPF wizard, for example:

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
 
CANLLC (Author) Commented:
Yes, I did, and they helped me with what I had, but I'm not certain I formatted my entries properly. For example, should I have

a:listserv.ourdomain.org

or

a:listserv

Should it even be a:?
0
 
DrDave242 Commented:
Sorry for the delay; work is interfering.  Is it only e-mails originating from a particular domain (ourdomain.org, onedomain.net, or anotherdomain.com) that are bouncing?
0
 
CANLLC (Author) Commented:
Yes, only emails sent from ourdomain.org are bouncing. A listserv company does mass email from their server, which has the name listserv.ourdomain.org.

The bounce says:

550 SPF check failed. Sender not authorized

Tech support from the listserv company said:

"It's looking for a SPF record for the subdomain, which would be listserv.ourdomain.org"

We have an SPF record that says:

v=spf1 a mx include:onedomain.net include:anotherdomain.com -all

but I want to know if it should say the following to account for the listserv mail server:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all



0
 
DrDave242 Commented:
If the server's name is listserv and your domain is named ourdomain.org, the initial standalone "a" would account for listserv.ourdomain.org as well as any other host records in ourdomain.org, but if listserv is actually a subdomain and the server has a host record within the subdomain, yes, you should add "a:listserv.ourdomain.org".  I wouldn't go with the "~all" mechanism at the end, though.  That's going to soft-fail anything that doesn't match another mechanism, which will most likely result in those messages being accepted but marked as possible spam.  Better to fail it outright with "-all" unless you've got a compelling reason to do otherwise.
0
 
CANLLC (Author) Commented:
When I asked the list serv admin about our SPF record and if it was correct:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all

He replied:

"Actually no, you need the MTA IP address or A record in there. So either include the lsoft.com record, or include the IP subnet.  And it looks like you put that in the top-level SPF record for nasfaa.org.  There's no need to do that.  You can make a separate TXT record for listserv.nasfaa.org that includes the LSOFT.COM MTA info."

So what would that SPF record look like?
0
 
DrDave242 Commented:
The domain names are confusing me now.  Is nasfaa.org what you previously referred to as ourdomain.org?  And how does lsoft.com relate to all of this?
0
 
CANLLC (Author) Commented:
Sorry, in my rush I forgot to sanitize my response:

Here is what I should have said:


When I asked the list serv admin about our SPF record and if it was correct:

v=spf1 a:listserv.ourdomain.org include:onedomain.com include:anotherdomain.net ~all

He replied:

"Actually no, you need the MTA IP address or A record in there. So either include the lsoft.com record, or include the IP subnet.  And it looks like you put that in the top-level SPF record for ourdomain.org.  There's no need to do that.  You can make a separate TXT record for listserv.ourdomain.org that includes the LSOFT.COM MTA info."

(LSOFT.COM is the domain for the third party company we use to send the emails)

So what would that SPF record look like?
0
 
DrDave242 Commented:
You will need a mechanism to include lsoft.com's outbound servers.  If their outbound mail servers are the same as their inbound servers and they all have MX records, adding "mx:lsoft.com" should do it.  If they have outbound servers that are not mentioned in MX records but do have public A records, "a:lsoft.com" will cover them.  If you happen to know the IP addresses of all of their outbound servers, you can add them directly with "ip4:<ip_address>."  You can also use "ip4:<network>/<mask>" to add a range of addresses in CIDR format.  This will speed up mail delivery a little bit because fewer records will have to be checked on the receiving end, but you may have to modify the record if the addresses ever change.

I'm not really sure why the listserv admin suggests creating a second record.  If the mail they send out for you has your domain name in the "From" field, it should all be in your SPF record.
0
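An added example, not part of the original thread: a minimal sketch of how a receiving server evaluates the SPF mechanisms discussed above (`a`, `mx`, `ip4`, `include`, `all`) against the record published for the domain in the envelope sender (MAIL FROM). All DNS data is constructed, `provider.example` stands in for the third-party list provider, and `check_spf` and `with_record` are hypothetical helper names.

```python
import ipaddress

# Constructed DNS data using documentation address ranges; not real records.
# provider.example stands in for the third-party list provider's domain.
A = {"ourdomain.org": ["192.0.2.10"], "listserv.ourdomain.org": ["203.0.113.25"]}
MX = {"ourdomain.org": ["192.0.2.20"]}  # MX hosts already resolved to addresses
TXT = {
    "ourdomain.org": "v=spf1 a mx -all",
    "provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=TXT, depth=0):
    """Return the SPF result for client address `ip` and sender `domain`."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this exact name
    if depth > 10:
        return "permerror"  # simplified stand-in for the RFC 7208 lookup limit
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain  # bare "a"/"mx" mean the domain being checked
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = ip in A.get(target, [])
        elif name == "mx":
            hit = ip in MX.get(target, [])
        elif name == "include":
            hit = check_spf(ip, arg, txt, depth + 1) == "pass"
        else:
            continue  # mechanisms outside this sketch (ptr, exists, ip6, ...)
        if hit:
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and the record has no "all"


def with_record(name, record):
    """Copy of the constructed zone data with one TXT record added/replaced."""
    return {**TXT, name: record}
```

With the constructed data, `check_spf("203.0.113.25", "listserv.ourdomain.org")` returns `none` until a TXT record exists at that name. Once `with_record("listserv.ourdomain.org", "v=spf1 include:provider.example -all")` is used as the zone data, the provider's address passes, while an unlisted address gets `fail` under `-all` and `softfail` under `~all`.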
Question has a verified solution.
