SPF Record Creation Assistance

Posted on 2014-02-10
Last Modified: 2016-05-22
We are looking for advice on a proper SPF record.  Our current record is as follows:
V=spf1 mx ~all

But after doing some research, it seems that we should have a different setup like this:
v=spf1 mx a ip4:xx.xx.xx.xx include:mailchimp.com ?all

Where:
1) ip4:xx.xx.xx.xx = our mail server external address
2) include:mailchimp.com = mailchimp sends marketing emails on our behalf, but through their system, not ours

We have used a few of the online SPF creation tools, but all this seemed to have done is confuse us more. We want to make sure that our emails are received without issue on other systems, but don't want to open things up too much - especially with the mailchimp service. Any advice/explanation would be greatly appreciated.

Thanks
Question by: ejscn
Accepted Solution by: Leon Kammer
SPF is as follows.

mx means that all MX records listed in the domain are allowed to send mail
a means that all a records can send email.

ip4: allows you to specify the addresses in CIDR format (IP + subnet) that are allowed to send email

a: allows you to specify which hostnames can send email for this domain.

include: specifies which other domains (SMTP servers) are allowed to send mail for the domain.

~all is a soft fail (anything non-compliant will be accepted, but will be marked as non-compliant)
-all is a hard fail (anything non-compliant will be rejected)
?all is a neutral mode (anything sent will probably be received)

So, V=spf1 mx ~all specifies that all mx records and all a record ip addresses can send mail for this domain, anything that is not compliant with this, mark as non-compliant, but accept it.

Hope this helps

Cheers

Leon
Assisted Solution by: Squinky
The whole point of SPF is to prevent forgeries, and any set of rules that doesn't end in '-all' fails to do that to any significant extent. A record ending in '?all' is useless as it says 'these sources are ok, and so is anything else'.

The hardest part of SPF is nailing down your sources - for example, if you have users that send via their ISP's email servers, you need to either permit that in your SPF (by including, say, gmail's SPF), which introduces a lot of wiggle room for forgery, or don't allow them to do that and require them to use only your own mail servers. That's easy to do in a small company, but much harder in a big one.

SPF entries are evaluated left to right, so it's best to list ip4-type parts first as they can be resolved immediately without any DNS lookups, which a, mx and include parts require.
Author Comment by: ejscn
OK, 100% of our staff send through the server itself - either through Outlook or through webaccess. So with that in mind, would you recommend:
 
v=spf1 mx a ip4:xx.xx.xx.xx/xx include:mailchimp.com -all

Thanks
Assisted Solution by: Squinky
Nearly. This will be faster for receiving systems to process (though it has exactly the same meaning):

v=spf1 ip4:xx.xx.xx.xx/xx mx a include:mailchimp.com -all

The include has the biggest overhead, so that should always go last. One thing to look out for is includes that don't themselves end in '-all'; they constitute a back-door into allowing unapproved sources in your domain.
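To make the left-to-right evaluation and the lookup cost of a, mx and include terms discussed in the two answers above concrete, here is an added Python example (not from the original thread) that evaluates a sender IP against a record using a constructed in-memory DNS table; the domains, addresses and the MAX_LOOKUPS counter (the RFC 7208 limit of 10 DNS-querying mechanisms) are assumptions, and the include branch follows RFC 7208, where an include matches only when the included record itself evaluates to pass.

```python
import ipaddress

# Constructed DNS data standing in for real lookups; every name and address is made up.
FAKE_DNS = {
    "example.org": {
        "TXT": "v=spf1 ip4:203.0.113.10/32 mx a include:bulkmail.example -all",
        "MX": ["mail.example.org"],
        "A": ["203.0.113.10"],
    },
    "mail.example.org": {"A": ["203.0.113.11"]},
    # Included sender ends in ?all: only its ip4 range can produce a "pass".
    "bulkmail.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 ?all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation


def check_spf(ip, domain, lookups=None):
    """Return the SPF result for sender `ip` claiming `domain` (simplified RFC 7208)."""
    lookups = [0] if lookups is None else lookups   # shared counter across includes
    addr = ipaddress.ip_address(ip)
    terms = (FAKE_DNS.get(domain, {}).get("TXT") or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:                            # evaluated strictly left to right
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":                             # no DNS query needed
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1                           # each of these costs a query
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "include":                     # matches only on an included "pass"
                matched = check_spf(ip, target, lookups) == "pass"
            else:
                hosts = [target] if mech == "a" else FAKE_DNS.get(target, {}).get("MX", [])
                ips = [a for h in hosts for a in FAKE_DNS.get(h, {}).get("A", [])]
                matched = any(addr == ipaddress.ip_address(a) for a in ips)
        else:
            return "permerror"                        # unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                                  # no "all" term reached
```

Running check_spf("192.0.2.5", "example.org") walks every term, costs three lookups, and ends at -all with "fail", while an address inside the included sender's ip4 range passes via the include.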
Author Comment by: ejscn
Thanks - this is really helpful. One final (hopefully) follow-up question. We were recently put on a spam blacklist because (it seems) of the marketing emails sent through mailchimp. Although the email addresses that received the emails signed up to get them, there were between 1500 and 2000 emails sent. We have since been removed from the spam blacklist after contacting them, but don't want it to happen again. Coming back full circle, would the "include:mailchimp.com" have any impact on this issue? As an FYI - mailchimp is sending the emails on behalf of information@elizajen.org, so I believe they are appearing to come from our domain.

This reason is one of the main reasons that we began looking at the current SPF record. In doing research on the possible causes, we were directed to look at it.

Thanks