On 08/23/2017 05:47 PM, Reindl Harald wrote:
> arrakis.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
> prometheus.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>
> otherwise only @example.com *itself* is protected from forging, our
> homegrown DNS backend automatically publishes SPF records for every
> hostname in every domain

This might be a case to use the include so that each host can include
(read: pull in) the SPF record for the parent domain.
Obviously it depends on how your infrastructure is configured.

> also avoid "v=spf1 mx" - why?
> because it's a useless DNS lookup on the receiver
>
> publish ip-addresses whenever possible - the connecting IP is known for
> free, the MX is not relevant on the destination server when receiving
> email as long as you force the lookup by careless SPF records

I think that it may be possible for someone to publish a PTR record in
their IP space that reverse resolves to a name of one of your MX
servers. Thereby allowing their bogus server to send email as you.
--
Grant. . . .
unix || die
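
Added example, not part of the original messages: a small Python checker for the DNS-lookup point discussed in this thread. It lists the terms in an SPF record that make the receiver query DNS (the set counted by RFC 7208 section 4.6.4) and shows when a connecting IP can be decided from ip4/ip6/all alone. PAGE_RECORD is the record quoted above; IP_ONLY and the function names are constructed for illustration.

```python
import ipaddress

# Terms that make the receiver issue DNS queries (RFC 7208, section 4.6.4).
DNS_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}

PAGE_RECORD = "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"  # from the thread
IP_ONLY = "v=spf1 ip4:91.118.73.0/24 ip4:95.129.202.170 -all"       # constructed variant

def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for field in fields[1:]:
        qualifier = "+"                      # default qualifier is pass
        if field[0] in "+-~?":
            qualifier, field = field[0], field[1:]
        # The name ends at ':' (argument), '=' (modifier) or '/' (CIDR on a/mx).
        cut = min((field.find(c) for c in ":=/" if c in field), default=len(field))
        arg = field[cut:]
        if arg[:1] in (":", "="):
            arg = arg[1:]
        terms.append((qualifier, field[:cut].lower(), arg))
    return terms

def dns_lookup_terms(record):
    """Names of the terms that force the receiving server to query DNS."""
    return [name for _, name, _ in parse_terms(record) if name in DNS_TERMS]

def match_without_dns(record, client_ip):
    """Evaluate left to right using only ip4/ip6/all.

    Returns the qualifier of the first match, or None when a DNS-dependent
    mechanism is reached first or nothing matches.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_terms(record):
        if name == "redirect":               # modifier, applies only after all mechanisms
            continue
        if name in DNS_TERMS:
            return None                      # receiver has to query DNS to go on
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return qualifier
        elif name == "all":
            return qualifier
    return None
```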