I would go with "v=spf1 mx ip4:216.81.209.193/27 -all"
That says your mx record is a valid originator, and your ip range is as well (for web-based forms or other smtp servers).

Don't forget you need to add this to each and every domain you host, checking with the customer first to make sure they will not send other than through your servers. Nothing worse than publishing a policy to the world and then violating it...

Darin.

----- Original Message -----
From: "Todd Richards" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, September 21, 2007 10:15 AM
Subject: RE: [IMail Forum] OT: SPF Gurus

Thanks Darin. I think I will send a blast to our users and, if they are using their email on a laptop or at home, explain how to set up to send through our servers on the alternate port (or make them all change then shut down port 25!).

That said, then each of their SPF records could be more specific, such as:
"v=spf1 ip4:216.81.209.218 -all"
Or
"v=spf1 mx:mail.nnepa.com -all"

Right? Then I would still want OUR SPF record to cover more servers, and could then go with
"v=spf1 ip4:216.81.209.193/27 -all"
OR
"v=spf1 ip4:216.81.209.218 ip4:216.81.209.210, etc -all" (for each possible server sending mail)

Does that sound right?

Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, September 20, 2007 8:21 PM
To: [email protected]
Subject: Re: [IMail Forum] OT: SPF Gurus

| When a server checks the message, do they look at Mary's domain
| (virtualdomain.com) or the domain of the mail server (in this case,
| mail.nnepa.com)?

>They look at her IP address and compare it to your domain.

Not exactly. They compare her IP to her SPF policy. So her domain's SPF record should contain references to all mail servers she may use to send email.

| Also, if a user is at home and has to send through their home ISP's SMTP
| server (unless they use our alternate port), how will that affect the SPF
| record?

>If the ISP uses SPF, it would cause the mail to be rejected.
Unless you use soft fail, but there's not much point in using soft fail. Unfortunately SPF never was fully implemented, and a recursive policy lookup feature was never added. To use SPF effectively, you need to have them send through your servers only, not their ISP.

| Thanks!
|
| Todd
|
| -----Original Message-----
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
| Sent: Thursday, September 20, 2007 3:51 PM
| To: [email protected]
| Subject: Re: [IMail Forum] OT: SPF Gurus
|
| Hi Todd,
|
| You only need to specify the IPs if you send mail for the domain in question
| from those IPs. It sounds like you were not sending from your MX, but from
| another IP, so you do need to ensure that the IPs that you send from are on
| your SPF record. Also, to use SPF you do need an SPF record for each
| domain.
|
| Darin.
|
| ----- Original Message -----
| From: "Todd Richards" <[EMAIL PROTECTED]>
| To: <[email protected]>
| Sent: Thursday, September 20, 2007 2:09 PM
| Subject: [IMail Forum] OT: SPF Gurus
|
| Hi Everyone - I know this is a little off topic, but I discovered that
| there might be some issues with our SPF record, as well as those of our
| clients, resulting in mail being rejected. So I'm going back to the drawing
| board.
|
| Overview: Our mail server has one primary domain with the rest all virtual.
|
| Up until now, our main domain (nnepa.com) was using "v=spf1 mx -all" for
| its SPF record. For all the domains, they were also using the same thing.
|
| One of the clients who had messages failing to a local university started
| asking questions of the university admin ("why are my messages to my
| daughter never making it?") He explained that the SPF record on their
| domain was wrong, and suggested the following:
| "v=spf1 mx ip4:216.81.209.0/24 -all"
|
| I implemented this for them and they were able to then send email. The
| problem, by my understanding, is that we do not own that entire block of
| IP addresses.
| So I was going to refine it a little and use
| "v=spf1 ip4:216.81.209.193/27 ~all",
| which would cover our block.
|
| The question I have is a) does anyone see any harm in doing this, and b)
| should this be set up for each of the domains as well?
|
| I was on OpenSPF's website, which is great. But I'd really appreciate any
| thoughts that you might have.
|
| Todd

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
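
An added example, not part of the original thread: an offline check of the ip4 ranges in the records discussed above, showing what 216.81.209.193/27 actually covers compared with the /24 the university admin suggested. It evaluates only the `ip4` and `all` terms (`mx` needs DNS and is skipped); the function names and the 203.0.113.25 home-ISP address are assumptions made for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_ip4(record, sender_ip):
    """Evaluate only the ip4 and all terms of an SPF record, left to right.

    Mechanisms that need DNS (mx, a, include, ...) are skipped, so the
    result reflects the literal address ranges only.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "ip4":
            # strict=False accepts host bits set, as in 216.81.209.193/27
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def coverage(cidr):
    """Return (first address, last address, address count) for an ip4 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses

if __name__ == "__main__":
    print(coverage("216.81.209.193/27"))  # the block Todd wants to publish
    print(coverage("216.81.209.0/24"))    # the block the admin suggested
    samples = [
        ("v=spf1 mx ip4:216.81.209.193/27 -all", "216.81.209.218"),
        ("v=spf1 mx ip4:216.81.209.193/27 -all", "216.81.209.10"),
        ("v=spf1 mx ip4:216.81.209.0/24 -all", "216.81.209.10"),
        # constructed address standing in for a home ISP's SMTP server
        ("v=spf1 ip4:216.81.209.193/27 ~all", "203.0.113.25"),
    ]
    for record, ip in samples:
        print(f"{ip:16} {check_ip4(record, ip):9} {record}")
```
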
