Thanks Bruce.  Your policies are exactly in line with what I was thinking.  

I really appreciate everyone's input on this.  It seemed a bit intimidating,
and while I'm probably not 100% proficient, I do feel better about exactly
what I'm putting in mine now, and what the consequences are!

Todd
  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruce Barnes
Sent: Friday, September 21, 2007 10:29 AM
To: [email protected]
Subject: RE: [IMail Forum] OT: SPF Gurus


As an ISP, we provide this same listing for EACH of our hosted customers -
it's automatically created when we setup their DNS record.  We limit the
address range for the specific customer to only the IP address of the MAIL
SERVER that serves the hosted account.  

If they send out acknowledgements via a website, say for purchase
confirmations, etc, we also list the IP address of the server on which their
webhosting account is located.  This allows e-mail to originate from EITHER
the MAIL SERVER or the WEB SERVER, causing all mail originating from either
to be fully SPF compliant.

Always use MINUS ALL, never TILDE ALL.  Minus all limits to only the IP
ADDRESS stated in the SPF statement, TILDE ALL means they can send via ANY
IP ADDRESS - sort of overrides the whole purpose for SPF.

As for the deadline, give them 30 days to comply.  The longer you wait, the
longer the joe-jobbers can claim to be sending from your (their) addresses.


While not perfect, SPF does help a lot in that it has become the "caller id"
of e-mail and can be used to verify that a specific server is authorized to
send for a particular domain, but ONLY if you use a MINUS ALL at the end of
the SPF statement.

Bruce Barnes

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Friday, September 21, 2007 10:09
To: [email protected]
Subject: RE: [IMail Forum] OT: SPF Gurus

Thanks Darin.  That sounds good.  One last (quick) question.  Until I can
confirm that the users are using only our servers (or set a deadline for
them to switch to), am I better off leaving them with no SPF record, or is
there something more "generic" that I should use in the meantime.

Todd


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, September 21, 2007 9:45 AM
To: [email protected]
Subject: Re: [IMail Forum] OT: SPF Gurus

I would go with

"v=spf1 mx ip4:216.81.209.193/27 -all"

That says your mx record is a valid originator, and your ip range is as well
(for web-based forms or other smtp servers).

Don't forget you need to add this to each and every domain you host, 
checking with the customer first to make sure they will not send other than 
through your servers.

Nothing worse than publishing a policy to the world and then violating it...

Darin.
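As an added illustration (not code from anyone in this thread), the evaluator below applies records like the one Darin recommends and the MINUS ALL / TILDE ALL policies Bruce describes to a given sending IP, showing that "-all" produces a hard "fail" for an unlisted relay while "~all" only produces "softfail". The MX and A data are a constructed stand-in for DNS lookups, and the 203.0.113.5 "home ISP" address is a constructed TEST-NET value; include:, a: and exists: mechanisms are not modelled.

```python
import ipaddress

# Constructed stand-in for DNS (illustrative, not nnepa.com's real records):
# MX hosts per domain, and A records per host.
MX_TABLE = {"nnepa.com": ["mail.nnepa.com"]}
A_TABLE = {"mail.nnepa.com": ["216.81.209.218"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mx_addresses(domain):
    """Addresses of a domain's MX hosts, from the constructed tables."""
    return [a for host in MX_TABLE.get(domain, []) for a in A_TABLE.get(host, [])]

def check_spf(record, sender_ip, domain):
    """Evaluate sender_ip against the v=spf1 record published for domain.

    Handles the ip4, mx and all mechanisms with +, -, ~ and ? qualifiers,
    which covers every record quoted in this thread.  Returns 'pass',
    'fail', 'softfail', 'neutral' or 'none' (no usable record).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name == "ip4":
            # strict=False accepts host bits, e.g. 216.81.209.193/27
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier]
        elif name == "mx":
            # bare "mx" means the MX hosts of the domain being checked
            if str(ip) in mx_addresses(arg or domain):
                return RESULTS[qualifier]
        # include:, a:, exists: etc. are not modelled here
    return "neutral"  # nothing matched and no explicit "all" term

if __name__ == "__main__":
    strict = "v=spf1 mx ip4:216.81.209.193/27 -all"
    soft = "v=spf1 ip4:216.81.209.193/27 ~all"
    # our own MX, then a home ISP relay (constructed TEST-NET address)
    for ip in ("216.81.209.218", "203.0.113.5"):
        print(ip, check_spf(strict, ip, "nnepa.com"), check_spf(soft, ip, "nnepa.com"))
```

Run against the /24 the university admin suggested and the /27 Todd actually owns, the difference is that an address such as 216.81.209.10 passes under the /24 but fails under the /27.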


----- Original Message ----- 
From: "Todd Richards" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, September 21, 2007 10:15 AM
Subject: RE: [IMail Forum] OT: SPF Gurus


Thanks Darin.  I think I will send a blast to our users and, if they are
using their email on a laptop or at home, explain how to set up to send
through our servers on the alternate port (or make them all change then shut
down port 25!).  That said, then each of their SPF records could be more
specific, such as:
"v=spf1 ip4:216.81.209.218 -all"
or
"v=spf1 mx:mail.nnepa.com -all"

Right?

Then I would still want OUR SPF record to cover more servers, and could then
go with
"v=spf1 ip4:216.81.209.193/27 -all"
or
"v=spf1 ip4:216.81.209.218 ip4:216.81.209.210, etc -all" (for each
possible server sending mail)

Does that sound right?

Todd



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, September 20, 2007 8:21 PM
To: [email protected]
Subject: Re: [IMail Forum] OT: SPF Gurus

|
| When a server checks the message, do they look at Mary's domain
| (virtualdomain.com) or the domain of the mail server (in this case,
| mail.nnepa.com)?

>They look at her IP address and compare it to your domain.

Not exactly.  They compare her IP to her SPF policy.  So her domain's SPF
record should contain references to all mail servers she may use to send
email.

|
| Also, if a user is at home and has to send through their home ISP's SMTP
| server (unless they use our alternate port), how will that affect the SPF
| record?

>If the ISP uses SPF, it would cause the mail to be rejected.

Unless you use soft fail, but there's not much point in using soft fail.
Unfortunately SPF never was fully implemented, and a recursive policy lookup
feature was never added.

To use SPF effectively, you need to have them send through your servers
only, not their ISP.

|
| Thanks!
|
| Todd
|
|
| -----Original Message-----
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
| Sent: Thursday, September 20, 2007 3:51 PM
| To: [email protected]
| Subject: Re: [IMail Forum] OT: SPF Gurus
|
| Hi Todd,
|
| You only need to specify the IPs if you send mail for the domain in
| question from those IPs.  It sounds like you were not sending from your MX,
| but from another IP, so you do need to ensure that the IPs that you send
| from are on your SPF record.  Also, to use SPF you do need an SPF record for
| each domain.
|
| Darin.
|
|
| ----- Original Message ----- 
| From: "Todd Richards" <[EMAIL PROTECTED]>
| To: <[email protected]>
| Sent: Thursday, September 20, 2007 2:09 PM
| Subject: [IMail Forum] OT: SPF Gurus
|
|
| Hi Everyone - I know this is a little off topic, but I discovered that
| there might be some issues with our SPF record, as well as those of our
| clients, resulting in mail being rejected.  So I'm going back to the
| drawing board.
|
| Overview:  Our mail server has one primary domain with the rest all
| virtual.
|
| Up until now, our main domain (nnepa.com) was using "v=spf1 mx -all" for
| its SPF record.  For all the domains, they were also using the same
| thing.
|
| One of the clients who had messages failing to a local university started
| asking questions of the university admin ("why are my messages to my
| daughter never making it?")  He explained that the SPF record on their
| domain was wrong, and suggested the following:
|     "v=spf1 mx ip4:216.81.209.0/24 -all"
|
| I implemented this for them and they were able to then send email.  The
| problem, by my understanding, is that we do not own that entire block
| of IP addresses.  So I was going to refine it a little and use
|     "v=spf1 ip4:216.81.209.193/27 ~all"
| , which would cover our block.
|
| The question I have is a) does anyone see any harm in doing this, and b)
| should this be set up for each of the domains as well?
|
| I was on OpenSPF's website, which is great.  But I'd really appreciate any
| thoughts that you might have.
|
| Todd
|
| To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
| List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
| Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
|
