Yes, that SPF record is bad. It needs to include all sources of legitimate email for your domain. Since you are using Google Apps, you need to include Google's servers.
http://support.google.com/a/bin/answer.py?hl=en&answer=178723

On Thu, Aug 16, 2012 at 5:06 PM, Merrill Oveson <[email protected]> wrote:
> On Thu, Aug 16, 2012 at 4:54 PM, John Shaver <[email protected]> wrote:
>> On Thu, Aug 16, 2012 at 4:09 PM, Merrill Oveson <[email protected]> wrote:
>>> Pluggers:
>>>
>>> Pretend we are xyz company.  So my email is [email protected].  xyz
>>> email is hosted thru gmail.
>>>
>>> Some of our users got an email from [email protected].
>>> Now our support team never sent the email.  It's obvious spam.
>>>
>>> The question is:  If we flag the email as spam, are you flagging
>>> [email protected] as spam,
>>> or is gmail smart enough to know to flag the sent from ip address?
>>
>> This is called email spoofing.  If I wanted to, I could send you an
>> email as [email protected] and it would come through fine.  If they
>> flag it as spam, then, in most spam systems, it will affect legitimate
>> emails from the same email address.
>>
>> The most common defense I've seen people try to use for this is SPF
>> records.  You can specify SPF information in your DNS TXT records that
>> specify which servers are allowed to send out mail from your domain.
>> Unfortunately, people don't always send email out through your SMTP
>> server.  When they are away from the office, they may want to send
>> mail from their home connection and their ISP may require them to send
>> out mail via their SMTP server and block ports otherwise (this is very
>> common among the big ISPs).  This means that legitimate mail will be
>> flagged due to SPF records.  I see very few large companies using
>> solid SPF records on their domain for this reason.  Most are just set
>> to flag, but not deny mail from other servers.
>>
>> The other issue is that many mail servers do not even check SPF
>> records and aren't required to, although I think most do.
>>
>>> It drives me crazy that gmail doesn't show the full headers.
>>
>> Even if you showed full headers, it would be very difficult to know
>> who the mail actually came from and if it was legitimate if you don't
>> know how to read email headers and see what servers we can confirm
>> they went to (gmail's servers only know which server handed them the
>> mail, any other relays could be faked in the headers).
>>
>> More info on email spoofing:
>>
>> http://en.wikipedia.org/wiki/E-mail_spoofing
>>
>> and Sender Policy Framework:
>>
>> http://en.wikipedia.org/wiki/Sender_Policy_Framework
>>
>> -John Shaver
>>
>> /*
>> PLUG: http://plug.org, #utah on irc.freenode.net
>> Unsubscribe: http://plug.org/mailman/options/plug
>> Don't fear the penguin.
>> */
>
> Thanks for the responses...
>
> Yeah, I have an spf1 record in my DNS for our domain.
> I guess gmail didn't bother to read it, or it's set up wrong. ?
>
> i.e.: v=spf1 a mx ?all
>
> Or does gmail require a special spf1 record setup in their DNS?
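An added example, not part of the original thread: a Python check that audits an SPF record offline for the two points raised above, a missing include for the mail provider and an `all` qualifier that does not flag unlisted senders. The function names are hypothetical, and `_spf.google.com` (the include Google documents for its hosted mail) does not appear in the original messages.

```python
# Added example: offline audit of an SPF TXT record (no DNS lookups are made).
# Assumption: "_spf.google.com" is the include Google documents for hosted mail.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return the record's mechanisms as (qualifier, name, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are name=value, not mechanisms
        qualifier = "+"  # a mechanism without a qualifier defaults to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        # A CIDR suffix on a bare mechanism (e.g. a/24) is dropped from the name.
        mechanisms.append((qualifier, name.split("/")[0].lower(), value.lower()))
    return mechanisms


def audit_spf(record, required_includes=("_spf.google.com",)):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    mechanisms = parse_spf(record)
    includes = {value for _, name, value in mechanisms if name == "include"}
    for domain in required_includes:
        if domain not in includes:
            findings.append(f"missing include:{domain}")
    all_qualifiers = [q for q, name, _ in mechanisms if name == "all"]
    if all_qualifiers:
        result = QUALIFIERS[all_qualifiers[0]]
        if result in ("pass", "neutral"):
            findings.append(f"'{all_qualifiers[0]}all' yields {result} for unlisted senders")
    elif "redirect=" not in record.lower():
        findings.append("no 'all' mechanism: unlisted senders get neutral")
    return findings


if __name__ == "__main__":
    # The record quoted in the thread, then a constructed corrected record.
    for rec in ("v=spf1 a mx ?all", "v=spf1 include:_spf.google.com ~all"):
        print(rec, "->", audit_spf(rec) or "no findings")
```

The check is static: it does not resolve `a`, `mx` or `include` targets, so it reports what the record says, not which IP addresses it ends up authorizing.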
