Just to throw my 2-cents worth in here... but I think (e.g.: my opinion) that Jake's SPF record recommendation is too restrictive. The A record for your domain very likely may not be the same server as your mail server (in other words, your main web server -- usually the A record for your domain -- may not be your mail server too...)

My "preferred" SPF entry would, therefore, include an MX entry to add ALL of the MX records from your domain:
"v=spf1 a mx -all"

As for having all those "extra" SPF records, there apparently needs to be some explanation of how SPF works... to make it as simple as possible, let's just look at the processing of an SPF check:
- I get mail from [EMAIL PROTECTED]   (a FAKE e-mail address, to be sure!)
- I do a DNS TXT lookup for the domain -- effectively, a "dig txt qmt.com", or more up-to-date, "dig spf qmt.com"
- I look up the SPF records there (and see "v=spf1 a mx -all")
- I look up the A record & MX record(s) of the domain (dig a qmt.com & dig mx qmt.com)
- I compare the IP address SENDING the message against the IP addresses discovered above
- If there is a match, you PASS SPF checking
- If there is NO match, you FAIL SPF checking & I block you (the -all)

So, you really only need the SPF record for the DOMAINs you send/receive mail with... and the extra TXT records for mail*.solowtech.com & http*.solowtech.com won't actually affect anything for the domain solowtech.com (which is, presumably, the domain of your emails).

Thus, although you dismiss your first SPF entry as being "just your web host", the fact that IT includes both A and MX entries is why your SPF is working!

Now, if you have other hosts that may send e-mail on behalf of your domain, but are NOT also mail servers (like a backup server, or alternate web server that want to send logs or alerts), then you just add those servers to your ONE SPF record... like this:
 "v=spf1 a mx ip4:71.21.142.30 -all"

Now, SPF checking mail servers will accept messages from the solowtech.com domain so long as they come from:
- The A record for solowtech.com (67.212.79.197)
- Any of the MX records for solowtech.com (only 67.212.79.220 currently)
- The IP Address of 71.21.142.30 (the ip4 option)

SO... since this is the holiday season, I'll do most of the work for you and say that:
1) you should probably have a backup mail server (you currently have only the 1 MX record, you should have more)
2) If all of the hosts in your posting below are supposed to be valid sources of email, and
   'mail.solowtech.com resolves to 67.212.79.198
   'mail2.solowtech.com resolves to 67.212.79.198 too
   'mail17.solowtech.com resolves to 67.212.79.220
   'mail21.solowtech.com resolves to 67.212.79.221
   'http2.solowtech.com resolves to 67.212.79.198 too
   THEN, your SPF record may need to look like:
     "v=spf1 a mx ip4:67.212.79.198 ip4:67.212.79.221 -all"
HOWEVER, since 197 (a) & 220(mx) are already there, you COULD get fancy and use the prefix option and get the same using
   "v=spf1 a/30 mx/31 -all"
which equates to your A record with a 30-bit prefix -- effectively, 67.212.79.196-199...
   plus your MX record with a 31-bit prefix (67.212.79.220-221)
   You  MIGHT want to use the REAL netmasks that you might control... e.g.:
   "v=spf1 a/19 -all"
   which would equate to 67.212.79.192-223

Sigh.... SO MANY possibilities!

I hope this helps!

Dan
IT4SOHO

"We make IT work for small business!"
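The check sequence described in the message above, as an added Python example (not code from the thread or from any participant). It handles only the `a`, `mx`, `ip4` and `-all` terms, and the `DNS` table is constructed from the addresses quoted in the thread in place of live lookups; the function names are illustrative.

```python
import ipaddress

# Constructed DNS data, taken from the addresses quoted in this thread;
# a real checker would resolve these with live A/MX lookups.
DNS = {
    "a": ["67.212.79.197"],    # A record for solowtech.com
    "mx": ["67.212.79.220"],   # address of the single MX host
}

def covered(addr, prefix=32):
    """Network that an address plus prefix length authorizes."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def networks(term):
    """Expand one a / mx / ip4 mechanism into the networks it authorizes."""
    if term.startswith("ip4:"):
        return [ipaddress.ip_network(term[4:], strict=False)]
    name, _, prefix = term.partition("/")
    if name not in DNS:
        raise ValueError(f"mechanism not handled in this sketch: {term}")
    return [covered(addr, int(prefix or 32)) for addr in DNS[name]]

def check_spf(record, sender_ip):
    """Return 'pass', 'fail' or 'neutral' for sender_ip against record."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if term == "-all":
            return "fail"          # nothing matched earlier: hard fail
        if any(ip in net for net in networks(term)):
            return "pass"          # first matching mechanism wins
    return "neutral"               # no match and no "all" term

def address_range(addr, prefix):
    """First and last address authorized by addr/prefix."""
    net = covered(addr, prefix)
    return f"{net[0]}-{net[-1]}"

if __name__ == "__main__":
    for rec in ("v=spf1 a mx -all",
                "v=spf1 a mx ip4:67.212.79.198 ip4:67.212.79.221 -all",
                "v=spf1 a/30 mx/31 -all"):
        for ip in ("67.212.79.197", "67.212.79.198", "67.212.79.221"):
            print(f"{rec!r:60} {ip:15} {check_spf(rec, ip)}")
```

Running `address_range` on a prefix before publishing it shows exactly what is being authorized: for the A record here, `/27` spans 67.212.79.192-67.212.79.223, while `/19` spans 67.212.64.0-67.212.95.255.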

Paul Heard wrote:
Hi Jake,

Thanks for your extra effort. You are the best.

I test my DK using [EMAIL PROTECTED]

It's crazy how many different test emails will give Back different results.

This address works for me, and yahoo is accepting My DK.

Your point about spf is interesting.

My spf records check out in several tests,
But you are correct in your observation that
The A record and MX box will not resolve to the Same IP.

I think my spf records for this domain may be wrong.

'solowtech.com:v=spf1 a mx -all:3600
'mail.solowtech.com:v=spf1 a -all:3600
'mail2.solowtech.com:v=spf1 a -all:3600
'mail17.solowtech.com:v=spf1 a -all:3600
'mail21.solowtech.com:v=spf1 a -all:3600
'http2.solowtech.com:v=spf1 a -all:3600

The first entry is just for a web host.
Rarely sends mail.

The other entries are all running qmail of some form.

My DNS servers serve the same data file.

I hear what you are saying about the 12 hours,
24-48 hours, but I wish I could say that's been
My experience.

I have been working on this for over a month.
Forms, phone calls, DK, SPF...

The cron queue flush was out of desperation.

Having said that, I've been running it now
For a day, the yahoo mail is going through...

Fire and gasoline...
Thanks Jake.

-----Original Message-----
From: Jake Vickers [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2008 7:19 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] yahoo deferrals fix

Paul Heard wrote:
Hi Jake,

Not sure why qmail is not succeeding in the 5 minute retries.
I have my contacts in my yahoo account I just checked.
They have been in there for weeks, still not whitelisted.
I will create a few more accounts to see if it helps...

Just doing some checks on your email's domain (solowtech.com, assuming that's the domain that cannot send to Yahoo). Your DNS servers have different serial values, so you probably have 2 different zone records, one on each server.
For your SPF records, you have this:

"v=spf1 a -all"


That says that the A record for your domain is the one that sends mail. That's fine if example.com and mail.example.com resolve to the same IP, but incorrect if they do not (someone correct me if I'm wrong on that - rusty on my SPF).

Your messages seem to be signed with domain keys, but I would also double check them against a server that tests domainkeys for you. Just do a search, there's several that will do this for you. If each of your DNS servers is serving different data, then you may have domainkeys on one zone record, but not on the other. Yahoo may be checking the keyfile against the wrong DNS server (the one that may not have the data).


---------------------------------------------------------------------
     QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

