
hannah at schlund
Jul 31, 2008, 7:53 AM
Re: SPF record addition to reject backscatters
Hi!

On Thu, Jul 31, 2008 at 07:56:12PM +0530, Susheel - WorldIndia.com wrote:

> Can you please clarify if I should perform the below actions?
> For e.g. I have a domain abc.com which has a MX record as spam.xyz.com and
> this MX record just receives email. abc.com sends email through different
> IPs. In this case the SPF record on abc.com should be:
> v=spf1 ip4:208.115.38.99 mx ~all

The SPF record for xyz.com should tell where mails with envelope senders
X[at]xyz.com *originate*. If the MX hosts do not *originate* mails too,
there's no need for the mx mechanism to appear. Then, the record would be

v=spf1 ip4:... (repeat as necessary) -all.

> Do I need to add a SPF record in xyz.com as well?
> spam.xyz.com. IN TXT "v=spf1 a -all"

If there are no emails ever sent with envelope sender X[at]spam.xyz.com,
you can set up the record as

v=spf1 -all

No need to allow *any* IP then for *that* subdomain. Ditto for any other
subdomains of xyz.com that shouldn't appear in envelope senders of mails.

> Is this necessary? Also can you clarify the difference between -all and ~all?

See section 2.5.4 and 2.5.5 of RFC 4408 for details. -all causes a Fail
result for all mails that do not match any preceding entries, while ~all
causes a *SoftFail* result. Fail says the client is *not* authorized to
use the domain xyz.com, period. For SoftFail, the RFC says:

   A "SoftFail" result should be treated as somewhere between a "Fail"
   and a "Neutral". The domain believes the host is not authorized but
   is not willing to make that strong of a statement. Receiving software
   SHOULD NOT reject the message based solely on this result, but MAY
   subject the message to closer scrutiny than normal.

It's a somewhat "cowardly" statement: You aren't completely sure whether
mails that do not match previous entries are really illegitimate. You have
a tendency that they are usually not legitimate, but you're not completely
sure whether all your roaming domain users really use VPNs or your mail
submission agent (e.g. using the MSA port), or whatever mechanism to ensure
that *all* legitimate mails originate from the designated hosts.

If you can be 100% sure that all your legitimate mails from xyz.com are
sent from the specified IPs, use -all. Use ~all only if you can't be sure
and rather want to permit some illegitimate mail than forbid some mail from
your users that have not set up their roaming clients (laptops, home
offices, whatever) correctly. (With -all, you'd force them to fix their
setups instead.)

Kind regards,

Hannah.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
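As an added illustration of the records discussed in this thread (example code, not from Hannah's post or from any SPF implementation), the following minimal evaluator handles the ip4, mx and all mechanisms with their qualifiers and shows how a receiver's disposition differs for -all (Fail) and ~all (SoftFail). It assumes a constructed, in-memory MX table instead of real DNS lookups, and the receiving policy it applies is one reasonable choice, not mandated by RFC 4408.

```python
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches (RFC 4408 4.6.2).
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

# Constructed stand-in for DNS so the example runs offline: the IP addresses
# of each domain's MX hosts. In the thread, abc.com's MX only receives mail.
MX_ADDRS = {"abc.com": ["192.0.2.10"], "xyz.com": []}


def evaluate_spf(record, sender_ip, domain, mx_addrs=MX_ADDRS):
    """Evaluate a simplified SPF record (ip4, mx, all mechanisms only).

    Returns Pass / Fail / SoftFail / Neutral. Mechanisms are tried left to
    right; the first match decides, so 'all' at the end catches the rest.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism defaults to Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # ip4 takes an address or CIDR block; a bare address is a /32
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = mx_addrs.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # record exhausted without a match


def receiving_policy(result):
    """Receiver-side disposition: Fail may be rejected outright, SoftFail
    SHOULD NOT be rejected on its own but may be scrutinised further."""
    return {"Fail": "reject", "SoftFail": "accept-and-scrutinize"}.get(result, "accept")


if __name__ == "__main__":
    for rec in ("v=spf1 ip4:208.115.38.99 mx ~all", "v=spf1 ip4:208.115.38.99 -all"):
        res = evaluate_spf(rec, "198.51.100.7", "abc.com")
        print(f"{rec!r}: {res} -> {receiving_policy(res)}")
```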