update spf all users

[Richard G]

(all times you are a master of Directadmin)

Oh no I'm not by far, but thank you for the compliment.

But after show activitie any change on any domain of server.

Correct. If you make changes there, these changes are only for newly created domains, or new account restores you make.
It does not affect any existing records.

I see you have found my post about it. Did you use the command I mentioned in there to update all existing records?

 

[castris]

Yes I see.

But I reply post, because it's not work, almost for me, o for my mistake. ?? https://forum.directadmin.com/threads/update-spf-all-users.69878/post-381637

 

[castris]

Opps.. I don't see. Is second page of post...

 

[dbbrito]

Agreed, but this one can be a bit tricky for a beginner so I will give an example.

cd /usr/local/directadmin/data/templates/custom
cp ../dns_txt.conf .

then edit this dns_txt.conf file in the custom directory and add your include so it looks like this:

|DOMAIN|.="v=spf1 a mx ip4:|SERVER_IP||EXTRA_SPF||SPF_IPV6| include:_spf.domain.com ~all"

This is only for newly created domains, to update existing records you have to use this command:
/usr/local/directadmin/directadmin taskq --run "action=rewrite&value=named" --debug 400

Next time, check docs first, there is a load of info in there. If you don't understand it or it doesn't work, you can always ask us.

Hi Richard, my server is like this, I linked the IPv6 to the IPv4 and whenever I add a client and choose an IPv6, the DA creates the account and already records the DNS in IPv4 and IPv6 and the site already responds normally in IPv4 and IPv6, the problem is that the SPF is recorded with the server's IPv4 but with another IPv6 different from the IP I selected when creating the user, is there any way to customize it so that it always gets the user's IP?
Thank you

 

[Richard G]

and whenever I add a client and choose an IPv6

So you give all your clients a different ipv6? You can do that, but why should you?

Indeed with the |SPF_IPV6| tag the server ipv6 will be choosen as far as I know. And normally mail is send from the server ipv6. Or did you configure it another way so users will send mail from their own ipv6?

 

[dbbrito]

So you give all your clients a different ipv6? You can do that, but why should you?

Indeed with the |SPF_IPV6| tag the server ipv6 will be choosen as far as I know. And normally mail is send from the server ipv6. Or did you configure it another way so users will send mail from their own ipv6?

Yes, each user has their own IPv4 and IPv6, so as not to run the risk of an IP being spammed and all users being spammed. After we started providing an IP for each user, this problem ended.
When the reseller creates a user, they choose an available IPv6 that has 1 IPv4 linked to it. The DA automatically creates the DNS records in IPv4 and IPv6, and the site is ready to use in both formats.
My DA is already configured so that Exim sends emails from the user's IP, but after I added IPv6, it is sending emails from new accounts always using the same IPv6.
When I used only IPv4, each account sent emails correctly using its own IPv4.
Thank you

 

[Richard G]

Hmmz... oke sorry, I don't know how that works. Maybe in this case the ipv6 does not need to be connected to the ipv4. But I'm not sure. Maybe some other config is required.
I haven't work with configs where everybody got their own ipv6.
Maybe @zEitEr knows a solution for you or anybody else reading this.

 

[dbbrito]

Hmmz... oke sorry, I don't know how that works. Maybe in this case the ipv6 does not need to be connected to the ipv4. But I'm not sure. Maybe some other config is required.
I haven't work with configs where everybody got their own ipv6.
Maybe @zEitEr knows a solution for you or anybody else reading this.

Ok, but regarding sending emails, do all your users share the same IP? Have you never had problems with spam across all users?

 

[Richard G]

do all your users share the same IP?

Yes that's why it's called shared hosting.
Users are using the server's ip to send mail, also the helo/ehlo is the server's hostname like probably most are doing it here.

Spam is send to mail addresses, it doesn't really care about ip adresses. I even had accounts not on my server, never used and suddenly spam came in.

Once a while it can be some customer uses a leak script or get's hacked and then spam gets send out. But it's not too much and we get notices instantly and then we can take appropriate action and take care we won't land on RBL's or only very shortly.

You are correct, if you give every customer their own ip and have them send mail via ipv6, only that ipv6 mostly is blocked when something goes wrong. However, it's also extra work, adjusting Exim etc. so all those seperate ip's and names are used in the helo/ehlo when sending mail and the SPF records.

 

[zEitEr]

Hello,

Maybe @zEitEr knows a solution for you or anybody else reading this.

Thank you for tagging me. Actually a default SPF template looks like the following:

v=spf1 a mx ip4:|SERVER_IP||EXTRA_SPF||SPF_IPV6|

1. First one can use extra_spf_value= setting in directadmin and specify a full IPv6/64 subnet.
2. Secondly, since a and mx are mentioned here, then domain's A and AAAA assigned to domain.com and mail.domain.com will be allowed too.

See:

All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, then an AAAA lookup is performed instead.

If domain is not specified, the current domain is used.

- https://dmarcian.com/spf-syntax-table/

To recap, the default template with extra_spf_value should cover the needs in allowing individual and server IPv6.