SPF IP-address in DNS-management

__co__

Hello,

I have a change request in the DNS-management interface.

When creating a zone in DNS-management, a custom IP-address can be provided. DA will create the zone pointing the MX-record also to the A-record with the provided IP. However, the SPF record always has the primary server IP.

This doesn't make sense imo. If DA has just set another IP for handling the e-mail, it is strange that the local IP is in the SPF record. This might result in mail delivery problems.

My suggestion is that, when creating a zone, the SPF record also has the provided IP, not the server's IP.


--
c0
 
> This doesn't make sense imo. If DA has just set another IP for handling the e-mail, it is strange that the local IP is in the SPF record. This might result in mail delivery problems.


Absolutely not. Using another ip in place of the main server ip will result in mail delivery problems. The mail is going out using the main server ip by default.

It is possible to make changes to the exim.conf file to use another ip for the mail to go out on and only in that case would you want to change the SPF to be another ip in place of the server ip.

The default behavior of DirectAdmin is correct.
 
No, who says that the DA server has outgoing mail for that zone?

If I enter an IP-address for a zone and DA creates a MX-record with that IP, you can assume that the server on that IP handles the mail for the domain, right? So why should the SPF record tell the receiving mail server that only the DA server can send mail for the domain?

When I enter a zone with an IP other than the local one, the role of the DA server is purely a DNS server for the zone, nothing more. The DA server is NOT the e-mail handler for the zone.
 
> The DA server is NOT the e-mail handler for the zone.

That would have been useful information in your first post.



> If I enter an IP-address for a zone and DA creates a MX-record with that IP, you can assume that the server on that IP handles the mail for the domain, right?

Yes, but you cannot assume that the ip you give it is the main ip of the server that is going to handle the mail, especially if it's a shared server. There could be hundreds of ip's on that server. The domain ip and the main server ip can easily be different.

A better suggestion would be for DA to allow you to specify the SPF record ip at the time of DNS creation. There could be a checkbox for "SPF record same as domain" and maybe a text field to specify a different ip for SPF.

It should never assume the domain ip and the SPF ip are the same.
 
Ok, I agree, SPF IP and domain IP don't have to be the same. But setting the DA server IP as SPF is in my opinion less logical if a MX record is created with the provided IP (telling the outside world that the provided IP handles the mail).

Anyway, the checkbox/textfield is a good solution.
 
> But setting the DA server IP as SPF is in my opinion less logical

Only if you assume that DA should somehow be able to figure out whether that ip belongs to you or some other server.
 
Thinking of it, maybe it's an option not to set the SPF record at all if the entered IP is not a local one ..
 
How is DA going to know if it's a local ip or not? Maybe you forgot to add the ip before going to DNS Administration. Only a human can know for sure if it's a local ip or not.
 
Since DA has a nice interface for IP-management, I'm sure it can figure out whether the entered IP is within that array of addresses.
 
I have 10 different class C ip addresses that can be assigned to any of my 70 servers. How is it going to know?
 
Dude, I'm talking about locally (as in the local machine) configured IP-addresses. Who cares about other machines?

/sbin/ifconfig
 
Dude, you're still not getting it. I didn't want to have to go into detail but it looks like I am going to have to.

I already said:

> How is DA going to know if it's a local ip or not? Maybe you forgot to add the ip before going to DNS Administration.

Maybe you did not understand that.

In order for DA to know if the ip is local or not the ip would have to already exist on the server. Now read carefully this time. What if I have not added the ip yet? What if I forgot to add the ip to the server first? The ip can be a local ip but not added to the machine yet.

/sbin/ifconfig will only tell you what ip's have been added to the machine. It will not tell you what ip's you plan to add to the machine.

You are not seeing the big picture of all the possibilities.

So let's just be satisfied with the suggestion:

> Anyway, the checkbox/textfield is a good solution.

and be done with this thread. I know I am done.
 
Hello,

I can see the issue of not wanting the SPF pointing to the DA server if the domain doesn't live on the DA box.

A checkbox for yes/no adding of the SPF would be the simplest option.

At this time, I wouldn't go as far as to add a new field to specify the IP for the spf, at most it would be a checkbox and not have the spf added at all.

One also has to keep in mind that when you mention adding a "custom" ip.. the word custom usually adds many flags to procedures, often resulting in extra steps, as a custom item tends to not follow the vanilla rule set. In this case, the result is editing or deleting the created spf record, which really isn't a huge deal. We also have templates which can be used to adjust what is added or not.. you can decide. For sometimes-yes/sometimes-no items, then the checkbox would really be the only good solution.

I'll add it to the versions system for implementation, but it may not make it into the next release, since there are simple options for overcoming this customization as described above (delete it, edit it, change the template).

John
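
Added example, not part of the thread and not DirectAdmin code: a small audit that checks whether the IP a zone's MX points to is actually authorized by the zone's SPF record, which is the mismatch discussed above. The zone data, names and documentation-range addresses are constructed, and only the `ip4`, `a` and `mx` mechanisms without arguments are handled.

```python
import ipaddress

# Constructed zone: created with custom IP 198.51.100.20 for A/MX, while the
# SPF TXT record lists the DNS server's own IP 192.0.2.10 (assumed values).
ZONE = {
    "A": {"example.com.": ["198.51.100.20"], "mail.example.com.": ["198.51.100.20"]},
    "MX": {"example.com.": ["mail.example.com."]},
    "TXT": {"example.com.": ["v=spf1 ip4:192.0.2.10 ~all"]},
}

def spf_networks(zone, domain):
    """Return the networks that the domain's SPF record authorizes with a pass result."""
    records = [t for t in zone["TXT"].get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        # RFC 7208: zero records means no policy, more than one is a permerror.
        raise ValueError("expected exactly one SPF record, found %d" % len(records))
    nets = []
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if qualifier != "+":
            continue  # ~all, -all, ?all etc. do not authorize anyone
        if mech.startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech == "a":
            nets += [ipaddress.ip_network(ip) for ip in zone["A"].get(domain, [])]
        elif mech == "mx":
            for host in zone["MX"].get(domain, []):
                nets += [ipaddress.ip_network(ip) for ip in zone["A"].get(host, [])]
    return nets

def is_authorized(zone, domain, sender_ip):
    """True if sender_ip falls inside any network the SPF record passes."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in spf_networks(zone, domain))

def unauthorized_mx_ips(zone, domain):
    """List MX target IPs that the SPF record would not pass as senders."""
    ips = [ip for host in zone["MX"].get(domain, []) for ip in zone["A"].get(host, [])]
    return [ip for ip in ips if not is_authorized(zone, domain, ip)]

if __name__ == "__main__":
    print("MX IPs not covered by SPF:", unauthorized_mx_ips(ZONE, "example.com."))
```

Whether an uncovered MX IP is a problem depends on which host really sends the domain's outgoing mail, which is the point the posters disagree on.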
 