SPF Record Nightmare

SteveK42

While we're still using ~all, it appears from the wizard on the spf.pobox.com site that the current proper procedure is to use ?all.

I've always said that SPF is way too immature for anyone to bounce based on it; this just shows me I'm right.

Jeff
 
Stupid Verizon + SPF

So it appears that Verizon is now starting to enforce spf on incoming mail. What do we need to do in order to get spf records added by default for every domain created under directadmin?
 
DirectAdmin has been adding SPF records by default for some time now; they add the generic recommended SPF record, or at least what used to be the generic recommended SPF record.

If you want to change the "~" to a "?", or make any other changes, then you should copy

/usr/local/directadmin/data/templates/named.db

to

/usr/local/directadmin/data/templates/custom/named.db

and in the latter position make any changes you wish.

Then all newly created domains will have the new records.

To rewrite DNS for all domains according to the custom template:
Code:
# echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue

As for us, we've rewritten all with "?all" instead of "~all", and I'm going to recommend the same to DirectAdmin staff for future updates.

Jeff
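The procedure above (copy the stock named.db template to custom/, edit the copy, then queue a rewrite) as an added example in Python. This is not code from the thread or from DirectAdmin: the paths are the ones quoted above, the da_root parameter exists only so it can be run against a scratch directory, and the sample template text is a constructed stand-in for the real named.db.

```python
"""Stage a custom DirectAdmin named.db with '?all' in place of '~all' and
queue a zone rewrite. Added example, not DirectAdmin's own tooling."""
import re
import shutil
import tempfile
from pathlib import Path

# Only the SPF TXT line is touched: a '~all' on a line containing v=spf1
# becomes '?all'. Other records in the template are left alone.
SPF_SOFTFAIL = re.compile(r"^(.*v=spf1.*)~all", re.M)

# Constructed stand-in for data/templates/named.db (not the real file).
SAMPLE_STOCK_TEMPLATE = """; constructed sample template
|DOMAIN|.\tIN A\t|IP|
|DOMAIN|.\tIN MX 10\tmail.|DOMAIN|.
|DOMAIN|.\tIN TXT\t"v=spf1 a mx ip4:|IP| ~all"
"""


def stage_custom_template(da_root="/usr/local/directadmin"):
    """Copy the stock template to custom/ (if not already there) and relax
    the SPF qualifier in the copy. Returns the number of lines changed."""
    templates = Path(da_root) / "data" / "templates"
    stock, custom = templates / "named.db", templates / "custom" / "named.db"
    custom.parent.mkdir(parents=True, exist_ok=True)
    if not custom.exists():
        # Edit the copy under custom/, never the stock file (the thread's advice).
        shutil.copy2(stock, custom)
    text = custom.read_text()
    new_text, changed = SPF_SOFTFAIL.subn(r"\1?all", text)
    if changed:
        custom.write_text(new_text)
    return changed


def queue_rewrite(da_root="/usr/local/directadmin"):
    """Ask the task queue to regenerate every zone from the custom template.
    Appends, so any tasks already waiting in the queue are not clobbered."""
    queue = Path(da_root) / "data" / "task.queue"
    with queue.open("a") as fh:
        fh.write("action=rewrite&value=named\n")


def run_demo():
    """Exercise both steps in a throwaway directory instead of a live box.
    Returns (lines changed, custom template text, task.queue text)."""
    root = Path(tempfile.mkdtemp())
    stock = root / "data" / "templates" / "named.db"
    stock.parent.mkdir(parents=True)
    stock.write_text(SAMPLE_STOCK_TEMPLATE)
    changed = stage_custom_template(root)
    queue_rewrite(root)
    custom_text = (root / "data" / "templates" / "custom" / "named.db").read_text()
    return changed, custom_text, (root / "data" / "task.queue").read_text()


if __name__ == "__main__":
    n, custom_text, queue_text = run_demo()
    print(f"{n} SPF line(s) changed\n{custom_text}\nqueued: {queue_text}")
```

On a real server you would drop the da_root argument and run it as root; the stock template is never modified, so a later DirectAdmin update that replaces it does not silently undo the change in custom/.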
 
Hello,

Changed to ? for next release.
It will only affect newly created domains, domains that are updated/changed (i.e. adding a subdomain), or all domains if the rewrite command (above) is issued.

John
 
I've got a couple of cPanel boxes, and it appears they have added SPF to the zone templates as well in the latest release. Would you mind if I asked for a comparison?

In cPanel, each new domain has the following added:

mydomain.com. IN TXT "v=spf1 a mx ptr"

In DA, we have:

mydomain.com. IN TXT "v=spf1 a mx ip4:11.222.33.44 ~all"

I've been reading the SPF draft http://spf.pobox.com/draft-mengwong-spf-01.txt but can't seem to wrap my brain around just what the differences are here. Jlasman, could you help? Both of these are on shared servers, so the IP will be used by other domains. The reverse DNS can be set for my own domain, but right now it goes back to the hosting service that provides the servers. Just what is the inclusion of the IP and the ~all doing for me in the second one, and what would the absence of them cause in the first? Thanks!
 
On http://spf.pobox.com/wizard.html, it will change from ?all to ~all if you answer yes to the following question:

"Do the above lines describe all the hosts
that send mail from domain.com?"

Therefore, if you configure your SPF records correctly, ~all should be fine.

Matt
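To make the difference between the two records concrete, here is an added example (not from any post in this thread, and not cPanel's or DirectAdmin's code): a toy SPF evaluator that runs the cPanel record, the DirectAdmin "~all" record and a "?all" variant against a sending IP. It handles only the mechanisms that appear in the thread (a, mx, ip4, ptr, all) with the four qualifiers, resolves names from a constructed in-memory table rather than live DNS, and skips include/redirect, macros and lookup limits, so it is not a full RFC 7208 implementation. The MX host name, the second IP address and the ISP host name are assumptions made up for the example; 11.222.33.44 is the address quoted above.

```python
"""Toy SPF evaluator for the records discussed in the thread.
Added example; resolves against a constructed DNS table, not the network."""
import ipaddress

# Constructed DNS data. mydomain.com and 11.222.33.44 come from the thread;
# mail.mydomain.com, 203.0.113.9 and smtp.example-isp.net are made up.
FAKE_DNS = {
    "A": {
        "mydomain.com": ["11.222.33.44"],
        "mail.mydomain.com": ["11.222.33.44"],
        "smtp.example-isp.net": ["203.0.113.9"],
    },
    "MX": {"mydomain.com": ["mail.mydomain.com"]},
    "PTR": {
        "11.222.33.44": ["mail.mydomain.com"],
        "203.0.113.9": ["smtp.example-isp.net"],   # a customer's ISP relay
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The records being compared.
CPANEL = "v=spf1 a mx ptr"
DA_SOFTFAIL = "v=spf1 a mx ip4:11.222.33.44 ~all"
DA_NEUTRAL = "v=spf1 a mx ip4:11.222.33.44 ?all"


def ip_in(ip, cidr_or_ip):
    """True if ip lies in the network (a bare address is treated as /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr_or_ip, strict=False)


def matches(mech, domain, ip):
    """Does one mechanism match the sending IP for this domain?"""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip_in(ip, arg)
    target = arg or domain
    if name == "a":
        return any(ip_in(ip, a) for a in FAKE_DNS["A"].get(target, []))
    if name == "mx":
        return any(ip_in(ip, a)
                   for host in FAKE_DNS["MX"].get(target, [])
                   for a in FAKE_DNS["A"].get(host, []))
    if name == "ptr":
        # Validated reverse lookup: the PTR name must be in the target domain
        # AND resolve forward back to the sending IP.
        for host in FAKE_DNS["PTR"].get(ip, []):
            in_domain = host == target or host.endswith("." + target)
            if in_domain and ip in FAKE_DNS["A"].get(host, []):
                return True
        return False
    raise ValueError(f"unsupported mechanism {name!r}")


def check_spf(record, domain, ip):
    """Evaluate a record left to right; first matching mechanism decides.
    With no match the result is neutral (RFC 7208 section 4.7 default)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if matches(term.lower(), domain, ip):
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    for label, rec in (("cPanel", CPANEL), ("DA ~all", DA_SOFTFAIL), ("DA ?all", DA_NEUTRAL)):
        own = check_spf(rec, "mydomain.com", "11.222.33.44")
        isp = check_spf(rec, "mydomain.com", "203.0.113.9")
        print(f"{label:8} from own server: {own:8} via ISP relay: {isp}")
```

Running it shows the point of the argument: all three records pass mail sent from 11.222.33.44, but a customer relaying through their ISP's server gets softfail under "~all" and neutral under "?all". The cPanel record, which has no "all" term at all, also ends in neutral for that sender, so in practice it behaves like "?all" (its "ptr" mechanism is one RFC 7208 says should not be used, since it costs the receiver extra lookups). Two caveats for a shared box: "ip4:11.222.33.44" authorizes that address for your domain regardless of which customer on the server actually sent the message, and once reverse DNS for the IP points at the hosting company rather than your domain, the "ptr" mechanism stops matching anything.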
 
retroweb, how can you possibly answer that question for all your clients and for their domains?

Do you know they'll never use their ISP's mailservers?

Do you know they'll never send an email from their friend's home or office?

Do you know they'll never send an email (perhaps while at Starbucks or Barnes and Noble, or while logged in through AOL) through an ISP that transparently redirects all outgoing email through their own mailserver?

It's most certainly not fine to limit your clients so that if they're ever in one of those positions their email won't go through.

Jeff
 
retroweb said:
...if you configure your SPF records correctly, ~all should be fine.

My customers can access their own DNS records, and therefore can set their own SPF record.

If they know what they're doing, ~all should be fine. ?all is a better solution by default for DA though, IMHO.

Matt
 
You're right...

if they can figure out the problem.

If they're trying to send email from an AOL account, though, or from the account of another ISP that uses redirection, they may never figure it out.

That's why I'm now using and recommending ?.

Jeff
 