adriaan said:
A default of
domain2.com. IN TXT "v=spf1 ~all"
just means: "nobody is allowed to send mail with a sender domain of domain2.com, but we'll allow it anyway because we don't want to have any trouble"
That's not quite what the inventor of SPF says on
his website.
He says:
SPF queries that do not match any other mechanism will return "softfail".
Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny.
(Highlighting is mine.)
A better default would be (IMHO):
domain2.com. IN TXT "v=spf1 a mx ptr -all"
This means:
"the hosts that are listed in the A, MX and PTR records of domain2.com are allowed to send mail with a sender domain of domain2.com, anybody else is rejected"
This also means (as you do point out below) that if the user, like many, is using his ISP to send email (either because he wants to, or because his ISP doesn't allow outbound email through port 25 except through their own mailservers, or because, like some ISPs including AOL, all outbound email on port 25 is transparently redirected through their own mailservers), the user's mail will be rejected by anyone using SPF. These exceptions, many of which are hard to figure out and create a major support headache, are why I recommend "~all".
Or, when you also want to allow the SMTP server of the domain owner's ISP:
domain2.com. IN TXT "v=spf1 a mx ptr ip4:ip-address-of-ISP-SMTPhost -all"
Which works fine if your ISP has only one mail server. None of the big ISPs have only one mail server and with most of them you don't know which mail server you're getting so you need to get a list of all of the mailservers they may use, by IP# (not an easy task for most ISPs, who want to keep them as secret as possible for security). Since ISPs hardly ever have MX records pointing to their outgoing mailservers, also for security purposes, you can't depend on mx for the list of IP#s either.
If you still don't like the -all part, a safer default would be to replace the -all by ~all.
This way, most SPF records would contain reasonable information, but still no mail should be rejected because of the ~all part.
Just using
domain2.com. IN TXT "v=spf1 ~all"
won't get us anywhere in the long run, because the objective of SPF, the publication of hosts that are allowed to send mail for a certain domain, is completely ignored.
I'm the person who originally recommended ~all to DA before they offered any support for SPF at all, and I recommended it as a temporary solution.
It shouldn't be necessary to do anything else yet, because SPF won't be successful (because of the many points I've brought up above) until a fundamental change is made in the RFCs as to how outgoing email is handled.
Some suggestions have already been made (I believe I've already written about them in other posts on these forums) to use other ports for all email to be relayed through email servers. Implementation is actually fairly easy on exim, but it requires that all your clients switch to SMTP AUTH on another port.
I just saw that this subject has been discussed before:
http://www.directadmin.com/forum/showthread.php?s=&threadid=3770
and as I look into
/usr/local/directadmin/data/templates/named.db
I see a default of
|DOMAIN|. IN TXT "v=spf1 a mx ip4:|SERVER_IP| ~all"
so apparently DA has a better default setting now.
The mistake was mine; I was in error when I originally asked DA to use "-all"; that was an error that lasted a very short time as I informed them promptly of my mistake. But at least one version of DA was installed with the "-all" default by mistake.
All that said, here's what I use:
"v=spf1 a mx ip4:12.34.56.78 ~all"
where 12.34.56.78 is replaced by the main IP# of the server in question.
I suppose that's what DA should be using as a default now. What do you think?
Thanks for your thoughtful comments.
Jeff
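To make the difference between the records discussed above concrete, here is a small SPF evaluator. It is an added example and is not code from this thread or from DirectAdmin. It implements the RFC 7208 mechanisms that appear in the records quoted above (a, mx, ptr, ip4, all) with the +, -, ~ and ? qualifiers, and resolves names against a constructed in-memory DNS table instead of real DNS. The zone data (192.0.2.x for domain2.com, a hypothetical ISP relay smtp.isp.example at 198.51.100.25) is an assumption made for the example; 12.34.56.78 is the placeholder server IP from Jeff's record.

```python
"""Evaluate SPF records (RFC 7208 subset) against a constructed DNS table.

Added example: offline, in-memory DNS only. Supports the mechanisms used in
the thread (a, mx, ptr, ip4, all) with the +, -, ~, ? qualifiers.
"""
import ipaddress

# Constructed zone data for the example (assumption, not real data for domain2.com).
DNS = {
    "A": {
        "domain2.com": ["192.0.2.10"],          # the domain's main host
        "mail.domain2.com": ["192.0.2.20"],     # the domain's own MX host
        "smtp.isp.example": ["198.51.100.25"],  # hypothetical ISP outbound relay
    },
    "MX": {"domain2.com": ["mail.domain2.com"]},
    "PTR": {
        "192.0.2.20": ["mail.domain2.com"],
        "198.51.100.25": ["smtp.isp.example"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The candidate records from the thread (12.34.56.78 is the placeholder server IP).
CANDIDATES = [
    "v=spf1 ~all",
    "v=spf1 a mx ptr -all",
    "v=spf1 a mx ptr ip4:198.51.100.25 -all",
    "v=spf1 a mx ip4:12.34.56.78 ~all",
]


def _ip_in(ip, target, prefix=32):
    """True if ip lies inside target/prefix (prefix 32 means an exact match)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{target}/{prefix}", strict=False)


def _match_a(ip, name, prefix):
    """'a' mechanism: does any A record of name cover the sending IP?"""
    return any(_ip_in(ip, addr, prefix) for addr in DNS["A"].get(name, []))


def _match_mx(ip, name, prefix):
    """'mx' mechanism: does any A record of any MX host of name cover the IP?"""
    return any(_match_a(ip, mx, prefix) for mx in DNS["MX"].get(name, []))


def _match_ptr(ip, name):
    """'ptr' mechanism: reverse-resolve the IP, keep only names that forward-resolve
    back to the same IP, and match if one of them is name or a subdomain of name."""
    for host in DNS["PTR"].get(ip, []):
        if ip in DNS["A"].get(host, []) and (host == name or host.endswith("." + name)):
            return True
    return False


def check_spf(record, ip, domain):
    """Evaluate one SPF record for a sending IP; first matching mechanism wins.
    Returns pass/fail/softfail/neutral; neutral when no mechanism matches."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if not arg:  # bare mechanism such as "a", "mx/24" or "all": target is the domain
            mech, _, pfx = mech.partition("/")
            arg = domain + ("/" + pfx if pfx else "")
        mech = mech.lower()
        target, _, prefix = arg.partition("/")
        prefix = int(prefix) if prefix else 32
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _ip_in(ip, target, prefix)
        elif mech == "a":
            matched = _match_a(ip, target, prefix)
        elif mech == "mx":
            matched = _match_mx(ip, target, prefix)
        elif mech == "ptr":
            matched = _match_ptr(ip, target)
        else:
            raise ValueError(f"unsupported mechanism: {mech}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def evaluate_candidates(ip, domain="domain2.com"):
    """Return {record: result} for every candidate record, for one sending IP."""
    return {rec: check_spf(rec, ip, domain) for rec in CANDIDATES}


if __name__ == "__main__":
    # Domain's own MX, the ISP relay, and an unrelated host.
    for sender in ("192.0.2.20", "198.51.100.25", "203.0.113.9"):
        print(f"sender {sender}:")
        for rec, result in evaluate_candidates(sender).items():
            print(f"  {result:8s} {rec}")
```

Running it shows the point of the thread: mail relayed through the ISP host gets "fail" under "v=spf1 a mx ptr -all", "pass" only once the ISP's IP is listed, and "softfail" under the ~all variants, while "v=spf1 ~all" alone says nothing about who is authorised. Note that the ptr mechanism is implemented here because it appears in the quoted record; RFC 7208 discourages it in new records.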