SPF!!!

rmxs

I talked with Microsoft about junk mail and they suggested this for SPF..

We also reviewed the SPF record for your domain and note that it includes the "?all" termination. The purpose of an SPF is to allow Hotmail to verify that traffic coming in from a particular IP is authorized to send on behalf of your domain. It works by giving Hotmail a test to run. If the sender passes the test, then mail is authorized for the domain. Otherwise, such mail may be negatively routed through our network. Below I have provided a copy of your current SPF record for your reference:

v=spf1 a mx ip4:211.111.111.111 ?all

We would highly recommend updating your SPF record terminator mechanism to either ~all or -all.

The ~all enables IPs to be authorized if it fails tests delineated in SPF. Hotmail will accept this statement but traffic may earn higher spam weight. If the Sender ID check does not pass any of the arguments within an SPF record with this terminator, a "Soft Fail" is returned.

The -all enables IPs to be authorized only if it passes tests delineated in the SPF record. Hotmail prefers this end statement. If the Sender ID check does not pass any of the arguments within an SPF record with this terminator, a "Fail" is returned. Whereas the "?all" termination in your SPF tells Hotmail to accept traffic even if it comes from an IP not listed in your SPF. This opens you to spoofing and phishing attempts and Hotmail will not accept such a suggestion.

DirectAdmin creates ?all by default. Why is this, and why does Hotmail suggest another way?
 
Funny, we just had this discussion at a meeting I attended yesterday.

Yes, it needs to be changed to ~.

Years ago it may even have been I who suggested otherwise, but use of spf has evolved.

John?

Jeff
 
lol..

me too, I talked about this in a meeting 2 days ago; that's why I asked Microsoft about it..

so the next update maybe needs to have this also..
 
Yes, -all or ~all is better than ?all.
The reason we had ?all was because clients often had port 25 shut off to them by their ISP. This would mean the sending IP is their ISP and not their webhost. That would mean that - or ~ would be considered a spoof and the email will fail for sure.

However, we now have port 587 for that.. so if a client is unable to send to their host on port 25, they should change their port to 587. This would allow the SPF to be set to ~all or -all.

So ~all is slightly less strict than -all, but slightly more open to spoofs.. and slightly more forgiving though. So ~all is probably the better choice over -all.

I will change it to ~all for the next release in the dns_txt.conf file.

John
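The qualifier semantics Microsoft describes above, and the port-25 scenario John gives, as an added worked example (not code from DirectAdmin or from anyone in this thread): a minimal evaluator for just the mechanisms this record uses (a, mx, ip4, all). The example.com domain, the 203.0.113.x / 198.51.100.x addresses and the FAKE_DNS table are constructed stand-ins for the DNS lookups a real evaluator would perform.

```python
import ipaddress

# Constructed DNS data standing in for the A and MX lookups that the "a" and
# "mx" mechanisms trigger; a real evaluator queries DNS for these.
FAKE_DNS = {
    "a": {"example.com": ["203.0.113.10"]},
    "mx": {"example.com": ["203.0.113.20"]},
}

# SPF qualifier -> result when the mechanism it prefixes matches the sender.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Return the SPF result for sender_ip against an spf1 record.

    Mechanisms are tested left to right; the first one that matches decides
    the result. Only a, mx, ip4 and all are handled (what the thread's record uses).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # an IPv6 sender never matches an ip4 mechanism
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = str(ip) in dns[name].get(arg or domain, [])
        else:
            return "permerror"  # mechanism this toy evaluator does not know
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term closed the record


def result_per_terminator(mechanisms, sender_ip, domain, dns=FAKE_DNS):
    """Show how one sender fares when the same record ends in ?all, ~all or -all.

    This is John's port-25 case: a customer whose mail leaves through the ISP's
    relay (an IP not in the record) is neutral under ?all but fails under -all.
    """
    return {q + "all": evaluate_spf(f"v=spf1 {mechanisms} {q}all", sender_ip, domain, dns)
            for q in "?~-"}
```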
 
Thanks John. Can you tell us all an easy way to change it?

What would I do? I'd run a single-line perl script to edit all the /var/named/*.db files, and then run the DA command to update the serial number (required if you use master/slave DNS) and restart DNS.

Jeff
 
jlasman:

Change SPF record for all zones:
Code:
cd /var/named
perl -pi -e 's/\?all/\~all/' *.db
echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d
Change it to be the default one for new domains:
Code:
cd /usr/local/directadmin/data/templates/custom
cp ../dns_txt.conf .
perl -pi -e 's/\?all/\~all/' dns_txt.conf
That's it.
 
Thanks to both of you who replied at almost the same time.

Now we have it in the record :).

Jeff
 
Hello,

It wouldn't be a bad idea.
DirectAdmin will not change an existing zone, so if you want the updated spf record for existing zones, you'd have to run it.

John
 