Sender ID Framework SPF Record Wizard

Discussion in 'DNS Server' started by Phil, Jun 25, 2005.

  1. In
    Actually SenderID uses an implementation of SPF along with XML. But I do
    agree that XML is somewhat a bloated method, and will require additional
    bandwidth, not much, but it can add up. I would rather just stick with the
    plain old SPF TXT record type. It would be nice if there was an
    implementation in the future for a specific SPF record instead of using a
    TXT record.

    Ace Fekay [MVP], Jun 27, 2005
  2. Phil

    Phil Guest

    I'm sure Microsoft didn't make the decision lightly and without

    My whole complaint deals with the poor instructions and support by Microsoft
    for those of us who aren't DNS experts. I do not take issue on Microsoft's
    attempt to reduce SPAM.

    I'm once more confused. I assumed Sender ID and SPF were one and the same

    That's news to me. My server sends thousands of emails to AOL every day,
    and I've never heard a single recipient complain that their incoming email
    from our server is being tagged as SPAM.

    I thought all I needed to do was tweak my DNS records. Now you are telling
    me I must obtain a 3rd party tool in order to comply with MSN and Hotmail?

    Look, I don't mean to sound rude, but I have better things to do than spend
    3 hours trying to uncover the meaning of the latest acronym technology being
    trumpeted by Microsoft. I am now on day 4 on my trek, and I'm still as
    confused today as I was on Friday when I came across the news that MSN and
    Hotmail will be flagging incoming email as SPAM unless mail servers start
    That's correct. And even the expert in the article uses the term "strong
    arm" in regards to Microsoft. Why then am I incorrect in echoing an
    expert's opinion?

    Phil, Jun 27, 2005
  3. In
    There is that option XML component. I don't think many will jump to use that
    quite yet, but that's a possibility.
    No, not yet. If your system is on an RBL or doesn't have a PTR, they just
    deny the email. If you are getting thru, fine. They are not requiring SPF
    quite yet, but they are heading in that direction.
    To send to them, you will need an SPF record, is what they are saying. I am
    saying is if this is adopted industry wide, for you to receive ONLY SPF'd
    domains, you will need to have a 3rd party tool. I've been using Vamsoft ORF
    for myself and my clients and it halts about 99% of junk coming in before it
    hits the Information Store. It doesn't support SPF yet, but they will
    eventually offer that feature. I don't know what you are using at this time
    to prevent spam at the MTA, but checking for SPF can help, but it may also
    hurt and may stop you from receiving legit mail. Until the industry adopts
    this as a mandate, that is something you will need to decide if you want it.
    As with any industry, everyone has their own terminology. Microsoft is just
    using terminology for this industry.

    Hotmail and MSN are just saying you need an SPF record, that's it.
    Misunderstanding? I'm not necessarily a follower, so I don't necessarily
    agree with most things I read out there. I just try to analyze it to see how
    it affects me or my clients, especially knowing that this SPF stuff will
    eventually be adopted industry wide sooner or later.

    But I'm sorry to hear you feel that way.
    I hope you were able to get your SPF records in order.

    Ace Fekay [MVP], Jun 27, 2005
  4. Phil

    Phil Guest


    No, I do not believe I have gotten them in order. I have not had anyone
    confirm whether I need to enter a SPF TXT record for every single one of my
    virtual domains on IIS 5. Must I enter an SPF TXT item for every single
    virtual domain that is hosted on my server? If I host 50 domains, and all
    50 use the mail server (which is also on the same server as IIS), then must
    I add 50 new SPF records?

    Phil, Jun 27, 2005
  5. Phil

    Herb Martin Guest

    There are plenty of inexpensive servers and many free ones
    Mercury (free), Hmail (free), Exim (I am running this on Win2003
    although it is nominally a Unix/Linux product); there are others.

    Sendmail and QMail can be made to work on Windows. IIS 6
    comes with both SMTP and POP (earlier versions came with only
    SMTP) but I am not necessarily recommending that, just pointing
    out that it exists and if you have Windows 2003 you have both
    of these -- and with earlier versions you have the SMTP server.

    Then you need to learn about your server, read the manual, ask some
    IMail people (I thought Kevin mentioned it too), or get a new server.

    I would bet that I could find it within 5-30 minutes and you should be
    able to do so now also, since you NOW know what you are seeking.

    BTW, this is nothing to do with Microsoft or SPF but something, you
    should get right now, and for many years in the past it has been a virtual
    You cut the part where I ACTUALLY wrote, "...trivial...or mildly

    It may or may not be dishonest to so chop someone's statement in quotation
    then respond as if that is the totality but it is usually irritating and not
    to asking for help from people who are trying to assist you, but
    Actually it can be trivial -- if all will use the same "spf record" (include
    or redirect to
    the main domain) then a perl (etc) script can run through all of the 'other
    zones faster than you can likely create the initial record.

    All of my zones except LearnQuick.Com will redirect to the
    SPF record. (I have thirty or so which isn't quite as bad as 200.)

    It would be easier to do than all the belly-aching you have so far exhibited
    (separate from the later decent questions you have mixed in with the

    It's also a PITA to try to help people who would rather complain than
    find the answers and fix problems but some of us do it anyway <grin>
    Herb Martin, Jun 27, 2005
  6. Phil

    Herb Martin Guest

    All I know is that come November ALL email sent to Hotmail and MSN will be
    Have you seen an actual Microsoft announcement of this?

    Where is it? Does it say "an SPF record" or something like
    "and full and complete SPF record terminated by -all"

    If not the latter, you could just write your SPF this way:

    v=spf1 +all

    It would be worthless TO YOU except to 'authorize' every spammer
    in the world to send on behalf of your domain but it would cover you
    in all but the specific case where MS requires -all (which I doubt they
    will do in the first iteration.)

    Likely "any" record will be acceptable at first. And later they will
    require at least a softfail ~all, perhaps then finally a -all to terminate
    the record.
    That's bull -- they are saying how they will CHOOSE to accept email.

    You may do the same if you wish (to live with the consequences.)

    No one has ANY obligation to accept YOUR email, just as you have no
    obligation to accept email from others.

    (With some minor exceptions for empty <> messages due to RFC.)
    Herb Martin, Jun 27, 2005
  7. Phil

    Herb Martin Guest

    Here are some quotes from the article that triggered my recent trek of

    Notice the word "Potential" -- I am doing this today, "marking
    as MORE LIKELY Spam" not blocking.

    Kevin will (usually) reject your email OUTRIGHT if you send
    him an improperly authorized email (I know because he was
    kind enough to let me test my setup against his until I perfected
    my SPF which was rather complicated.)
    And in this case you complaining is irrelevant since it deals with something
    that may never happen -- although I personally hope it does.

    We can knock out a LOT of SPAM if everyone has proper SPF -- starting
    with the PHONY bounces (joe jobs) to those who didn't send the email
    in the first place.
    And you don't find that the links they (MS) provide to
    are SIMPLE?

    My situation was very complex, and yet I found what I needed there.

    (For a small company my SPF is amazingly tricky.)

    nslookup -q=txt

    nslookup -q=txt

    (You need both, since my SPF was so long that I felt it necessary to
    include another record, i.e., -- eventually though,
    I am going to put it ALL into and spf2, etc.)

    All of my other domains can just include: or redirect: to

    (I think I found a high instance of bugs in current SPF software when using
    "redirect" though, so my preference is for "include" -- maybe that was my
    own error however so I need to revisit this.)
    Herb Martin, Jun 27, 2005
  8. Phil

    Herb Martin Guest

    No, I do not believe I have gotten them in order. I have not had anyone
    If you even asked that question you should separate it from the moaning
    and kvetching and place it clearly at the top of the post - -or even in
    the subject line.

    BTW, I more or less answered it already just because it seemed you SHOULD
    have asked this question if it bothered you.

    The answer is: YES, if you wish to protect your domains with SPF records
    you will need a record for EACH DNS zone.

    These can be trivial because all but the "main domain" can be:


    (I believe I have the above correct but the principle is there.)
    I thought it was 200 domains? Well no matter, 20, 50, 200, 2000, after the
    first dozen or so you just write a script to put in the redirect for all but
    first one.
    Herb Martin, Jun 27, 2005
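    An added example, not code from anyone in this thread, illustrating the points in Herb's posts 6 and 8: a small Python evaluator for a subset of SPF run against constructed zone data. It shows that a hosted zone can carry nothing but a redirect to the main domain's record, how a script could emit that record for every hosted zone, and how +all, ~all and -all differ in the result they produce. All domain names and IP addresses are constructed placeholders.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed in-memory DNS."""
import ipaddress

# Constructed zone data standing in for DNS TXT and A lookups (hypothetical names).
TXT = {
    "main.example": "v=spf1 ip4:203.0.113.0/24 a:mail.main.example -all",
    "shop.example": "v=spf1 redirect=main.example",      # hosted zone: redirect to main
    "blog.example": "v=spf1 include:main.example ~all",  # hosted zone: include, softfail
    "open.example": "v=spf1 +all",                       # the 'authorize everyone' record
}
A = {"mail.main.example": ["198.51.100.7"]}

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def redirect_records(main_domain, hosted_zones):
    """The 'script' Herb describes: one redirect record per hosted zone."""
    return {zone: f"v=spf1 redirect={main_domain}" for zone in hosted_zones}

def check_host(ip, domain, depth=0):
    """Return the SPF result for a connection from `ip` claiming MAIL FROM `domain`."""
    if depth > 10:
        return "permerror"  # RFC 7208 limits DNS-querying terms; treat deep chains as an error
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # modifier: only consulted if nothing matches
            continue
        qual = "+"                             # a mechanism with no qualifier means '+'
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUAL[qual]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUAL[qual]
        if name == "a":
            host = arg or domain
            if any(addr == ipaddress.ip_address(h) for h in A.get(host, [])):
                return QUAL[qual]
        if name == "include" and check_host(ip, arg, depth + 1) == "pass":
            return QUAL[qual]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"
```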
  9. Phil

    Phil Guest

    All I know is that come November ALL email sent to Hotmail and MSN will
    Yes. And I gave Andrew the link that started this whole headache for me:

    Phil, Jun 28, 2005
  10. Phil

    Phil Guest

    All I know is that come November ALL email sent to Hotmail and MSN will
    Yes. And I already gave Andrew the link that started this whole headache
    for me:

    You can read the article yourself and judge for yourself. Just keep in
    mind as you read the article that this was the first time I had ever heard
    of Sender ID and SPF, and therefore what impact do you think this article
    would have upon a person like myself with very little DNS experience? At
    the end of the article ask yourself, "OK, what should I do to comply?" and
    then notice that there are no links that say "Click here to see the simple
    steps required to comply..."

    As I have said before, I have no problem with Microsoft trying to cut down
    the SPAM flow. My issue is that there are no simple tutorials provided for
    those like me who are not experts at DNS maintenance.

    Phil, Jun 28, 2005
  11. Phil

    Phil Guest

    The article that I quoted made it very clear that the Sender ID requirement
    WAS going to happen without any question.

    My "complaining" (as you call it) was in fact a quote from the article. And
    what you describe as "something that may never happen" is not the way the
    Microsoft representative in the article described the Sender ID requirement.
    The MS rep. said it was going to happen at Hotmail and MSN in November, not
    that it "might" happen.

    Phil, Jun 28, 2005
  12. Phil

    Phil Guest

    The answer is: YES, if you wish to protect your domains with SPF records
    Thank you for clarifying this.

    My next question is: How will I know that my SPF entries are correct? What
    is the method of confirming the accuracy of my work/DNS changes? Consider
    in your answer the fact that 98% of the DNS records on my server belong to
    other domain name holders that are hosted on my server. IOW, I cannot send
    test emails from their accounts for fear that the customer will receive back
    a reply in their Inbox which they will not recognize and will confuse them.

    You missed the word "IF" in my hypothetical question.

    I don't know how to write a script.

    Phil, Jun 28, 2005
  13. Phil

    Phil Guest

    There have been some suggestions to combat spam, such
    Phil > I'm once more confused. I assumed Sender ID and SPF
    Phil> were one and the same technology.

    Andrew> There is that option XML component. I don't think
    Andrew> many will jump to use that quite yet, but that's a
    Andrew> possibility.

    "That option XML component"?! Huh?

    If AOL required mail servers to do something special, and then AOL failed to
    provide clear, detailed, simple instructions and tutorials on what is
    required, then "yes" I would "strike" at AOL. I would love to make every
    large ISP's job easier IF they would only make it easy for me to comply with
    what they are asking. That's all that I'm asking.

    I don't know what an MTA is. But regardless, I don't do anything except
    keep an IP blacklist containing mostly Asian IP addresses.

    Phil, Jun 28, 2005
  14. Phil

    Phil Guest

    Actually it can be trivial -- if all will use the same "spf record"
    I don't know how to write scripts, so your suggestion doesn't help. Whoops!
    There I go belly-aching and kvetching again.

    Phil, Jun 28, 2005
  15. In
    Who is Andrew??
    Ace Fekay [MVP], Jun 28, 2005
  16. In
    Who is Andrew??
    If you read my previous post, I stated in context:
    "...certificate for their MTAs (SMTP servers) to authenticate their mail..."
    It may be beneficial to you and to all of us involved if you read up more
    in-depth about SPF at to gain a better understanding of it instead
    of complaining about it. It's new technology, a new method, in the light of
    current spam problems, so all I can say is embrace it, it'll probably
    eventually be de facto.

    Curious, did you have complaints about upgrading to Windows 2000 or 2003 when
    it came out?

    Ace Fekay [MVP], Jun 28, 2005
  17. In
    I guess this "Andrew" thing is a direct derogatory statement aimed at me.

    Phil, it isn't necessary to trash everyone being upset at an evolving
    industry standard.

    Ace Fekay [MVP], Jun 28, 2005
  18. In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&>
    stated, and I replied below:

    See that, you're starting to make me believe I am actually an Andrew...
    Ace Fekay [MVP], Jun 28, 2005
  19. In
    Sorry about the other posts Andrew about the name confusion. Unless I was
    mistaken, he was quoting me but using your name, and I didn't realize he was
    referring to you until just now.

    My deepest apologies....

    Ace Fekay [MVP], Jun 28, 2005
  20. Phil

    Herb Martin Guest

    I don't know that your admission is belly-aching -- if you have 50-200
    domains and cannot program AND don't have a programmer to help you
    it does speak to competence however.

    You really should learn to program (at least a little) -- no admin's
    education is finished until he/she can program basic tasks, and it
    is foolish to try to manage a large number of domains without some
    rudimentary programming skills or a programmer on staff who can

    Again, if you ask politely for what you need someone might help --
    I know that I have written scripts for people on occasion and frequently
    explain how they can do it themselves.

    Solve the problem -- even if it means you must learn new skills and
    new techniques.
    Herb Martin, Jun 28, 2005
