SPF record confusion

Discussion in 'Windows Small Business Server' started by Gregg Hill, Feb 21, 2007.

  1. Gregg Hill

    Gregg Hill Guest

    Hello!

    I have been reading about SPF records all afternoon. Depending upon which
    SPF tool is used to create the record, I have ended with the several
    different SPF records noted below. I am running a single SBS 2003 SP1 server
    with Exchange SP2, static IP address, PTR set up with ISP, MX and A records.

    SPF records via Microsoft SPF Wizard at
    http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

    v=spf1 mx ip4:xxx.xxx.xxx.xxx ptr:mail.mydomain.net
    mx:mail.mydomain.net -all

    v=spf1 mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all



    SPF records via wizard at https://openspf.org

    v=spf1 mx ip4:xxx.xxx.xxx.xxx ptr:mail.mydomain.net
    mx:mail.mydomain.net -all

    v=spf1 ip4:xxx.xxx.xxx.xxx a mx mx:mail.mydomain.net ~all

    v=spf1 ip4:xxx.xxx.xxx.xxx -all




    What do I really need to have? It seems as though

    v=spf1 ip4:xxx.xxx.xxx.xxx -all

    should be all I need. Why are all the other options presented? What do they
    all mean?

    Thank you for helping an SPF noob.

    Gregg Hill
     
    Gregg Hill, Feb 21, 2007
    #1
    1. Advertisements

  2. Thanks for posting your question here.

    As you have probably discovered the format for SPF records can vary greatly
    depending on the version of SPF Record you choose to create (version 1 or
    2) and on the options that you chose when you ran the wizard. Hopefully I
    can shed some light on the topic here.

    There are 2 versions of SPF records, 1 and 2 (go figure!). Each version is
    associated with a different set of message headers from which the PRA
    (Purported Responsible Address) can be determined. The PRA is simply who
    the sender CLAIMS to be. Each version and set of message headers is
    associated with a different RFC that defines the headers for that portion
    of the message and you will see terms for each of these used almost
    interchangably to describe them.

    - SPF1 / RFC8281 / "Mail From"

    SPF1 records are intended to be read, interpreted, and acted upon by
    a receiving mail server that relies on determining the PRA from the address
    specified in the "Mail From" command in the SMTP dialog. The "Mail From"
    command is defined in RCF8281 along with other SMTP commands like EHLO,
    "Rcpt To", Data, etc.


    - SPF2 / RFC8222 / "PRA"

    SPF2 records are intended to be read, interpreted, and acted upon by
    a receiving mail server that relies on determining the PRA from the address
    specified in one of the following SMTP commands: Sender, From,
    Resent-Sender, and Resent-From. These header commands are defined in
    RFC2822. These are the SMTP dialog commands that are entered after the
    "Data" command, which is one of the RFC2821 commands. In some SenderId
    discussions and documents the sender in these headers is also referred to
    as the "PRA". But PRA can also be used in general terms to refer to the
    supposed sender of the message.

    You will notice that the format of SPF1 and SPF2 records is different to
    make it more "interesting". Don't concern yourself with the format much as
    long as you have chosen the right options in the wizard.

    If a receiving mail server like Exchange 2003 SP2 finds an SPF2 record in
    the DNS zone of the purported sending domain, it uses it for senderid
    verification. If one does not exist, it looks for an SPF1 record and uses
    that. If that does not exist either, it doesn't usually fail verification
    but rather passes the fact that it could not find it on to the IMF and then
    the IMF uses that info to assist in determining the SCL (Spam Confidence
    Level) of the message.

    In short, you don't really need any SPF records at all, but if you want to
    reduce the likelihood that messages sent from your domain will wind up in
    someone's junk mail folder, then I would BOTH types. It does not hurt to
    have both as discussed above. The receiver will look for the version(s)
    that it supports.

    Keep in mind that one of the purposes of senderid is to protect your
    customers and your reputation by reducing the chance that a malicious
    entity will send email as your organization and then prompt innocent
    victims for personal information or direct them to a malicious website.

    One other note...the wizard at
    http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
    seems broken right now. If you choose to create both kinds of records it
    only creates an SPF1 record, whereas if you choose to create only SPF1/Mail
    From/RFC2821 it creates both.

    My advice to you...choose the option on that wizard to create the one for
    RFC2821 (effectively creating both) then send those to your ISP or add them
    to your own public DNS zone as TXT records.

    Another note, the above wizard gives you A LOT of options. In a small
    business server scenario I would keep it simple and choose to create
    records for IPs for which you have MX records. That is, check the box
    labeled "Domain's inbound servers may send mail". Because most likely in
    SBS your outbound mail server is also your inbound mail server. But if you
    choose the option in SBS to forward outbound through a smarthost, then you
    might want to also choose the option to add your ISPs domain or outbound
    mail server IP addresses since they will essentially sending mail on your
    behalf.

    I know this is a lot to digest. Let us know if you have any additional
    questions about this.

    Jim Martin - (MSFT)

    Microsoft Corporation
     
    Jim Martin [MSFT], Feb 21, 2007
    #2
    1. Advertisements

  3. Gregg Hill

    Gregg Hill Guest

    Jim,

    Thank you for the information. I have a backup mail service through my DNS
    host, zoneedit.com, so there are technically two inbound mail servers,
    correct? I assume that would mean that I would NOT check the box for
    "Domain's inbound servers may send mail," since the backup one only holds
    mail if mine is down.

    My reason for the SPF is to prevent spoofing of my domain, and eventually,
    my clients' domains.

    The options I am using are:

    "Domain Not Used for Sending E-Mail"
    No mail is sent from domain = Unchecked


    "Inbound Mail Servers Send Outbound Mail"
    Domain's inbound servers may send mail = Checked
    mail.mydomain.net = Checked
    mx2.zoneedit.com = Unchecked


    "Outbound Mail Server Addresses"
    All addresses listed in A records may send mail = Unchecked
    xxx.xxx.xxx.xxx = Checked
    No additional IP addresses entered
    No additional domains listed


    "Reverse DNS Lookup"
    All PTR records resolve to outbound email servers = Checked


    "Outsourced Domains"
    None


    "Default"
    No; this domain sends mail only from the IP addresses identified above. =
    Checked


    "Scope"
    With all things the same above except for changing the choice in the Scope,
    I get the following results.

    Scope choice #1 "The Purported Responsible Address (PRA) derived from RFC
    2822 message headers" results in this output:
    spf2.0/pra mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all

    Scope choice #2 "The MAIL FROM (or reverse-path) address derived from the
    RFC 2821 protocol's MAIL command" results in this output:
    v=spf1 mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all
    and
    spf2.0/pra ?all

    Scope choice #3 for "Both" results in this output:
    v=spf1 mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all


    So if I choose Scope option 2 or 3, the SPF1 record comes out the same, but
    if I choose Scope option 1, the SPF2 record is different than it is in Scope
    option 2. Why?

    Then if I change the "Inbound Mail Servers Send Outbound Mail" to be:
    Domain's inbound servers may send mail = UNchecked

    I get the following

    Scope choice #1:
    spf2.0/pra ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all

    Scope choice #2:
    v=spf1 ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all
    spf2.0/pra ?all

    Scope choice #3:
    v=spf1 ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all

    It certainly creates a wide variety of records. One site that I found said
    that all that is needed for a single mail server such as SBS is to have this
    SPF:
    v=spf1 ip4:xxx.xxx.xxx.xxx -all


    In case you haven't guessed, I am still confused! Could it be as simple as
    using "v=spf1 ip4:xxx.xxx.xxx.xxx -all"? Is there any benefit to having the
    ptr and mx specified?

    Thank you again!

    Gregg Hill
     
    Gregg Hill, Feb 21, 2007
    #3
  4. Don't feel bad, Gregg. It can be a confusing topic.

    The benefit of specifying MX and PTR is that your implementation is more
    dynamic. If you just specify "v=spf1 ip4:xxx.xxx.xxx.xxx -all" then if
    your public IP address ever changes you will have to change the SPF
    record(s) manually whereas specifying MX says any server IP that has an MX
    record in my DNS zone is a valid sending mail server. In small
    implementations that isn't that big of a deal but for large organizations
    it can save you a whole lot of adminstrative effort. If you only have the
    one public IP and you have an MX record for that, then I would keep it
    simple and only choose the MX option (forget about the explicit IP
    address).

    As far your backup mail server, if it is only used for inbound mail then
    that won't play a role in the creation of your SPF records...it is only
    outbound mail servers you are concerned about when it comes to creating
    your SPF records. You only need to be concerned about your ISP's mail
    servers if you are using them as a Smart Host to relay email to the
    Internet. If that is the case, then contact them and they should be able
    to tell you SPF record requirements for their outbound mail servers
    (whether by domain, IP, etc.).

    Also, I would create both SPF1 and SPF2 (Scope choice #2). You want to
    give any receiving mail server as many chances as possible to verify that
    you are who you say you are and that the bad guys aren't.

    I don't see any options that you have chosen as potentially problematic.
    Keep in mind that all of the options except for the first one ("Domain Not
    Used for Sending E-Mail") are additive and don't tend to take away from the
    verification options. So generally there isn't such a thing as too much in
    this case except that it just makes it more complex to sort through what
    you have created after the fact.

    Here is what I would do: Run through the wizard and only choose the MX
    option and scope choice 2. Make sure it creates spf1 in one window and
    spf2 in a second. Add those to your zone. Wait for DNS to replicate to
    other DNS servers on the Internet (generally 1-2 days). From your domain
    send an email to 25.com . They will respond to you
    with a report that analyzes your SPF record implentation.

    Also, add the SenderId column to your inbox and/or junk mail folder in
    Outlook running on a DIFFERENT domain that is running Exchange 2003 SP2
    with SenderID verification enabled. Here is the link on how to do that.

    http://msexchangeteam.com/archive/2005/10/13/412487.aspx

    Once you have done that, send some test emails from the domain for which
    you created the SPF records to the domain on which you configured Outlook
    and enabled SenderId verification. The value in the SenderId column will
    be one of the following:

    1 = Neutral
    2 = Pass
    3 = Fail
    4 = Soft Fail
    5 = None
    80000006 (-2147483654) = Temp_Error
    80000007 (-2147483655) = Perm_Error

    You want the test messages you sent to show a value of 2, meaning that the
    receiving mail server was able to find the desired SPF records and use them
    to confirm that the sender was authorized to send mail on behalf of that
    domain.

    One more note, BEFORE you turn on SenderID validation on Exchange, please
    apply hotfixes 905214 and 918283.

    By the way, you might want to search for "senderid" on the Exchanmge blog
    site mentioned above to get more info on SenderId.

    Good luck!

    Jim Martin - (MSFT)

    Microsoft Corporation
     
    Jim Martin [MSFT], Feb 22, 2007
    #4
  5. Gregg Hill

    Gregg Hill Guest

    Jim,

    I think I will just use the MX option as you suggested. One
    question...should I use the mail server's name or just the domain name?

    If I understand correctly, using

    v=spf1 mx:mydomain.net -all

    will mark all servers listed in MX records as being allowed to send, while
    using

    v=spf1 mx:mail.mydomain.net -all

    will mark only my actual mail server as being allowed to send, and would not
    include the mx2.zoneedit.com server.

    Is that correct?

    Gregg Hill
     
    Gregg Hill, Feb 25, 2007
    #5
  6. Gregg Hill

    Gregg Hill Guest

    Jim,

    I found this page http://www.kitterman.com/spf/validate.html that lets one
    test an SPF record. It does not test version 2 yet.

    I tested the following SPF records:

    1) v=spf1 mx:mail.mydomain.net -all

    2) v=spf1 mx -all

    3) v=spf1 mx:mydomain.net -all

    4) v=spf1 a:mail.mydomain.net -all

    Only the last three returned a passing score, but I think that #2 and #3
    would approve all MX record holders, even the mx2.zoneedit.com server.

    So, in order to approve only my mail server and not the mx2.zoneedit.com
    backup mail server, it looks as though my SPF should read

    v=spf1 a:mail.mydomain.net -all

    so that only a server matching the A record of mine will be valid.

    Do you agree?

    Gregg Hill
     
    Gregg Hill, Feb 25, 2007
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.