SPF record confusion

Hello!

I have been reading about SPF records all afternoon. Depending upon which
SPF tool is used to create the record, I have ended with the several
different SPF records noted below. I am running a single SBS 2003 SP1 server
with Exchange SP2, static IP address, PTR set up with ISP, MX and A records.

SPF records via Microsoft SPF Wizard at
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

v=spf1 mx ip4:xxx.xxx.xxx.xxx ptr:mail.mydomain.net
mx:mail.mydomain.net -all

v=spf1 mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all



SPF records via wizard at https://openspf.org

v=spf1 mx ip4:xxx.xxx.xxx.xxx ptr:mail.mydomain.net
mx:mail.mydomain.net -all

v=spf1 ip4:xxx.xxx.xxx.xxx a mx mx:mail.mydomain.net ~all

v=spf1 ip4:xxx.xxx.xxx.xxx -all




What do I really need to have? It seems as though

v=spf1 ip4:xxx.xxx.xxx.xxx -all

should be all I need. Why are all the other options presented? What do they
all mean?

Thank you for helping an SPF noob.

Gregg Hill

 

Thanks for posting your question here.

As you have probably discovered the format for SPF records can vary greatly
depending on the version of SPF Record you choose to create (version 1 or
2) and on the options that you chose when you ran the wizard. Hopefully I
can shed some light on the topic here.

There are 2 versions of SPF records, 1 and 2 (go figure!). Each version is
associated with a different set of message headers from which the PRA
(Purported Responsible Address) can be determined. The PRA is simply who
the sender CLAIMS to be. Each version and set of message headers is
associated with a different RFC that defines the headers for that portion
of the message and you will see terms for each of these used almost
interchangably to describe them.

- SPF1 / RFC8281 / "Mail From"

SPF1 records are intended to be read, interpreted, and acted upon by
a receiving mail server that relies on determining the PRA from the address
specified in the "Mail From" command in the SMTP dialog. The "Mail From"
command is defined in RCF8281 along with other SMTP commands like EHLO,
"Rcpt To", Data, etc.


- SPF2 / RFC8222 / "PRA"

SPF2 records are intended to be read, interpreted, and acted upon by
a receiving mail server that relies on determining the PRA from the address
specified in one of the following SMTP commands: Sender, From,
Resent-Sender, and Resent-From. These header commands are defined in
RFC2822. These are the SMTP dialog commands that are entered after the
"Data" command, which is one of the RFC2821 commands. In some SenderId
discussions and documents the sender in these headers is also referred to
as the "PRA". But PRA can also be used in general terms to refer to the
supposed sender of the message.

You will notice that the format of SPF1 and SPF2 records is different to
make it more "interesting". Don't concern yourself with the format much as
long as you have chosen the right options in the wizard.

If a receiving mail server like Exchange 2003 SP2 finds an SPF2 record in
the DNS zone of the purported sending domain, it uses it for senderid
verification. If one does not exist, it looks for an SPF1 record and uses
that. If that does not exist either, it doesn't usually fail verification
but rather passes the fact that it could not find it on to the IMF and then
the IMF uses that info to assist in determining the SCL (Spam Confidence
Level) of the message.

In short, you don't really need any SPF records at all, but if you want to
reduce the likelihood that messages sent from your domain will wind up in
someone's junk mail folder, then I would BOTH types. It does not hurt to
have both as discussed above. The receiver will look for the version(s)
that it supports.

Keep in mind that one of the purposes of senderid is to protect your
customers and your reputation by reducing the chance that a malicious
entity will send email as your organization and then prompt innocent
victims for personal information or direct them to a malicious website.

One other note...the wizard at
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
seems broken right now. If you choose to create both kinds of records it
only creates an SPF1 record, whereas if you choose to create only SPF1/Mail
From/RFC2821 it creates both.

My advice to you...choose the option on that wizard to create the one for
RFC2821 (effectively creating both) then send those to your ISP or add them
to your own public DNS zone as TXT records.

Another note, the above wizard gives you A LOT of options. In a small
business server scenario I would keep it simple and choose to create
records for IPs for which you have MX records. That is, check the box
labeled "Domain's inbound servers may send mail". Because most likely in
SBS your outbound mail server is also your inbound mail server. But if you
choose the option in SBS to forward outbound through a smarthost, then you
might want to also choose the option to add your ISPs domain or outbound
mail server IP addresses since they will essentially sending mail on your
behalf.

I know this is a lot to digest. Let us know if you have any additional
questions about this.

Jim Martin - (MSFT)

Microsoft Corporation

 

Jim,

Thank you for the information. I have a backup mail service through my DNS
host, zoneedit.com, so there are technically two inbound mail servers,
correct? I assume that would mean that I would NOT check the box for
"Domain's inbound servers may send mail," since the backup one only holds
mail if mine is down.

My reason for the SPF is to prevent spoofing of my domain, and eventually,
my clients' domains.

The options I am using are:

"Domain Not Used for Sending E-Mail"
No mail is sent from domain = Unchecked


"Inbound Mail Servers Send Outbound Mail"
Domain's inbound servers may send mail = Checked
mail.mydomain.net = Checked
mx2.zoneedit.com = Unchecked


"Outbound Mail Server Addresses"
All addresses listed in A records may send mail = Unchecked
xxx.xxx.xxx.xxx = Checked
No additional IP addresses entered
No additional domains listed


"Reverse DNS Lookup"
All PTR records resolve to outbound email servers = Checked


"Outsourced Domains"
None


"Default"
No; this domain sends mail only from the IP addresses identified above. =
Checked


"Scope"
With all things the same above except for changing the choice in the Scope,
I get the following results.

Scope choice #1 "The Purported Responsible Address (PRA) derived from RFC
2822 message headers" results in this output:
spf2.0/pra mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all

Scope choice #2 "The MAIL FROM (or reverse-path) address derived from the
RFC 2821 protocol's MAIL command" results in this output:
v=spf1 mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all
and
spf2.0/pra ?all

Scope choice #3 for "Both" results in this output:
v=spf1 mx ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all


So if I choose Scope option 2 or 3, the SPF1 record comes out the same, but
if I choose Scope option 1, the SPF2 record is different than it is in Scope
option 2. Why?

Then if I change the "Inbound Mail Servers Send Outbound Mail" to be:
Domain's inbound servers may send mail = UNchecked

I get the following

Scope choice #1:
spf2.0/pra ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all

Scope choice #2:
v=spf1 ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all
spf2.0/pra ?all

Scope choice #3:
v=spf1 ptr ip4:xxx.xxx.xxx.xxx mx:mail.mydomain.net -all

It certainly creates a wide variety of records. One site that I found said
that all that is needed for a single mail server such as SBS is to have this
SPF:
v=spf1 ip4:xxx.xxx.xxx.xxx -all


In case you haven't guessed, I am still confused! Could it be as simple as
using "v=spf1 ip4:xxx.xxx.xxx.xxx -all"? Is there any benefit to having the
ptr and mx specified?

Thank you again!

Gregg Hill

 

Don't feel bad, Gregg. It can be a confusing topic.

The benefit of specifying MX and PTR is that your implementation is more
dynamic. If you just specify "v=spf1 ip4:xxx.xxx.xxx.xxx -all" then if
your public IP address ever changes you will have to change the SPF
record(s) manually whereas specifying MX says any server IP that has an MX
record in my DNS zone is a valid sending mail server. In small
implementations that isn't that big of a deal but for large organizations
it can save you a whole lot of adminstrative effort. If you only have the
one public IP and you have an MX record for that, then I would keep it
simple and only choose the MX option (forget about the explicit IP
address).

As far your backup mail server, if it is only used for inbound mail then
that won't play a role in the creation of your SPF records...it is only
outbound mail servers you are concerned about when it comes to creating
your SPF records. You only need to be concerned about your ISP's mail
servers if you are using them as a Smart Host to relay email to the
Internet. If that is the case, then contact them and they should be able
to tell you SPF record requirements for their outbound mail servers
(whether by domain, IP, etc.).

Also, I would create both SPF1 and SPF2 (Scope choice #2). You want to
give any receiving mail server as many chances as possible to verify that
you are who you say you are and that the bad guys aren't.

I don't see any options that you have chosen as potentially problematic.
Keep in mind that all of the options except for the first one ("Domain Not
Used for Sending E-Mail") are additive and don't tend to take away from the
verification options. So generally there isn't such a thing as too much in
this case except that it just makes it more complex to sort through what
you have created after the fact.

Here is what I would do: Run through the wizard and only choose the MX
option and scope choice 2. Make sure it creates spf1 in one window and
spf2 in a second. Add those to your zone. Wait for DNS to replicate to
other DNS servers on the Internet (generally 1-2 days). From your domain
send an email to 25.com . They will respond to you
with a report that analyzes your SPF record implentation.

Also, add the SenderId column to your inbox and/or junk mail folder in
Outlook running on a DIFFERENT domain that is running Exchange 2003 SP2
with SenderID verification enabled. Here is the link on how to do that.

http://msexchangeteam.com/archive/2005/10/13/412487.aspx

Once you have done that, send some test emails from the domain for which
you created the SPF records to the domain on which you configured Outlook
and enabled SenderId verification. The value in the SenderId column will
be one of the following:

1 = Neutral
2 = Pass
3 = Fail
4 = Soft Fail
5 = None
80000006 (-2147483654) = Temp_Error
80000007 (-2147483655) = Perm_Error

You want the test messages you sent to show a value of 2, meaning that the
receiving mail server was able to find the desired SPF records and use them
to confirm that the sender was authorized to send mail on behalf of that
domain.

One more note, BEFORE you turn on SenderID validation on Exchange, please
apply hotfixes 905214 and 918283.

By the way, you might want to search for "senderid" on the Exchanmge blog
site mentioned above to get more info on SenderId.

Good luck!

Jim Martin - (MSFT)

Microsoft Corporation

 

Jim,

I think I will just use the MX option as you suggested. One
question...should I use the mail server's name or just the domain name?

If I understand correctly, using

v=spf1 mx:mydomain.net -all

will mark all servers listed in MX records as being allowed to send, while
using

v=spf1 mx:mail.mydomain.net -all

will mark only my actual mail server as being allowed to send, and would not
include the mx2.zoneedit.com server.

Is that correct?

Gregg Hill

 

Jim,

I found this page http://www.kitterman.com/spf/validate.html that lets one
test an SPF record. It does not test version 2 yet.

I tested the following SPF records:

1) v=spf1 mx:mail.mydomain.net -all

2) v=spf1 mx -all

3) v=spf1 mx:mydomain.net -all

4) v=spf1 a:mail.mydomain.net -all

Only the last three returned a passing score, but I think that #2 and #3
would approve all MX record holders, even the mx2.zoneedit.com server.

So, in order to approve only my mail server and not the mx2.zoneedit.com
backup mail server, it looks as though my SPF should read

v=spf1 a:mail.mydomain.net -all

so that only a server matching the A record of mine will be valid.

Do you agree?

Gregg Hill