SPF record question

Discussion in 'DNS Server' started by Sharad Naik, Sep 13, 2004.

  1. Sharad Naik

    Sharad Naik Guest

    OK, I got my own public DNS server up and have set SPF record. (domain
    names are pfeiffer-vacuum.co.in and pvin.net)

    I want some information / guidance from SPF gurus.

    My mail server sends mail for domains pfeiffer-vacuum.co.in and pvin.net
    (there are also some other domains.)

    However, our main e-mail traffic is from an e-mail address which is on one
    of the biggest ISPs in my country, vsnl.net

    So 90% of us send mail through my mail server, using from address
    ''. (there are total 4-5 different usernames @vsnl.net.

    I tried in SPF record include:vsnl.net
    however the tests shows that if from address is , the SPF
    checking gives test failed.

    Is there any field in SPF record by which one can define that their mail
    server which is for x domain can also send mails using from address of y
    domain?

    Sharad
     
    Sharad Naik, Sep 13, 2004
    #1

  2. In
    You have no control over this, for your mail server to send mail for any
    address @vsnl.net you would have to have the DNS admin for vsnl.net add your
    mail server or your mail server's IP to vsnl.net SPF TXT record. If you are
    going to send mail from then you will need to use the vsnl.net
    SMTP server, or take the chance of having it rejected as a spoofed email
    address.



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ================================================
    --
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ================================================
    http://www.lonestaramerica.com/
    ================================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ================================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ================================================
     
    Kevin D. Goodknecht Sr. [MVP], Sep 13, 2004
    #2

  3. Sharad Naik

    Sharad Naik Guest

    Thanks for reply Kevin.
    I did fear so.
    vsnl.net is having clients in range of 100s of thousands, and they won't
    entertain my request.
    So I will have to stop using vsnl.net address.
    Only if there was a way to specify particular allowed from addresses though,
    (instead of domains)!!
    Well, anyhow, nothing can be done and let us hope the SPF business really
    makes the world spam free.

    Sharad
     
    Sharad Naik, Sep 13, 2004
    #3
  4. Sharad Naik

    Sharad Naik Guest

    Kevin, another question, if you know:
    If in the mail clients I set : From: and Reply
    to: then what will happen?

    Unfortunately from the SPF checking sites those I could find, there is no
    option to check as above.

    Sharad
     
    Sharad Naik, Sep 13, 2004
    #4
  5. In
    would be in the from line, but when someone
    replies it will go to it wouldn't be seen as a spoofed
    address.





    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 13, 2004
    #5
  6. Sharad Naik

    Sharad Naik Guest

    Thanks Kevin,
    I think this is at least a temporary solution for me.

    Sharad
     
    Sharad Naik, Sep 14, 2004
    #6
  7. No; vsnl.net does not have any SPF records, so anyone can send email
    from any server with a return envelope of <>. This may
    or may not change in the future, depending on how the admins etc feel
    about SPF records at the moment.

    Andrew.
     
    Andrew Hodgson, Sep 14, 2004
    #7
  8. On Mon, 13 Sep 2004 21:03:20 +0530, "Sharad Naik"

    [please see my reply I posted further on in the thread].
    The record you put on pvin.net (there didn't appear to be any SPF
    records for your other domain) is quite long, when defining these you
    really need to look at which mail servers are allowed to send mails,
    you have included other domain MX records in that record, do you know
    the way their mail systems work for example?
    This is due to vsnl.net not having an SPF record, and the fact you
    don't fully understand the ``include'' clause in the SPF record. Say
    if you wanted the machines listed in the MX record for vsnl.net (which
    may or may not be configured to relay mail) to be allowed to send mail
    from pvin.net, then you need to include the vsnl.net domain in the
    include clause for pvin.net, not the other way round, as you have
    stated here.
    No, this is the whole point of SPF records.

    Andrew.
     
    Andrew Hodgson, Sep 14, 2004
    #8
  9. In
    Unfortunate since it would lead to spoofing vsnl.net's name.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Sep 15, 2004
    #9
  10. Sharad Naik

    Sharad Naik Guest

    Do you mean that the SPF check is done on the domain in 'Reply to:' address
    also?

    Sharad
     
    Sharad Naik, Sep 15, 2004
    #10
  11. Sharad Naik

    Sharad Naik Guest

    Hello Andrew,
    The spf record for the other domain is also there,
    since I was still configuring these, when you did look up you might not have
    got it.

    My situation is like this:

    3 domains are in my control, and there are 2 mail servers running.

    Domains: pfeiffer-vacuum.co.in, schmalz.co.in and pvin.net

    1. Location A: Mail server running on IP 202.71.158.60 PTR resolving to
    pfeiffer-vacuum.co.in
    This server will receive mails for all 3 domain, and will send mails
    from all 3 domains.
    2. Location B: Another mail server running on IP 194.209.139.160, PTR
    resolving to 'unaxis.com' which only sends mails (does not receive
    mails) for all 3 domains.

    Additionally mail server pfeiffer-vacuum.de can send mail for

    Therefore in the SPF record I had used switch a: for all the 3 domains +
    unaxis.com + pfeiffer-vacuum.de
    I had added unaxis.com in switch a: because of confusion and removed it
    now.

    The clients connecting to mail server at Location A can connect from static
    IP addresses
    202.71.158.56/29 & 192.209.139.0/24
    Additionally we have more than 50% roaming users, who will connect to mail
    server at Location A using dial up accounts with dynamic IP, from two ISPs,
    and the dynamically assigned IP to them can be from 220.224.0.0 to
    220.227.255.255 from 1 ISP, and 219.64.0.0 to 219.65.255.255 from the other
    ISP. Therefore my IP4: switch has become too long.
    I don't know how else or if there is any other way to make the SPF record
    shorter.

    Regarding include: switch , yes I had misunderstood it, and removed
    vsnl.net from it.

    Sharad



     
    Sharad Naik, Sep 15, 2004
    #11
  12. In
    No. The reply-to address is only to the benefit of the receiver. You can set
    the reply-to to be different if you are trying to control what address the
    recipient will reply to you to. A good example is if hosting multiple domains
    and you can receive mail on multiple addresses, but you want the recipient
    to only reply to a specific address. Another example is if you are migrating
    domains and want to receive on both, but yet to set the new domain as the
    reply-to address.

    Ace
     
    Ace Fekay [MVP], Sep 15, 2004
    #12
  13. In
    Very true, hence why he has been able to do this for all this time.
     
    Ace Fekay [MVP], Sep 16, 2004
    #13
  14. Sharad Naik

    Sharad Naik Guest

    And this isn't spoofing.

    In my company we want all correspondence, new / or replies, to land on
    single account. Filters then decide to which group / department it should be
    distributed to, and
    if filter is unable to find a match, it gets distributed to everyone. And
    since I do not have a backup mail server as of now, I want that single
    account with a good ISP,
    hence it is with vsnl.net. We have more roaming clients, they check / send
    mail on their laptop connecting to internet through cell phone / land
    lines, wireless LAN,
    whatever possible way. Webmail is not a right solution for us, roaming
    clients can not keep connected to internet all the time and they need to
    read mails / attachments offline,
    or refer back to some received mails / attachments, offline time to time.
    I don't remember a single unsolicited mail sent by our company since past 8
    years (when it started.) Only bulk messages we have sent
    are informing change of e-mail address / tel nos. and Diwali and Christmas
    greetings, which again are not unsolicited.

    So what's wrong if I have been able to do this for all this time and want
    to continue to do it?

    As for stopping the spam coming to us, SpamAssassin is helping us a lot, not
    more than a couple of spam
    messages a day compared to about 200 + before. I would be happy without my
    mail server doing SPF check
    on incoming messages.

    Whatever I learnt in the past week about SPF, I am more inclined to say that
    it will hardly help in reducing spam
    and will make one miss solicited mails.

    Sharad

    "Ace Fekay [MVP]"
     
    Sharad Naik, Sep 16, 2004
    #14
  15. In
    You are probably correct, it does mean that spam _will_ have to come from a
    mail server that is valid to receive mail for the mail domain if SPF is
    enforced by the accepting SMTP server. It does not mean that the user mail
    box is valid.
    There is no one answer to reduce spam, it is going to take a concerted
    effort by mail server administrators to not only enforce SPF, they should
    shut down open relay mail servers and verify legitimate senders of bulk
    email.
    The biggest problem is that much of the bulk unsolicited email originates
    from outside your national borders where spammers are not restricted.
    Not really, I would expect anyone sending mail to me to use a valid email
    address from a mail server authorized to send mail for the email address.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 16, 2004
    #15
  16. Sharad Naik

    Sharad Naik Guest

    Please see in between the lines:
    True. And for sincere spammers SPF implementation will not bother much.
    OK. Just as an example, next week I will be in Switzerland and the hotel I
    booked
    confirm that I will have a wireless LAN access to internet.
    I tried to get their range of IP addresses but in vain. (They could not
    understand
    my questions, and they simply don't know what is an IP address.)
    So from my laptop I can send mail using my smtp server but though I myself
    am responsible for managing my spf record, I simply don't know which subnet
    to add in the spf record for myself to enable to send mail.

    So isn't it like people whom I will try to send mail, will miss my mails,
    if they have
    adopted spf checking in their mail systems?

    Of course once I am there I will find out their subnet and include it in my
    spf when I am
    back. But what about when next time I visit France, Germany, SA?
    Or even if I visit Swiss in the same hotel and they have changed their ISP?

    Sharad
     
    Sharad Naik, Sep 16, 2004
    #16
  17. In
    So you're saying that your laptop has an SMTP server?
    If not then you are OK because you send mail to your mail server, which in
    turn sends the email. Most SMTP servers will allow you to send mail from
    anywhere as long as you can Authenticate to it. The IP address restriction
    is not for client IP addresses, only mail host IP addresses.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 17, 2004
    #17
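
    The points made in posts #8 and #17, as an added example that is not part of the original thread: SPF is evaluated against the IP of the delivering mail host and the domain of the envelope sender, and `include:` delegates to another domain's own record. The TXT records and the local-parts below are constructed for illustration; only `ip4:`, `include:` and `all` are handled, with `include:` following the RFC 7208 rule.

```python
import ipaddress

# Constructed TXT data, not the real published records. The two ip4 values are
# the mail-server addresses quoted in post #11; vsnl.net has no record (post #7).
SPF_TXT = {
    "pvin.net": "v=spf1 ip4:202.71.158.60 ip4:194.209.139.160 -all",
    "pfeiffer-vacuum.co.in": "v=spf1 include:pvin.net -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=SPF_TXT, depth=0):
    """Simplified SPF evaluation: only ip4:, include: and all are handled."""
    record = records.get(domain)
    if record is None:
        return "none"                       # domain publishes no SPF policy
    if depth > 10:
        return "permerror"                  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include: asks "would the other domain's record pass this IP?"
            inner = check_host(ip, mech[8:], records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"          # RFC 7208: included domain has no usable record
            matched = inner == "pass"
        else:
            return "permerror"              # mechanism not handled here
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"

def spf_for_message(connecting_ip, envelope_from, records=SPF_TXT):
    """The receiver checks the delivering host's IP against the MAIL FROM domain."""
    return check_host(connecting_ip, envelope_from.rsplit("@", 1)[1], records)
```
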
  18. Sharad Naik

    Sharad Naik Guest

    I had completely misunderstood the 'ip4:' part, thought it was for the
    client IP addresses.
    No, I don't intend to run SMTP server on the laptop.
    All roaming clients use only one of the two smtp servers.
    I had unnecessarily included, possible client IP addresses subnets in the
    spf record in ip4: switch.

    Thanks Kevin and yes now I agree it will not make one miss legitimate mail
    as long
    as sent through proper from address and mail server.

    Sharad
     
    Sharad Naik, Sep 17, 2004
    #18
  19. In
    The reason for the IP4 part is some ISPs, I think AOL included, allow host
    names like user.aol.com which would allow you to set up an email address at
    .



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 17, 2004
    #19
  20. In

    I'm sorry for the misunderstanding. I didn't say you were spoofing. I was
    just saying the company allowing this can lead themselves for others to
    spoof their domain.

    Ace
     
    Ace Fekay [MVP], Sep 18, 2004
    #20