SPF record question

Discussion in 'DNS Server' started by Sharad Naik, Sep 13, 2004.

  1. In

    I wanted to double check this. I found that the IP4 entry just identifies
    the type of IP range after it. IP4 designates a CIDR address, IP4/cidr
    designates a CIDR subnet, and IP6 designates it as an IPv6 address. The
    first two links below are nice links explaining it.

    How to define an SPF record and its parameters:
    http://www.zytrax.com/books/dns/ch9/spf.html

    SPF Mechanism Syntax:
    http://spf.pobox.com/mechanisms.html

    http://archives.listbox.com//200406/0626.html

    AOL's take on SPF:
    http://postmaster.aol.com/spf/details.html


    Ace
     
    Ace Fekay [MVP], Sep 18, 2004
    #21

  2. In Kevin D. Goodknecht Sr. [MVP] <> made a post then I
    commented below

    <snip>

    Kevin, have you seen this link? It's pretty good...

    An Interview with the Lead Developer of SPF - Part I:
    http://www.circleid.com/article/634_0_1_0_C/
     
    Ace Fekay [MVP], Sep 18, 2004
    #22

  3. In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&>
    wrote their comments
    Then Kevin replied below:
    I think Sharad's question was whether he would be able to send and receive
    mail if he was connected through another ISP that has an IP address not in
    the range listed in his SPF record.
    This is the IP of mail hosts, not clients. I don't think it restricts the IP
    of the client. Some ISPs register a host record in DNS using your username
    when you connect. You could run an SMTP like the one built into IIS to send
    your mail through instead of sending through your ISP. This type of SMTP
    host does not require an MX record to send or receive mail as long as you
    use the host name in the email address like . Years
    back I ran an SMTP host like that and because my ISP registered a host
    record in their DNS for my username, as long as I used
    I could send and receive mail without relaying through their mail server.
    If SPF were in use back then, I would have been able to send and receive
    mail directly as long as I dialed in to my ISP because my host would have
    been in the IP4 range listed in the SPF. This didn't even require me to
    have a static IP because my hostname was dynamically registered in their
    DNS.



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ================================================
    --
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ================================================
    http://www.lonestaramerica.com/
    ================================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ================================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ================================================
     
    Kevin D. Goodknecht Sr. [MVP], Sep 18, 2004
    #23
  4. Sharad Naik

    Sharad Naik Guest

    I of course knew what you meant,
    And gave my example, for there would be many such cases.
    No need to say sorry Ace.
    Sharad
    "Ace Fekay [MVP]"
     
    Sharad Naik, Sep 18, 2004
    #24
  5. Sharad Naik

    Sharad Naik Guest

    Well, from the links given by Ace, you could use CIDR in a:domainname/CIDR
    too.
    The usefulness apart from what you mentioned in below post could be for people
    who run relay servers for load balancing. (The main smtp server is set to
    use conditional smart server, running only for relay purpose. And these
    relay servers would be anywhere in the subnet specified.)

    Sharad
     
    Sharad Naik, Sep 18, 2004
    #25
  6. In
    I don't think so either. That would be a server setting to allow relaying
    for a POP or IMAP client.
    That sounds like something I was playing around with when I was connected
    thru Earthlink years ago. :)

    Ace
     
    Ace Fekay [MVP], Sep 20, 2004
    #26
  7. In
    Thanks Sharad!
    :)
     
    Ace Fekay [MVP], Sep 20, 2004
    #27
  8. On Fri, 17 Sep 2004 00:00:12 +0530, "Sharad Naik"

    [...]
    If you do this often you may wish to look into getting authenticated
    SMTP set up on your server. You also don't know if the provider has
    an SMTP relay to which you can pipe mail through, or whether you have
    to make alternative arrangements.
    This wasn't really the idea of the SPF record.
    Which is why I only pay SPF lip service by creating a simple SPF
    record which fits our needs, but don't do SPF checking on the MTA.
    This is why SPF could be an issue for you. You are just adding
    subnets to the SPF record (see previous post I made on this topic),
    which will gradually reduce the usefulness of that record.

    Andrew.
     
    Andrew Hodgson, Sep 21, 2004
    #28
  9. No; the check is done on the envelope which is sent before any mail
    header gets sent to the server. Theoretically you could send mail
    with any From: line and Reply-To: line, so long as the return envelope
    passed the SPF check if the MTA checked for the SPF record.

    Andrew.
     
    Andrew Hodgson, Sep 21, 2004
    #29
  10. Personally after reading several articles on the recent state of SPF I
    am inclined to just delete my SPF records. That way, no MTA will have
    anything to go on.

    Andrew.
     
    Andrew Hodgson, Sep 21, 2004
    #30
  11. I think where the confusion is coming from is the term "SMTP
    client", this is the client/relay server pushing the message to
    another SMTP server. If say I was on ip address 1.2.3.4, and had an
    SPF record for domain.com, if that IP/subnet was in the record, I
    could send messages from that IP/subnet. So, if all users send mail
    through the same SMTP relay server, you only need to have entries in
    the SPF record relating to the IP details of that server.

    For example, I read/reply to mail from all over the place, however, my
    SPF record just says that my A record is allowed to send mail on
    behalf of hodgsonfamily.org, since this is the only mail I _ever_ send
    legitimate mail through.

    If you think of adding entries to the SPF record like punching holes
    through firewalls, you may perhaps think differently about including
    all those subnets.
    Then you only need add the IP details for these to the SPF records.
    No need to do that unless the machines connected to the IP addresses
    themselves connect directly to MX machines.

    Andrew.
     
    Andrew Hodgson, Sep 23, 2004
    #31
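    The points made across this thread fit together in one small evaluator: the ip4/ip4:cidr/ip6 mechanism syntax from the links in #21, the a:domainname/CIDR form mentioned in #25, the point in #29 that the envelope MAIL FROM (not the From: header) supplies the domain being checked, and the point in #31 that it is the address of the relaying server, never the end user's client, that the receiving MTA tests. The code below is an added example written for this page, not code from any poster or from the SPF project; the hostnames, addresses and the fake DNS table are constructed, the function names (`parse_spf`, `mechanism_matches`, `check_spf`) are this example's own, and only the ip4, ip6, a and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS A-record lookups so the example runs offline.
# Hostnames and addresses are invented for this illustration.
FAKE_DNS_A = {
    "example.com": ["203.0.113.5"],
    "mail.example.com": ["198.51.100.10"],
}


def lookup_a(hostname):
    """Return the A records of hostname from the constructed table."""
    return [ipaddress.ip_address(a) for a in FAKE_DNS_A.get(hostname, [])]


def parse_spf(txt):
    """Split a v=spf1 TXT string into (qualifier, mechanism, argument) terms.

    Handles the forms discussed in the thread: ip4:addr, ip4:net/cidr,
    ip6:net/cidr, a, a:host, a/cidr, a:host/cidr and the trailing 'all'.
    """
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                     # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if ":" in term:
            name, _, arg = term.partition(":")        # e.g. ip4:192.0.2.0/24
        else:
            name, slash, cidr = term.partition("/")   # e.g. a/24, all
            arg = "/" + cidr if slash else ""
        terms.append((qualifier, name.lower(), arg))
    return terms


def mechanism_matches(name, arg, client_ip, domain):
    """True if the connecting MTA's address matches one mechanism."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # a bare address parses as a /32 or /128 network
        net = ipaddress.ip_network(arg, strict=False)
        return client_ip.version == net.version and client_ip in net
    if name == "a":
        host, _, cidr = arg.partition("/")
        host = host or domain               # bare 'a' means the sender domain itself
        prefix = int(cidr) if cidr else client_ip.max_prefixlen
        for addr in lookup_a(host):
            if addr.version != client_ip.version:
                continue
            if client_ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False):
                return True
        return False
    raise ValueError(f"mechanism {name!r} is not implemented in this example")


RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, mail_from):
    """Evaluate record the way a receiving MTA would at MAIL FROM time.

    The domain comes from the SMTP envelope sender, not the From: header, and
    the address tested is that of the host actually connecting to the MX.
    """
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rpartition("@")[2].lower()
    for qualifier, name, arg in parse_spf(record):
        if mechanism_matches(name, arg, ip, domain):
            return RESULT[qualifier]
    return "neutral"                        # no mechanism matched


# Constructed record for example.com: a /24 of mail hosts, the /28 around
# mail.example.com's address, an IPv6 block, and everything else rejected.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 a:mail.example.com/28 ip6:2001:db8::/32 -all"


def demo():
    """Replay the thread's scenarios and return their SPF results."""
    return {
        # a mail server inside the listed /24
        "server_in_ip4_range": check_spf(EXAMPLE_RECORD, "192.0.2.77", "user@example.com"),
        # a relay host inside the /28 derived from mail.example.com's A record
        "relay_in_a_cidr": check_spf(EXAMPLE_RECORD, "198.51.100.7", "user@example.com"),
        # an IPv6 sending host inside the ip6 block
        "ipv6_host": check_spf(EXAMPLE_RECORD, "2001:db8:1::5", "user@example.com"),
        # a roaming/dial-up client connecting straight to the remote MX
        "roaming_client_direct": check_spf(EXAMPLE_RECORD, "100.64.0.9", "user@example.com"),
        # the same user relaying through a listed server: the remote MX only
        # ever sees the relay's address, so the client's own IP never matters
        "roaming_client_via_relay": check_spf(EXAMPLE_RECORD, "192.0.2.10", "user@example.com"),
        # a record with a bare 'a': the domain's own A record may send
        "bare_a": check_spf("v=spf1 a -all", "203.0.113.5", "user@example.com"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:26} -> {result}")
```

    Running it shows the roaming client failing when it connects directly and passing once it relays through a listed server, which is exactly why the thread concludes that only the relay servers' addresses belong in the record.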
  12. If the _client_ relays through a server which is included in the SPF
    record, then no.
    Yes, this is kind of like how Demon run things even today, except they
    control the MX for hostname.demon.co.uk and send it to their own
    machines.
    Assuming they just didn't permit their relay servers to send mail on
    behalf of your subdomain. Actually, in this instance, SPF would have
    been a nightmare, since you would have had to create SPF records for
    each subdomain.
    Long DNS caching could have been an issue, though.

    Andrew.
     
    Andrew Hodgson, Sep 23, 2004
    #32
  13. As you have discovered later we are talking about server IP addresses
    here not client IP addresses.
    Again, the client IP addresses are not the issue. Are they sending
    mail out through those three mail servers above, using authenticated
    relay or other permissions?
    Indeed. Again, read the above paragraph, if all those users are
    sending out mail through those two mail servers above, then those two
    are all that is needed in the SPF record. Since it will be the mail
    server that makes the eventual connection to the server that may do
    the SPF lookup, the remote MTA won't even know the IP of your users.

    Andrew.
     
    Andrew Hodgson, Sep 23, 2004
    #33
  14. In
    I can see if SPF was in existence years ago it would have caused issues. It
    was interesting back then, but more so now, obviously!

    :)

    Ace
     
    Ace Fekay [MVP], Sep 24, 2004
    #34
  15. Sharad Naik

    Sharad Naik Guest

    Yes, authenticated relay.
    Thanks Andrew, Earlier I had lots of confusion, but it is clear now.

    Sharad
     
    Sharad Naik, Sep 24, 2004
    #35
