James R. Marcus | 12 Feb 20:24 2010

More detail on subdomains

Yesterday I changed our SPF record completely from ~all to -all.  I started reading the common mistakes
section of the website and wasn't completely sure about this part:

"Publish null SPF records for your domains that don't send mail
Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first
thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain
sends no mail. As an example, you might publish:

example.com.       IN  TXT  "v=spf1 a:mail.example.com -all"
mail.example.com.  IN  TXT  "v=spf1 a -all"
www.example.com.   IN  TXT  "v=spf1 -all"
"

Is there a list of common subdomains I'm supposed to add TXT records for, or just simple ones I can think of?

I have shut down SMTP access to all but my two relay servers on the network. But if I don't want email to come from
username <at> www.edhance.com, do I just add this:
www.edhance.com IN TXT "v=spf1 -all"

thanks,
James

Gino Cerullo | 12 Feb 20:41 2010

Re: More detail on subdomains

On 12-Feb-10, at 2:24 PM, James R. Marcus wrote:

> Yesterday I changed our SPF record completely from ~all to -all.  I started reading the common mistakes
> section of the website and wasn't completely sure about this part
>
> "Publish null SPF records for your domains that don't send mail
> Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first
> thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain
> sends no mail. As an example, you might publish:
>
> example.com.       IN  TXT  "v=spf1 a:mail.example.com -all"
> mail.example.com.  IN  TXT  "v=spf1 a -all"
> www.example.com.   IN  TXT  "v=spf1 -all"
> "
>
> Is there a list of common subdomains I'm supposed to add TXT records for, or just simple ones I can think of?

No! What you want to do is create an SPF policy for any domain/host name that has an 'A' record only!

For example, if you don't have the host name 'ftp.edhance.com', then why create an SPF policy for it?
Just because 'ftp' is common doesn't mean you create a policy for it.

> I have shut down SMTP access to all but my two relay servers on the network. But if I don't want email
> to come from username <at> www.edhance.com, do I just add this:

alan | 12 Feb 21:09 2010

Re: More detail on subdomains

At 19:24 12/02/2010  Friday, James R. Marcus wrote:
> Yesterday I changed our SPF record completely from ~all to -all.  I started reading the common mistakes
> section of the website and wasn't completely sure about this part
>
> "Publish null SPF records for your domains that don't send mail
> Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first
> thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain
> sends no mail. As an example, you might publish:
>
> example.com.       IN  TXT  "v=spf1 a:mail.example.com -all"
> mail.example.com.  IN  TXT  "v=spf1 a -all"
> www.example.com.   IN  TXT  "v=spf1 -all"
> "
>
> Is there a list of common subdomains I'm supposed to add TXT records for, or just simple ones I can think of?

no, just any that already exist in your DNS records with an A or MX record [there is no point creating new ones]
{any domains without an A or MX record will already be rejected by most mail-receivers}

but i would point out from looking at your mail to the list that your server actually sends with the name
relay1.edhance.com (relay1.edhance.com [67.110.143.100

so you MUST have
relay1.edhance.com.  IN TXT "v=spf1 a -all"
or
relay1.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.100 -all"

if you want to be kinder to us all and save us the extra lookups

if you have a second machine sending as mail.edhance.com the above is fine IF not you can set

James R. Marcus | 12 Feb 21:38 2010

Re: More detail on subdomains

Okay,
I'll set an SPF record to tell the world not to accept email from <at> www.edhance.com with
www.edhance.com  IN TXT "v=spf1 -all", correct?
The part that I'm not quite clear on is the part with the relay hosts. The relay hosts relay1.edhance.com and
relay0.edhance.com don't have a TXT record, but they are in the edhance.com TXT record.  To be extra safe, should I
add a TXT record for each of the relays like this: relay1.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.100 -all" &
relay0.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.99 -all"?

Thanks,
James

On Feb 12, 2010, at 3:09 PM, alan wrote:

> At 19:24 12/02/2010  Friday, James R. Marcus wrote:
>> Yesterday I changed our SPF record completely from ~all to -all.  I started reading the common mistakes
>> section of the website and wasn't completely sure about this part
>>
>> "Publish null SPF records for your domains that don't send mail
>> Once you've protected your mail sending domains with SPF, if someone is trying to spoof you, then first
>> thing they will try is to spoof your non-mail sending domains. Publishing "v=spf1 -all" says that a domain
>> sends no mail. As an example, you might publish:
>>
>> example.com.       IN  TXT  "v=spf1 a:mail.example.com -all"
>> mail.example.com.  IN  TXT  "v=spf1 a -all"
>> www.example.com.   IN  TXT  "v=spf1 -all"
>> "
>>
>> Is there a list of common subdomains I'm supposed to add TXT records for, or just simple ones I can think of?
>
> no, just any that already exist in your DNS records with an A or MX record [there is no point creating new ones]
> {any domains without an A or MX record will already be rejected by most mail-receivers}
>
> but i would point out from looking at your mail to the list that your server actually sends with the name
> relay1.edhance.com (relay1.edhance.com [67.110.143.100
>
> so you MUST have
> relay1.edhance.com.  IN TXT "v=spf1 a -all"
> or
> relay1.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.100 -all"
>
> if you want to be kinder to us all and save us the extra lookups
>
> if you have a second machine sending as mail.edhance.com the above is fine IF not you can set
> mail.edhance.com to v=spf1 -all
>
>> I have shut down SMTP access to all but my two relay servers on the network. But if I don't want email
>> to come from username <at> www.edhance.com, do I just add this:
>> www.edhance.com IN TXT "v=spf1 -all"
>
> exactly {this doesn't stop mail coming from xxx <at> domain, it just enables receivers to tell it is
> obviously a forgery and reject it if it does, but also as spammers aren't so dumb it does tend to stop them trying}
>
>> thanks,
>> James

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

:: James R. Marcus | Director, IT Operations
:: Edhance | jmarcus <at> edhance.com
:: v: 617-475-5360 | m: 914-772-8533
:: web: www.edhance.com

alan | 12 Feb 22:40 2010

Re: More detail on subdomains

At 20:38 12/02/2010  Friday, James R. Marcus wrote:
> Okay,
> I'll set an SPF record to tell the world not to accept email from <at> www.edhance.com with
> www.edhance.com  IN TXT "v=spf1 -all", correct?

yup

> The part that I'm not quite clear on is the part with the relay hosts. The relay hosts relay1.edhance.com and
> relay0.edhance.com don't have a TXT record, but they are in the edhance.com TXT record.  To be extra safe, should I
> add a TXT record for each of the relays like this: relay1.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.100 -all" &
> relay0.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.99 -all"?

yes, as spf is used for 2 things:
to verify the sender-envelope ie user <at> edhance.com {the spf/txt record for edhance.com}
and spf is used to verify the HELO greeting from your servers {the spf/txt record for relay0.edhance.com
and relay1.edhance.com}

additionally as mail.edhance.com is used for neither it should not have "v=spf1 a -all" it should have
"v=spf1 -all" like www.edhance.com and any other existing dns record with an A not used as a sending
envelope or a helo greeting


alan | 12 Feb 23:22 2010

Re: More detail on subdomains

At 20:38 12/02/2010  Friday, James R. Marcus wrote:
> Okay,
> I'll set an SPF record to tell the world not to accept email from <at> www.edhance.com with
> www.edhance.com  IN TXT "v=spf1 -all", correct?
> The part that I'm not quite clear on is the part with the relay hosts. The relay hosts relay1.edhance.com and
> relay0.edhance.com don't have a TXT record, but they are in the edhance.com TXT record.  To be extra safe, should I
> add a TXT record for each of the relays like this: relay1.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.100 -all" &
> relay0.edhance.com.  IN TXT "v=spf1 ip4:67.110.143.99 -all"?
>
> Thanks,
> James

now from looking at your actual spf records {as now i see the bit quoted was for example.com not edhance.com}
edhance.com IN TXT v=spf1 mx ip4:67.110.143.99 ip4:64.68.200.53 ip4:74.203.49.89
ip4:67.110.143.100 ip4:174.143.247.222 -all
relay0.edhance.com

i see you need to remove the mx or at least move it to after the ip4 records
{ALWAYS,ALWAYS order correctly ip4{fastest 0 extra lookups} then A{1 lookup} then only if necessary mx{4
in your case}}
if you know your IPs, mx is never needed or useful {and in your case mx == ip4:67.110.143.99
ip4:67.110.143.100 ip4:64.68.200.53}

so i would rewrite your spf as follows given the available information
edhance.com IN TXT v=spf1 ip4:67.110.143.99 ip4:67.110.143.100 ip4:74.203.49.89
ip4:174.143.247.222 ip4:64.68.200.53 a:smtp2.easydns.com  -all

i included the ip4 and a for smtp2 so while it lives at that ip it works fastest by matching ip4 but also if they
move it, it continues to work by a:

also in your ip list i see 67.110.143.99 relay0 & 67.110.143.100 relay1
but who/what are the other 3: 64.68.200.53 [smtp2.easydns.com from your mx records], 74.203.49.89 and
74.143.247.222? what names might they use to helo greet? and do you actually send mail out via those
servers? as inbound MXs are not often outbound relays

we can always test by sending me a mail via each to see?

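The two checks alan describes (the HELO name and the envelope domain) and his lookup-cost argument for putting ip4 before mx, as an added example that is not code from the thread: a toy SPF evaluator over a constructed in-memory DNS table. The edhance.com record and alan's rewrite are the ones quoted above; the MX and A answers, the relay0 TXT record and the spoofed address 203.0.113.5 are assumptions.

```python
import ipaddress

# Constructed zone data mirroring the thread. The MX/A answers and the relay0 TXT
# record are assumptions, chosen to match alan's remark that mx == relay0, relay1, smtp2.
DNS = {
    ("edhance.com", "TXT"): ["v=spf1 mx ip4:67.110.143.99 ip4:64.68.200.53 "
                             "ip4:74.203.49.89 ip4:67.110.143.100 ip4:174.143.247.222 -all"],
    ("edhance.com", "MX"): ["relay0.edhance.com", "relay1.edhance.com", "smtp2.easydns.com"],
    ("relay0.edhance.com", "A"): ["67.110.143.99"],
    ("relay1.edhance.com", "A"): ["67.110.143.100"],
    ("smtp2.easydns.com", "A"): ["64.68.200.53"],
    ("relay0.edhance.com", "TXT"): ["v=spf1 ip4:67.110.143.99 -all"],   # HELO identity
    ("relay1.edhance.com", "TXT"): ["v=spf1 ip4:67.110.143.100 -all"],  # HELO identity
    ("www.edhance.com", "TXT"): ["v=spf1 -all"],                         # null record
}
ORIGINAL = DNS[("edhance.com", "TXT")][0]          # mx first, as published
REWRITE = ("v=spf1 ip4:67.110.143.99 ip4:67.110.143.100 ip4:74.203.49.89 "
           "ip4:174.143.247.222 ip4:64.68.200.53 a:smtp2.easydns.com -all")  # alan's order
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, record=None):
    """Evaluate `ip` against `domain`'s SPF record (or an explicit record string).
    Returns (result, extra_lookups); the count covers the DNS queries the
    mechanisms cost, not the initial TXT fetch."""
    if record is None:
        txt = [t for t in DNS.get((domain, "TXT"), []) if t.startswith("v=spf1")]
        if not txt:
            return "none", 0                    # nothing published for this name
        record = txt[0]
    addr = ipaddress.ip_address(ip)
    lookups = 0
    for term in record.split()[1:]:             # mechanisms, evaluated left to right
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.lower().partition(":")
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "ip4":                     # pure address compare, no DNS traffic
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                       # one A query
            lookups += 1
            matched = str(addr) in DNS.get((target, "A"), [])
        elif name == "mx":                      # one MX query plus an A query per host tried
            lookups += 1
            matched = False
            for host in DNS.get((target, "MX"), []):
                lookups += 1
                if str(addr) in DNS.get((host, "A"), []):
                    matched = True
                    break
        else:
            return "permerror", lookups         # mechanism this toy does not implement
        if matched:
            return RESULTS[qual], lookups
    return "neutral", lookups                   # fell off the end of the record

def check_session(ip, helo, mail_from_domain):
    """Both identities a receiver checks: the HELO name, then the envelope domain."""
    return {"helo": check_host(ip, helo), "mailfrom": check_host(ip, mail_from_domain)}
```

Run against relay1's address the published record needs three lookups before it passes while the rewrite needs none, and a spoofed address costs a receiver four lookups under the published order but one under alan's.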

Benny Pedersen | 22 Feb 18:25 2010

Re: Automatic out-of-office reply: Welcome to spf-discuss

On Sun 21 Feb 2010 09:35:03 PM CET, Auestad Inger wrote

> Sentralarkivet (the central archive) can be contacted by phone on 22 24 60 01.

when you get back from vacation please fix the auto-responder to not
reply to mailing lists :)

i definitely do NOT want my friends to know where i am, when i sleep !

-- 
xpoint