Announcement

Collapse
No announcement yet.

SPF (Sender Policy Framework)

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • SPF (Sender Policy Framework)

    Hey everyone

    I'm interested in putting some kind of SPF entry into my domain's DNS zones. Yes, I know that all these open source dudes are saying its evil because of Microsoft patent's, but that doesn't really worry me.

    I'm playing around with the SPF wizard thing (http://spf.pobox.com/).

    I *think* I understand what it's getting at - but I thought I should check. I'll write my responses for each question:

    consoleradar.com's IP address is 69.93.179.226 (uranus.dnswild.com). Does that server send mail from consoleradar.com?
    Yes or No

    Yep, that's cool - I use the Myacen mail server at that IP address.

    This wizard found 2 names for consoleradar.com's MX servers. MX servers receive mail for consoleradar.com. Do they also send mail from consoleradar.com?
    Yes or No

    Yep, the Myacen mail server sends + receives my email

    Do you want to just approve any host whose name ends in consoleradar.com?
    Yes or No

    This is something I'm confused about... I've only got a few email address, like three or something (eg. [email protected]), so I want to approve them, but I don't want to approve everything else (eg. [email protected]) - Is this what this section is for, or am I miss-reading the question? I can't see anywhere where I can type in "all valid email addresses" or anything...

    Do any other servers send mail from consoleradar.com?
    <blank>

    Nope, I only send email via the Myacen mail server

    You can describe them by giving "arguments" to the a:, mx:, ip4:, and ptr: mechanisms. To keep the wizard short we left out ptr: but it works the same way.
    <blank>

    I don't have any real idea what they are talking about, so I'll leave it alone...

    IP networks can be entered using CIDR notation, eg. 192.0.2.0/24
    <blank>

    Still no real idea what they are talking about...

    Could mail from consoleradar.com originate through servers belonging to some other domain? If you send mail through your ISP's servers, name the ISP here.
    <blank>

    Nope, all email is sent via the Myacen mail server

    Do the above lines describe all the hosts that send mail from consoleradar.com?
    Yes or No

    I guess so...

    consoleradar.com. IN TEXT
    "v=spf1 a mx -all"

    So I guess the main thing I'm confused with is this ptr thing ("approve any host whose name ends in consoleradar.com")

    Any ideas?

    Thanks

  • #2
    I just set this up for my domains tonight, thanks for the link! (Next step is to patch qmail :|)

    Originally posted by DWZ
    Hey everyone

    I'm interested in putting some kind of SPF entry into my domain's DNS zones. Yes, I know that all these open source dudes are saying its evil because of Microsoft patent's, but that doesn't really worry me.

    I'm playing around with the SPF wizard thing (http://spf.pobox.com/).

    I *think* I understand what it's getting at - but I thought I should check. I'll write my responses for each question:

    consoleradar.com's IP address is 69.93.179.226 (uranus.dnswild.com). Does that server send mail from consoleradar.com?
    Yes or No

    Yep, that's cool - I use the Myacen mail server at that IP address.

    This wizard found 2 names for consoleradar.com's MX servers. MX servers receive mail for consoleradar.com. Do they also send mail from consoleradar.com?
    Yes or No

    Yep, the Myacen mail server sends + receives my email

    Do you want to just approve any host whose name ends in consoleradar.com?
    Yes or No

    This is something I'm confused about... I've only got a few email address, like three or something (eg. [email protected]), so I want to approve them, but I don't want to approve everything else (eg. [email protected]) - Is this what this section is for, or am I miss-reading the question? I can't see anywhere where I can type in "all valid email addresses" or anything...
    It would be a good idea to tick yes, i dont specifically see a reason to limit this. While I also dont see how SPF can know what accounts are real. Maybe they are talking about [email protected]subdomain.consoleradar.com.

    Originally posted by DWZ
    Do any other servers send mail from consoleradar.com?
    <blank>

    Nope, I only send email via the Myacen mail server

    You can describe them by giving "arguments" to the a:, mx:, ip4:, and ptr: mechanisms. To keep the wizard short we left out ptr: but it works the same way.
    <blank>

    I don't have any real idea what they are talking about, so I'll leave it alone...

    IP networks can be entered using CIDR notation, eg. 192.0.2.0/24
    <blank>

    Still no real idea what they are talking about...
    This stuff is saying "What other servers could possible send mail from your domain. If you dont have any (some domains have many mail servers that send mail from the same domains) then blank is good.

    Originally posted by DWZ
    Could mail from consoleradar.com originate through servers belonging to some other domain? If you send mail through your ISP's servers, name the ISP here.
    <blank>

    Nope, all email is sent via the Myacen mail server

    Do the above lines describe all the hosts that send mail from consoleradar.com?
    Yes or No

    I guess so...
    Yep, Yes should be the right answer. If you choose no, mail from another non listed server would recieve a "soft fail" which means it would still be delivered but have a higher score for a spam filter. So it doesnt really apply

    Originally posted by DWZ
    So I guess the main thing I'm confused with is this ptr thing ("approve any host whose name ends in consoleradar.com")

    Any ideas?

    Thanks
    Push the explain button, it might describe it a bit more for you , I would suggest you choose Yes.

    Comment


    • #3
      Just found a different wizard that might be of use for you.

      http://www.anti-spamtools.org/Sender...l/Default.aspx

      Comment


      • #4
        Thanks for that

        I think "v=spf1 a mx -all" is my best choice. I've put it into WHM in Zone editor and it appears to have updated...

        No idea if it works or not :S

        Anyone know of a SPF checker? I don't want to find out tomorrow that all of my outgoing email does not work :\

        Comment


        • #5
          You will find very few people use SPF at the moment, so you wouldnt notice a huge drop, anyway

          some testers:
          http://www.dnsstuff.com/pages/spf.htm
          http://spftools.infinitepenguins.net/check.php information about how to fill the form out is below it.
          and finally, http://spf.pobox.com/why.html

          Comment


          • #6
            heh, very true

            Well, I just tried those sites, they appeared to all show I have a problem :S

            http://www.dnsstuff.com/tools/spf.ch...=69.93.179.226

            http://spf.pobox.com/why.html?sender...used=1&debug=0

            I can't figure out what the problem is

            Comment


            • #7
              Someones going to have to explain how SPF can even reduce spam to me, all I can't see it doing is end phishing and some types of virus emails (sent from people in the address bok as opposed to the computer owner). The spammers will be the first people to buy up a new domain and send spam from it after registering their SPF.

              I see the usefulness, but don't see how this will affect spam at all, people will have to stop sending their spam from hotmail addresses though
              Christopher Padfield
              Web Based Helpdesk
              DeskPRO v3.0.3 Released - Download Demo Now!

              Comment


              • #8
                I'm interested in putting some kind of SPF entry into my domain's DNS zones. Yes, I know that all these open source dudes are saying its evil because of Microsoft patent's, but that doesn't really worry me.
                Actually, the "evil" one is 'Sender-Id' which is SPF-compatible and made by Microsoft. SPF itself isn't tainted by Msft patents.(as far as I am aware)
                Last edited by cirisme; Thu 30th Sep '04, 9:59am.
                TheologyWeb. We debate theology. srsly.

                Comment


                • #9
                  Originally posted by chrispadfield
                  Someones going to have to explain how SPF can even reduce spam to me, all I can't see it doing is end phishing and some types of virus emails (sent from people in the address bok as opposed to the computer owner). The spammers will be the first people to buy up a new domain and send spam from it after registering their SPF.

                  I see the usefulness, but don't see how this will affect spam at all, people will have to stop sending their spam from hotmail addresses though
                  It will help stop spam because SPF-aware filters will reject forged mail from Hotmail.com, for example.(that is, mail that says it is from Hotmail.com but wasn't handled by Hotmail's mail servers, which means the mail is lying)

                  About this:

                  The spammers will be the first people to buy up a new domain and send spam from it after registering their SPF.
                  You're 100% correct. But, that's the point. Once they start spamming using domains they own, they can be blacklisted much easier without fear of blocking legitimate mail.

                  SPF is great because all the forged mail from gmail.com can be blocked because whatever server sent it isn't authorised to send mail for gmail.com so it is illegitimate. But it is also great because as spammers are forced to stop leaching off other systems, they have to get their own domains with SPF which makes it easier to blacklist.

                  SPF definately will be the most effective in conjunction with a blacklist and won't stop all the spam but it will be a tremendous improvement. MHO of course
                  TheologyWeb. We debate theology. srsly.

                  Comment


                  • #10
                    Originally posted by merk
                    You will find very few people use SPF at the moment, so you wouldnt notice a huge drop, anyway

                    some testers:
                    http://www.dnsstuff.com/pages/spf.htm
                    http://spftools.infinitepenguins.net/check.php information about how to fill the form out is below it.
                    and finally, http://spf.pobox.com/why.html
                    Hey thanks... I set up SPF a couple weeks ago and wanted to know if I set it up correctly.
                    TheologyWeb. We debate theology. srsly.

                    Comment


                    • #11
                      Originally posted by DWZ
                      Hey everyone

                      I'm interested in putting some kind of SPF entry into my domain's DNS zones. Yes, I know that all these open source dudes are saying its evil because of Microsoft patent's, but that doesn't really worry me.
                      any ideas? Dont use it.

                      There is an ongoing discussion with several sysadmins (many from well known ISP's) in the newsgroup news.admin.net-abuse.email ( you can search via google using the keywords SPF or Sender Policy Framework or the url you just posted )

                      Basically, its a bad idea. It'll create more problems. SPAMMERS are already using it so the whole thing about stopping / reducing spam is pointless, its currently being used by others, and its not working the way they expect it to.

                      http://www.google.com/groups?as_q=sp...mail&lr=&hl=en
                      http://www.google.com/groups?as_q=sp...mail&lr=&hl=en
                      There are only 10 types of people in the world: Those who understand binary, and those who don't

                      Comment


                      • #12
                        I've set up my SPF entry several weeks ago.

                        The area I likely differ with the majority is that I actually use it to filter incoming mail. If you're sending mail to me from a domain that has a "-all" in its SPF record from an unauthorized sender it will reject your mail even before you get to the DATA.

                        The beauty of the system certainly isn't reduced spam, but reduce of forged email. Anyone who thinks SPF's purpose is spam reduction isn't really in the right business. Reduce of forge mail does however lead to easier filtering on behalf of spam filtering (imagine that if every domain has SPF and all incoming mail servers use SPF - now your spam blocker can work not with an IP based blocklist but a domain one).

                        Comment


                        • #13
                          Originally posted by WizyWyg
                          any ideas? Dont use it.

                          There is an ongoing discussion with several sysadmins (many from well known ISP's) in the newsgroup news.admin.net-abuse.email ( you can search via google using the keywords SPF or Sender Policy Framework or the url you just posted )

                          Basically, its a bad idea. It'll create more problems. SPAMMERS are already using it so the whole thing about stopping / reducing spam is pointless, its currently being used by others, and its not working the way they expect it to.

                          http://www.google.com/groups?as_q=sp...mail&lr=&hl=en
                          http://www.google.com/groups?as_q=sp...mail&lr=&hl=en
                          So, why is it a bad idea? All I found in those google links is that it's not marketed based on it's primary merit - stopping forgery. If you think SPF is about stopping mail you're completely wrong (although it is likely to reduce it as there is a good deal of spam with forged headers).

                          What problems does it create? If you don't want to use it, you're not forced to. And it's a nice courtesy to declare who can send mail with your domain (thus even protecting yourself against forgery), perhaps even with a ?all, to simply put help out others who do like the concept.

                          Reducing spam once again isn't it's merit (although once again, it will give some results as a good deal of spam is indeed forged).

                          I do agree that some people are seeing as something that doesn't work as they expect it to. But that isn't a flaw with the system, but more their lack of reading into the system, and slightly indirect marketing of it (which is understandable since nearly all have experienced spam, but few have been a victum of forgery).

                          Comment


                          • #14
                            All the people to bash SPF in this thread dont seem to understand what SPF is designed to do.

                            As okrogius pointed out, it is not a solution to stop all spam email. It is a solution to stop people sending email from places that they shouldnt be.

                            Sick of getting all the hotmail junk? Why not use a SPF aware MTA and spam filter, then when the MTA gets an email "from hotmail" it will check the records in hotmails dns entries to make sure it is legitimate, or not.

                            Its a damn awsome idea. Stop *****ing because of a damn patent.

                            Comment

                            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                            Working...
                            X