SPF Record: How To?
Question asked by Michael Barber - November 10, 2014 at 9:57 AM
I administer my own DNS here and have done it since Bind 4.9.   I've read a number of articles on SPF records but I simply do not understand it.  I see examples but the TXT line looks like jibberish to me.  I guess the problem is I'm not understanding exactly how this SPF record or what is contained in the TXT line actually does anything to STOP spam and therefore I'm not following WHAT exactly my spf record should be from the example. Or, do I just take the example verbatium??
Suppose I have a mail server that answers at mail.myserver.com and there is an "A" record for mail.myserver.com.  And there is an MX preference for mail.myserver.com.
What should be my spf record?
What else beside the MX and A record do I need besides the TXT spf record?
I would appreciate figuring this out because I want to clamp down on spam.

2 Replies

Reply to Thread
There are two issues...  first the SPF record itself.  IF you SEND all mail for yourdomain.com thru your mail server mail.yourdomain.com then your SPF record can be as simple as (assuming you use BIND): IN TXT "v=spf1 mx"  All that SPF record says is that all mail from yourdomain.com is sent thru a server listed as an MX server in yourdomain.com.
As far as clamping down on spam... if you mean incoming spam then the above will do nothing to help that.  It will help recipients that receive mail from yourdomain.com validate that the message is not spoofed.
SPF alone does very little these days. It becomes more powerful when combined with DKIM.  If you're sending out messages that pass both SPF and DKIM most all servers will accept your messages for further spam filtering.  
Good luck,
I would be very careful about ignoring SPF, or not properly formatting an SPF record.

An excellent SPF checker is available at: 
An excellent SPF configuration tool is available at: https://unlocktheinbox.com/spfwizard/
Per YAHOO!'s Postmaster Page:  Use rDNS, SPF, 2048 BIT DOMANKEYS, DKIM, and DMARC on ALL OUTGOING MESSAGES.  The first five are now REQUIRED by COMCAST and YAHOO!  DMARC is optional, but strongly suggested. [http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/]
The 2048 bit DomainKeys and DKIM are based on recommendations which came down from US-CERT in January of 2013 and are now being enforced, as of 1 December, 2014, by Google:  Here's my document which provides the basis for that:
and here's the official Google announcement pertaining to their abandonment of 1024 bit certs, also in November, 2013: http://dottech.org/135967/google-rolls-out-stronger-encryption-aims-to-make-https-and-ssl-harder-to-crack/
One of my more popular documents, Why Am I Having Problems Getting My E-Mail Delivered,: is located at: https://portal.chicagonettech.com/kb/a116/why-am-i-having-problems-getting-my-e-mail-delivered.aspx.  The document is based on the recommendations of YAHOO!, COMCAST, AOL, MSN and several other large providers.

Microsoft is the only straggler, but will stop all support for SSL v3.0 on 1 December, 2013.  

Microsoft will push updates out to all currently supported operating systems which will shut SSL v3.0 down and, unless you have enabled TLS 1.0, and TLS 1.0, 1.1, and 1.2 in Windows Server 2003, Server 2008 - made available by Service Pack 2, but not enabled, and Server 2012, your TLS the lack of SSL and TLS will leave you high and dry. See:
 http://support.microsoft.com/kb/2661254.  Microsoft will officially end support for 1024 bit certs in April of 2016, but, considering the recent rash of hacked networks and secure servers, I would not be surprised if that date is moved up to a much sooner date.  
Finally, after making your configurations you will want to send a test message, simultaneously, to the following two e-mail addresses to check your server's ports, security, and e-mail deliverability:
While all of this may be confusing, it is important that we properly configure our MX servers, whether SmarterMail, or from another vendor, so they are setup in such a way that our customers will have as few delivery problems as possible.
With the theft of almost 60 millions Home Depot e-mail addresses, we're seeing an abnormally high incidence of spam and phishing e-mail.  With the use of SPF, SSL, DomainKeys, DKIM and DMARK, you will be able to lock down your SmarterMail server as tight as possible and not only protect your reputation as an e-mail provider, but also protect your customer's intellectual property because their domain names will be significantly less subject to joe-jobbing and other reputation damaging attacks.
Bruce Barnes
ChicagoNetTech Inc

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

Reply to Thread