SPF Record: How To?
Question asked by Michael Barber - 11/10/2014 at 9:57 AM
Answered
I administer my own DNS here and have done it since Bind 4.9.   I've read a number of articles on SPF records but I simply do not understand it.  I see examples but the TXT line looks like gibberish to me.  I guess the problem is I'm not understanding exactly how this SPF record, or what is contained in the TXT line, actually does anything to STOP spam, and therefore I'm not following WHAT exactly my SPF record should be from the example. Or, do I just take the example verbatim?
 
Suppose I have a mail server that answers at mail.myserver.com and there is an "A" record for mail.myserver.com.  And there is an MX preference for mail.myserver.com.
 
What should be my spf record?
What else beside the MX and A record do I need besides the TXT spf record?
 
I would appreciate figuring this out because I want to clamp down on spam.

10 Replies

0
Joe Wolf Replied
Marked As Answer
There are two issues...  first the SPF record itself.  IF you SEND all mail for yourdomain.com through your mail server mail.yourdomain.com then your SPF record can be as simple as (assuming you use BIND): IN TXT "v=spf1 mx"  All that SPF record says is that all mail from yourdomain.com is sent through a server listed as an MX server in yourdomain.com.
 
As far as clamping down on spam... if you mean incoming spam then the above will do nothing to help that.  It will help recipients that receive mail from yourdomain.com validate that the message is not spoofed.
 
SPF alone does very little these days. It becomes more powerful when combined with DKIM.  If you're sending out messages that pass both SPF and DKIM, almost all servers will accept your messages for further spam filtering.
 
Good luck,
-Joe
 
Thanks, -Joe
0
Bruce Barnes Replied
I would be very careful about ignoring SPF, or not properly formatting an SPF record.

An excellent SPF checker is available at: 
https://unlocktheinbox.com/dnstools/spf/unlocktheinbox.com
 
An excellent SPF configuration tool is available at: https://unlocktheinbox.com/spfwizard/
 
Per YAHOO!'s Postmaster Page:  Use rDNS, SPF, 2048 BIT DOMAINKEYS, DKIM, and DMARC on ALL OUTGOING MESSAGES.  The first five are now REQUIRED by COMCAST and YAHOO!  DMARC is optional, but strongly suggested. [http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/]
 
The 2048 bit DomainKeys and DKIM are based on recommendations which came down from US-CERT in January of 2013 and are now being enforced, as of 1 December, 2014, by Google:  Here's my document which provides the basis for that:
 
and here's the official Google announcement pertaining to their abandonment of 1024 bit certs, also in November, 2013: http://dottech.org/135967/google-rolls-out-stronger-encryption-aims-to-make-https-and-ssl-harder-to-crack/
 
One of my more popular documents, Why Am I Having Problems Getting My E-Mail Delivered, is located at: https://portal.chicagonettech.com/kb/a116/why-am-i-having-problems-getting-my-e-mail-delivered.aspx.  The document is based on the recommendations of YAHOO!, COMCAST, AOL, MSN and several other large providers.

Microsoft is the only straggler, but will stop all support for SSL v3.0 on 1 December, 2013.  

Microsoft will push updates out to all currently supported operating systems which will shut SSL v3.0 down and, unless you have enabled TLS 1.0, and TLS 1.0, 1.1, and 1.2, in Windows Server 2003, Server 2008 (made available by Service Pack 2, but not enabled), and Server 2012, the lack of SSL and TLS will leave you high and dry. See:
http://support.microsoft.com/kb/2661254.  Microsoft will officially end support for 1024 bit certs in April of 2016, but, considering the recent rash of hacked networks and secure servers, I would not be surprised if that date is moved up to a much sooner date.
 
Finally, after making your configurations you will want to send a test message, simultaneously, to the following two e-mail addresses to check your server's ports, security, and e-mail deliverability:
 
While all of this may be confusing, it is important that we properly configure our MX servers, whether SmarterMail or from another vendor, so they are set up in such a way that our customers will have as few delivery problems as possible.
 
With the theft of almost 60 million Home Depot e-mail addresses, we're seeing an abnormally high incidence of spam and phishing e-mail.  With the use of SPF, SSL, DomainKeys, DKIM and DMARC, you will be able to lock down your SmarterMail server as tight as possible and not only protect your reputation as an e-mail provider, but also protect your customers' intellectual property, because their domain names will be significantly less subject to joe-jobbing and other reputation-damaging attacks.
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Michael Barber Replied
If this is so important, why isn't there an easy step-by-step? I can't seem to find anything but bits and pieces.
How do I get DKIM? So do you have to go to Comodo or an SSL authority to get a public key, and where is the private key stored? Ok, found a way to generate the keys: http://www.port25.com/support/domainkeysdkim-wizard/ However, it's unclear to me where the private key is stored on the server, for example.

I found this: https://portal.smartertools.com/kb/a2754/set-up-dkim-and-domain-key.aspx However, I'm using version 11, and there is NO Domain settings under Settings.
0
Joe Wolf Replied
No you don't need an SSL Certificate to implement DKIM. Here's a KB on how to implement DKIM on SmarterMail and then you simply add the appropriate DNS TXT records:
http://portal.smartertools.com/kb/a2754/set-up-dkim-and-domain-key.aspx?KBSearchID=618826

You can ignore DomainKeys as it has been diminished. Yahoo developed it and they don't even use it anymore. DKIM is the replacement.

I don't know what you use your server for, but if you intend to offer HIPAA email archiving (6 years) you cannot use inbound DMARC or Delete as an action based on spam weight. Both of those actions result in messages being deleted without either the sender or recipient being notified.

If you want to publish a DMARC policy then you can do so, just NEVER check the "Enable DMARC policy compliance check" in the SmarterMail Antispam Administration, Options.

-Joe
Thanks, -Joe
0
Bruce Barnes Replied
Anyone who runs an e-mail server without SSL is taking a risk
0
Joseph Boo Replied
So far my email is set up without using SSL, but I added a firewall to protect my email server; so far, 2 years, it is OK.
0
philip Replied
Hi guys,
let's say I've got 2 DNS servers, one for internal and the other one for external.
Where should I put these SPF records?
0
Kyle Kerst Replied
Employee Post
Philip, SPF records should be added to your external DNS server so that third party email servers can check your SPF records when accepting email from your domain users. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
philip Replied
Hi Kyle,
I've put the SPF record on the external DNS.
I put it like this, but I'm not sure whether it is correct or not:
v=spf1 a mx ptr <domainname> -all
Can someone confirm this?
1
Kyle Kerst Replied
Employee Post
Philip, sorry for the delay on this. I believe your SPF record needs some adjustment here, and will need to be added as a TXT record. Can you use the following page to generate an appropriate SPF record?


Configuring this for an example network I get something like this: 

example.com.  IN TXT "v=spf1 mx ip4:1.2.3.4/32 ~all"

- The example.com section is the domain you're working on.
- The IN TXT means that everything after that goes into the TXT record type.
- The MX tells servers that any server listed as an MX for this domain may send email.
- The IP4 entry is an additional server IP that may send email for the domain.
- The ~all portion tells receiving mail servers to accept mail from your domain (even if SPF fails) but mark the message as possibly spam.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
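Added example (not code from the thread, from SmarterTools, or from any of the posters): a small Python evaluator that shows what a receiving server actually does with the records discussed above, Joe's minimal "v=spf1 mx" and Kyle's "v=spf1 mx ip4:1.2.3.4/32 ~all". It walks the mechanisms left to right and the first one that matches the connecting IP decides the result through its qualifier, which is the core of RFC 7208's check_host(). All DNS data is a constructed in-memory table (the zone names myserver.com, minimal.example and strict.example and their addresses are made up for the example); a real checker would query a resolver instead. Only all, ip4, ip6, a, mx and include are implemented; ptr and exists, and the redirect=/exp= modifiers, are deliberately left out, and the recursion cap is a crude stand-in for the RFC's lookup limit.

```python
"""Toy SPF evaluator over a constructed in-memory DNS table (added example).

Implements the core of RFC 7208 check_host(): walk the record's mechanisms
left to right; the first one matching the connecting IP decides the result
via its qualifier. Only all/ip4/ip6/a/mx/include are handled.
"""
import ipaddress

# Constructed DNS data for hypothetical zones; nothing here is real.
FAKE_DNS = {
    # Record of the shape Kyle shows: MX hosts plus one extra IP, softfail otherwise.
    ("myserver.com", "TXT"): ["v=spf1 mx ip4:1.2.3.4/32 ~all"],
    ("myserver.com", "MX"): ["mail.myserver.com"],
    ("mail.myserver.com", "A"): ["203.0.113.10"],
    # Joe's minimal record: no trailing "all" term at all.
    ("minimal.example", "TXT"): ["v=spf1 mx"],
    ("minimal.example", "MX"): ["mail.myserver.com"],
    # A stricter zone that delegates to myserver.com and hard-fails the rest.
    ("strict.example", "TXT"): ["v=spf1 a include:myserver.com -all"],
    ("strict.example", "A"): ["203.0.113.20"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; a real checker would use a resolver here."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def parse_term(term):
    """Split one mechanism into (qualifier, name, argument); '+' is the default."""
    qualifier = "+"
    if term and term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    if ":" in term:                      # ip4:1.2.3.4/32, a:host.example, include:dom
        mech, arg = term.split(":", 1)
    elif "/" in term:                    # a/24 or mx/24: CIDR applied to own domain
        mech, cidr = term.split("/", 1)
        arg = "/" + cidr
    else:                                # bare mx, a, all
        mech, arg = term, ""
    return qualifier, mech.lower(), arg


def ip_in(ip, network):
    """True if ip lies in network; mismatched IP versions simply do not match."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def a_mx_networks(mech, arg, domain):
    """Expand an 'a' or 'mx' mechanism into the networks it authorises."""
    target, _, cidr = arg.partition("/")
    target = target or domain            # no explicit host means the domain itself
    hosts = [target] if mech == "a" else lookup(target, "MX")
    suffix = "/" + cidr if cidr else ""
    return [addr + suffix for host in hosts for addr in lookup(host, "A")]


def check_host(ip, domain, depth=0):
    """SPF result for a message from `ip` whose envelope sender is in `domain`."""
    if depth > 10:                       # crude stand-in for the RFC's lookup limit
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                 # RFC 7208 requires exactly one SPF record
        return "permerror"
    for term in records[0].split()[1:]:
        if "=" in term:                  # redirect=/exp= modifiers: skipped here
            continue
        qualifier, mech, arg = parse_term(term)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech in ("a", "mx"):
            matched = any(ip_in(ip, net) for net in a_mx_networks(mech, arg, domain))
        elif mech == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):   # broken delegation is an error
                return "permerror"
            matched = inner == "pass"
        else:                            # ptr, exists, or a token that is not a mechanism
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end without any match


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "myserver.com"), ("198.51.100.7", "myserver.com"),
                    ("198.51.100.7", "minimal.example"), ("198.51.100.7", "strict.example")]:
        print(f"{ip:>14} as {dom:<16} -> {check_host(ip, dom)}")
```

The minimal.example case shows the point behind Kyle's last bullet: with "v=spf1 mx" and no "all" term, a sender that is not an MX host gets "neutral", which receivers treat much like no record at all, so the trailing "~all" or "-all" is what gives the record teeth. Running the script prints pass, softfail, neutral and fail for the four cases in that order.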
