On Sat, 2012-02-18 at 11:51 -0500, Jonathan Vomacka wrote:
> BIND Community Support,
>
> I am inquiring about how to set up a proper SPF record? I know there are
> SPF wizards/generators available but each seems to have a different
> "opinion" of what should be included and what should not be included.
>
> Let me give you a scenario of my setup, and hopefully someone can help
> me out.
>
> My domain is: test.com
> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
> record
> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
> to mail.host.com
>
> This is a STANDALONE mail server without any VIPs or load balancing.
> There is however one additional host that will send out mail from the
> domain but it won't be receiving mail, it will only be used as an SMTP
> server attached to a website automailer... It only generates error
> reports and sends them out... so technically it isn't a full mail server
> but it will be sending (outbound only) mail on behalf of the domain.
>
> The additional host is: mail2.test.com which resolves to 50.2.2.2 and
> there is a matching PTR.
>
> These are the ONLY mail servers and IP addresses that will be sending
> out mail from the test.com domain. Some websites say I should use -all
> and others say -all will cause some MTAs to reject and ~all is better
> to use even if those are the only two hosts sending out mail.
>
> Would you be able to assist with a solid SPF record?

SPF "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all"
TXT "v=spf1 ip4:50.1.1.1 ip4:50.2.2.2 -all" <-- This is to support antiquated resolvers who don't understand the SPF record

-all will reject if the mail is not from one of the above; this is the entire purpose of SPF, to stop dead impersonators. ~all is a softfail, intended for the initial testing phase, so you can use ~all if you are widening your scope, but if only those two above IPs will send mail for your domain, just use -all and make sure all of your users have configured SMTP auth to send by either of those two machines.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users