Mark Minasi's Tech Forum
DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 79
Reply with quote  #1 
I used the SPF wizard here...

http://www.spfwizard.net/

To create this SPF record:

contoso.com.  IN TXT  v=spf1 mx a -all

Is that all you need?

It seems too simple.

I've seen some records with all the IP addresses and FQDNs listed, although I think this is faulty and leads to excessive and unnecessary DNS lookups when you enter them in an SPF validation tool (like http://www.kitterman.com/spf/validate.html?).



0
cj_berlin

Senior Member
Registered:
Posts: 371
Reply with quote  #2 
Quote:
Originally Posted by DM-AVAL
I used the SPF wizard here...

contoso.com.  IN TXT  v=spf1 mx a -all

Is that all you need?



Depends on what you're trying to achieve. This is a valid SPF record that allows any server to send mail on behalf of the domain.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 79
Reply with quote  #3 
Any server that matches the A records or MX records, correct?

On that subject, since the MX records point to the A records, I'm not sure why you would need both (?).
0
DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 79
Reply with quote  #4 
I would want to prevent anyone not sending from the IP address(es) matching my A record(s) to be able to send as me (assuming the recipient verifies SPF).
0
cj_berlin

Senior Member
Registered:
Posts: 371
Reply with quote  #5 
Because you may have sending hosts that do not happen to be MX for your domain.
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
cj_berlin

Senior Member
Registered:
Posts: 371
Reply with quote  #6 
Quote:
Originally Posted by DM-AVAL
I would want to prevent anyone not sending from the IP address(es) matching my A record(s) to be able to send as me (assuming the recipient verifies SPF).


Yes, the above record would do exactly that.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 79
Reply with quote  #7 
Thanks, that answers my questions perfectly!
0
anthonymaw

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 14
Reply with quote  #8 
The syntax is read as follows:

"mx a" means allow servers of your DNS mx record to send emails for your domain.

"-all" means block all hosts from originating emails for that domain.

The rule is that allow takes precedence over deny.

Here's the reference http://www.openspf.org/SPF_Record_Syntax

Note that not all SMTP servers check SPF, or they support it but are not configured to.

Yes, it requires extra DNS lookups - no big deal - in exchange for the security of preventing your domain emails from being spoofed!


__________________
Anthony Maw, B.Sc., MCSE, Vancouver, Canada, Earth, Solar System, Milky Way Galaxy.....
Tel/SMS: +1 604-318-9994
http://www.anthonymaw.com
0
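
Added example (not from any poster in this thread): a minimal offline sketch of how a receiver evaluates `v=spf1 mx a -all`, reading mechanisms left to right with the first match deciding the result, and counting the DNS-querying terms used. The zone data, IP addresses and the `check_spf` helper are constructed for illustration; only `all`, `ip4`, `ip6`, `a` and `mx` without CIDR lengths are handled.

```python
import ipaddress

# Constructed zone data standing in for real DNS (documentation address ranges).
ZONE = {
    ("contoso.com", "MX"): ["mail.contoso.com"],
    ("contoso.com", "A"): ["192.0.2.10"],        # host behind the domain's A record
    ("mail.contoso.com", "A"): ["192.0.2.25"],   # host named by the MX record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def check_spf(record, domain, sender_ip, zone=ZONE):
    """Return (result, dns_querying_terms) for sender_ip against an SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", 0
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"                          # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True                       # matches every sender
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups
            target = arg or domain
            hosts = zone.get((target, "MX"), []) if name == "mx" else [target]
            addrs = [a for h in hosts for a in zone.get((h, "A"), [])]
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        else:
            return "permerror", lookups          # mechanism outside this sketch
        if matched:                              # first match wins
            return QUALIFIERS[qualifier], lookups
    return "neutral", lookups                    # nothing matched, no "all" term
```

Calling `check_spf("v=spf1 mx a -all", "contoso.com", ip)` with the MX host's address, the A record's address, and an unrelated address shows the three outcomes the thread discusses.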