Mailing List Archive

Optimize SPF TXT record
Hello all and TIA for your help.

I own the randsco.com domain. We normally send all unrouted email for our domain to an active email account. A few days ago, we began receiving bounced "undeliverable" messages back, apparently sent from bogus email addresses on our domain. (Seems that spammers are using fake randsco.com email addresses in the "from" field? Wankers.)

So ... I went looking for a way to combat this and found SPF. Yay!!

We requested that our host provider add an SPF record for us and they added this one:

v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com a:siteground126.com a:serv01.siteground126.com mx:randsco.com mx:siteground126.com mx:serv01.siteground126.com include:siteground126.com include:serv01.siteground126.com ~all

After reading up and running some tests against it, I began to question the efficiency and validity of the record. (For one, the included domains don't have SPF records, and two, I don't think the includes are needed?)

Running the wizard led me to a much simpler one:

"v=spf1 a mx ip4:207.218.208.0/24 ~all" (Where I just copied the ip4 arguments from the host version)

Because I'm new to SPF, I'm not certain if I should just ask my host to replace theirs with the one spit out from the wizard? Is there a more succinct/efficient record for our situation?

After reading some of the help emails, it seems that if one specifies an IP range, one can omit the MX mechanism? (and that IPs are faster/cheaper lookups?)

I'd modify the record myself (we have a domain registrar separate from our host - pakNIC) but they currently do not support adding TXT records to DNS. (I've written and requested that they do) :-(

Can someone help me optimize an SPF record for our domain? Speak to all the a:, mx: and include: mechanisms used by our host? (Are they really needed?)

Thank you.


-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=5f6145ca
Re: Optimize SPF TXT record [ In reply to ]
On Saturday 13 January 2007 12:02, Scott Kimler wrote:
> Hello all and TIA for your help.
>
> I own the randsco.com domain. We normally send all unrouted email for
> our domain to an active email account. A few days ago, we began receiving
> bounced "undeliverable" messages back, apparently sent from bogus email
> addresses on our domain. (Seems that spammers are using fake randsco.com
> email addresses in the "from" field? Wankers.)
>
> So ... I went looking for a way to combat this and found SPF. Yay!!
>
> We requested that our host provider add an SPF record for us and they
> added this one:
>
> v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com a:siteground126.com
> a:serv01.siteground126.com mx:randsco.com mx:siteground126.com
> mx:serv01.siteground126.com include:siteground126.com
> include:serv01.siteground126.com ~all
>
> After reading up and running some tests against it, I began to question
> the efficiency and validity of the record. (The included domains don't
> have SPF records, for one and two, I don't think the includes are needed?)

You are correct about the validity. Step one is to go tell your provider to
remove this record.

> Running the wizard led me to a much simpler one:
>
> "v=spf1 a mx ip4:207.218.208.0/24 ~all" (Where I just copied the ip4
> arguments from the host version)
>
> Because I'm new to SPF, I'm not certain if I should just ask my host to
> replace theirs with the one spit out from the wizard? Is there a more
> succinct/efficient record for our situation?

Remove the current one and let's get this right before you publish another.

> After reading some of the help emails, it seems that if one specifies an
> IP range, one can omit the MX mechanism? (and that IPs are faster/cheaper
> lookups?)

The record needs to list all the authorized sources for your domain to send
mail. For example, if your web server sends mail then "a" will generally
cover that. The "mx" mechanism is only useful if the server that receives
your mail also sends mail. In many cases it doesn't.

The ip4 and ip6 mechanisms are more efficient, but for servers you don't
control may be problematic if your host changes the IP address without
telling you.

> I'd modify the record myself (we have a domain registrar separate from
> our host - pakNIC) but they currently do not support adding TXT records to
> DNS. (I've written and requested that they do) :-(

I keep a list of providers that do /don't support TXT at
http://www.kitterman.com/spf/txt.html. I've added them to the list as a no.
Please let us know if that changes.

> Can someone help me optimize an SPF record for our domain? Speak to a
> all the a:, mx: and include: mechanisms used by our host? (Are they really
> needed?)

Sure. First go ask the provider to pull the existing record. Then write back
with a description of how your domain sends mail (e.g. does the web server
send auto-replies or mailings, everyone sends mail via their home ISP, it all
goes out through one dedicated server, etc.) and we'll help.

You should test any record you come up with before you publish it. You can
use http://www.kitterman.com/spf/validate.html.

Scott K

Re: Optimize SPF TXT record [ In reply to ]
Scott,

Thank you for your prompt reply. I have requested our host pull the TXT record and that should be done shortly. (DONE)

You wrote: "write back with a description of how your domain sends mail (e.g. does the web server send auto-replies or mailings, everyone sends mail via their home ISP, it all goes out through one dedicated server, etc.) and we'll help."

First ... THANKS!! I'm not an email guru, so accept my apologies if this description is not complete.

1) We RARELY utilize our domain for email (preferring to utilize disk space, updated anti-spam and other services at Yahoo and gMail).

2) We DO have sanctioned email accounts (< 6) at randsco.com.

3) Generally, we receive and send domain email via webmail interfaces like SquirrelMail or NeoMail (presumably through our host mail server serv01.siteground.com, but I'm not 100% on the intricacies).

4) We DO forward unrouted mail and some sanctioned accounts to active Yahoo mail accounts (which means that we may REPLY to these emails from within Yahoo, so to cover this, I'm assuming we'd need to include a Yahoo mail server with an "include" -OR- from now on only reply via our domain's webmail interface?)

5) I do not think there are any auto-replies or mailings emanating from our domain mail server (no "out of office", subscription email services, or anything like that).

6) While I have an Outlook email client set up locally, since we've been on broadband, it's been ages since I've emailed through our ISP, specifying a "from" address. (We can forgo any of those capabilities.)

7) Basically, the domain is a family affair and I'm the primary user. We don't have "members" and don't add/delete/setup many email accounts.

With the exception of perhaps allowing replies from either gMail or Yahoo, I would think that it's the most basic of setups?

Cheers,

-stk


Re: Optimize SPF TXT record [ In reply to ]
PS -

I have verified (via a test email message from Yahoo to a randsco.com email address) that the receiving server is the same as the sending server: (i.e. serv01.siteground126.com)

Hope this helps.


Re: Optimize SPF TXT record [ In reply to ]
On Sat, Jan 13, 2007 at 09:02:10AM -0800, Scott Kimler wrote:
> Hello all and TIA for your help.

You are already helped; I just want to point to a frequently seen error:


[snip most of SPF record]
>
> v=spf1 ... mx:serv01.siteground126.com ...

serv01.siteground126.com does not _have_ an MX record, it _is_
a host pointed to by an MX record.

Looking up MX(serv01.siteground126.com) results in an empty list
of mailhosts. In other words: it does not match anything, but it
does cost resources.


The author of your record probably intended to specify something
in the line of "Hey, serv01.siteground126.com is a mail receiver
but it may also send mail". This is NOT how it works. He should
have specified "mx:siteground126.com" which means: "Hey, the mail
receivers for domain siteground126.com may also send mail".


The data involved:

Zone siteground126.com has domain siteground126.com in it.

Domain siteground126.com has an MX record: "0 siteground126.com."
(meaning: hostname siteground126.com with preference 0 (highest))

hostname siteground126.com has IP address 207.218.208.15

IP address 207.218.208.15 has name serv01.siteground126.com

hostname serv01.siteground126.com has address 207.218.208.15


At least hostname->ip_address->hostname->ip_address works, it could
have been worse.


Specifying "mx:siteground126.com" would mean:

Lookup MX(siteground126.com)
Answer: "0 siteground126.com."
For every hostname returned:
- Lookup A($hostname)
- Answer: one or more ip_addresses
- Move ip_addresses to result list
Result: list of one or more IP addresses which are to be compared against
the incoming connection.

If there's only one host, it is more efficient to do:

"a:siteground126.com"

Lookup A(siteground126.com)
Answer: one or more IP addresses
Result: list of one or more IP addresses which are to be compared against
the incoming connection.

If the network is static, addresses and names do not change often, then
it is even more efficient to do:

"ip4:207.218.208.15"

No DNS lookup necessary
Result: `list' of one IP address which is to be compared against
the incoming connection.


Alex

Re: Optimize SPF TXT record [ In reply to ]
Alex,

Thanks for the explanation. I think it makes sense to me.

Scott, Alex, Anyone -

If my thinking is correct, the SPF record that my host used:

v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com a:siteground126.com
a:serv01.siteground126.com mx:randsco.com mx:siteground126.com
mx:serv01.siteground126.com include:siteground126.com
include:serv01.siteground126.com ~all

could be (correctly) and more succinctly written as:

v=spf1 ip4:207.218.208.0/24 ~all

The rest of it appears superfluous (and as you pointed out, Alex, nonsensical in the case of "serv01.siteground126.com")

HOWEVER, because I do not control the servers at my host, it's possible that IP numbers and domain names may change, so I don't think I want to use an SPF record specifying those things.

It seems to me, in that case that the following might be best:

v=spf1 a mx -all

(Where I've changed the "all" prefix to "fail" rather than "soft-fail" - i.e., REJECT the non-matched email, rather than ACCEPT (and mark) the non-matched email).

In my case, because the sending and receiving mail servers are identical, couldn't I even abbreviate it further by using?

v=spf1 mx -all

(Not that the shortest SPF record wins, just trying to figure out the relationship between looking up A records for domains -vs- looking up A records for all MX domains.)

Also, because I forward (and reply to) domain mail from yahoo.com, shouldn't I include that domain?

v=spf1 mx include:yahoo.com -all

However, it seems that yahoo mail utilizes their own "DomainKey Signature" exclusively (they don't have an SPF record). So wouldn't including the yahoo.com domain result in permanent errors and (kinda) defeat the whole purpose of SPF?

So, it seems I have two choices ... use

v=spf1 a mx -all

(adding the "a" back in, in case my host ever designates different sending/receiving mail servers ... quit forwarding mail to yahoo and forward it to gMail, instead).

If I look up the SPF record for gmail.com, I get a redirect to _spf.google.com. So, I'm assuming that if I forwarded domain mail to my gmail.com email address and replied to it, it would pass an SPF record check if I used the following:

v=spf1 a mx include:_spf.google.com -all

Which, ATM, is the record I THINK I should be using.

Does this logic make sense? Thoughts?

-stk
www.randsco.com


Re: Optimize SPF TXT record [ In reply to ]
On Sun, Jan 14, 2007 at 09:12:31AM -0800, Scott Kimler wrote:

> HOWEVER, because I do not control the servers at my host, it's possible that IP numbers and domain names may change, so I don't think I want to use an SPF record specifying those things.
>

Then why do you think the hosts that are receiving your mail will also
stay the hosts that send mail ?

> v=spf1 mx -all

Let's look at an example:

ISP 'example' has zone 'example.com'. They have two mail servers which are
responsible for all email, inbound and outbound.

example.com. MX 10 mail01.example.com.
example.com. MX 10 mail02.example.com.
mail01.example.com. A 192.0.2.1
mail02.example.com. A 192.0.2.2

You publish "v=spf1 mx -all" for your domain name, and expect things to work.

The ISP grows, and they add a couple of mail servers, two of them only receive
mail but don't send mail.

example.com MX 10 mail01.example.com.
example.com MX 10 mail02.example.com.
example.com MX 10 mail03.example.com.
example.com MX 10 mail04.example.com.
example.com MX 100 backup01.example.com.
example.com MX 100 backup02.example.com.

mail01.example.com. A 192.0.2.1
mail02.example.com. A 192.0.2.2
mail03.example.com. A 192.0.2.3
mail04.example.com. A 192.0.2.4
backup01.example.com. A 192.0.2.129
backup02.example.com. A 192.0.2.130

Your "mx" still covers all mail servers, including the two that do receive
mail but aren't used for sending. This is harmless.

Then the ISP reconfigures their hosts. They separate inbound and outbound
mail. The hosts formerly known as backup01 and backup02 no longer receive
mail, they are now responsible for sending mail. The mail receivers no
longer send mail:

example.com. MX 10 mail01.example.com.
example.com. MX 10 mail02.example.com.
example.com. MX 10 mail03.example.com.
example.com. MX 10 mail04.example.com.
mail01.example.com. A 192.0.2.1
mail02.example.com. A 192.0.2.2
mail03.example.com. A 192.0.2.3
mail04.example.com. A 192.0.2.4
out01.example.com. A 192.0.2.129
out02.example.com. A 192.0.2.130

Now "mx" no longer covers out01 and out02. It only covers hosts
mail01 to mail04, which aren't used for sending mail anymore.

Would you have had "v=spf1 ip4:192.0.2.0/24 -all", then in this case
your record would still allow out01 and out02 to send your mail.


Please note that I could easily create an example where the opposite
would be true, thus "v=spf1 mx -all" continues to work and the "ip4"
variant does not.


Creating a more complex record, for instance putting both "mx" and
"ip4:192.0.2.0/24" in it, may seem prudent at first. It really is
not, as the following shows:

"v=spf1 ip4:192.0.2.0/24 mx -all"

Things change. The ISP grows even further. It gets allocated more
address space, and reorganizes its network. In addition, the ISP is
going to use a 3rd party to process inbound mail.

Change1: the network originally used for ISP servers is now for
customers. Part of the addresses covered by ip4:192.0.2.0/24 is
allocated to a spamming customer. Because of your SPF record, you
allow that spammer to spoof your name...

Change2: the MX records are changed and point to that 3rd party. This
means "mx" no longer covers any server at your ISP. From a performance
standpoint, "mx" has become useless. From a security standpoint, "mx"
has become a hazard.


The moral of this all: guess and you may guess wrong. Don't guess. Know.
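The two walkthroughs above (Alex's description of how "mx", "a" and "ip4" are resolved for siteground126.com, and the example.com scenario where the ISP splits inbound and outbound hosts) can be reproduced with a small evaluator. This is an added example, not code from the thread or from any SPF library: it supports only the "mx", "a", "ip4" and "all" mechanisms (no include, redirect or lookup limit), runs against constructed in-memory zone data built from the names and addresses quoted in the thread, and counts the DNS queries each mechanism costs.

```python
"""Minimal SPF evaluator over a constructed in-memory DNS table (added example)."""
import ipaddress

# Constructed zone snapshots. ZONE_BEFORE / ZONE_AFTER mirror the example.com
# scenario: after the reorganisation, out01/out02 send mail but are not MX hosts.
ZONE_BEFORE = {
    "example.com": {"MX": [(10, "mail01.example.com"), (10, "mail02.example.com")]},
    "mail01.example.com": {"A": ["192.0.2.1"]},
    "mail02.example.com": {"A": ["192.0.2.2"]},
}
ZONE_AFTER = {
    "example.com": {"MX": [(10, f"mail0{i}.example.com") for i in range(1, 5)]},
    **{f"mail0{i}.example.com": {"A": [f"192.0.2.{i}"]} for i in range(1, 5)},
    "out01.example.com": {"A": ["192.0.2.129"]},
    "out02.example.com": {"A": ["192.0.2.130"]},
}
# Constructed from the siteground126.com data quoted in the thread:
# serv01 is the MX *target*, it has no MX record of its own.
ZONE_SITEGROUND = {
    "siteground126.com": {"MX": [(0, "siteground126.com")], "A": ["207.218.208.15"]},
    "serv01.siteground126.com": {"A": ["207.218.208.15"]},
}


class Resolver:
    """Answers queries from one zone snapshot and counts every query made."""

    def __init__(self, zone):
        self.zone = zone
        self.lookups = 0

    def query(self, name, rtype):
        self.lookups += 1
        return list(self.zone.get(name.rstrip("."), {}).get(rtype, []))


def mechanism_networks(resolver, mech, domain):
    """Networks one mechanism authorises; None means 'all' (matches anything)."""
    name, _, arg = mech.partition(":")
    if name == "ip4":                      # no DNS query at all
        return {ipaddress.ip_network(arg, strict=False)}
    if name == "a":                        # one A query
        return {ipaddress.ip_network(a) for a in resolver.query(arg or domain, "A")}
    if name == "mx":                       # one MX query, then one A query per MX host
        nets = set()
        for _pref, host in resolver.query(arg or domain, "MX"):
            nets.update(ipaddress.ip_network(a) for a in resolver.query(host, "A"))
        return nets
    if name == "all":
        return None
    raise ValueError(f"unsupported mechanism: {mech}")


def check_spf(record, domain, client_ip, zone):
    """Evaluate `record` published by `domain` against the connecting `client_ip`.

    Returns (result, dns_lookups) where result is pass/fail/softfail/neutral.
    """
    resolver = Resolver(zone)
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = term[0] if term[0] in qualifiers else "+"
        nets = mechanism_networks(resolver, term.lstrip("+-~?"), domain)
        if nets is None or any(ip in n for n in nets):   # first match wins
            return qualifiers[qual], resolver.lookups
    return "neutral", resolver.lookups                    # no mechanism matched


if __name__ == "__main__":
    # The "mx:serv01" mistake costs a query and can never match.
    for rec in ("v=spf1 mx:serv01.siteground126.com -all", "v=spf1 mx:siteground126.com -all",
                "v=spf1 a:siteground126.com -all", "v=spf1 ip4:207.218.208.15 -all"):
        print(rec, "->", check_spf(rec, "randsco.com", "207.218.208.15", ZONE_SITEGROUND))
    # "mx" stops covering the outbound hosts once the ISP separates them.
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for rec in ("v=spf1 mx -all", "v=spf1 ip4:192.0.2.0/24 -all"):
            print(label, rec, "from 192.0.2.129 ->", check_spf(rec, "example.com", "192.0.2.129", zone))
```

The lookup counts show the efficiency ordering the thread describes (ip4: 0, a: 1, mx: 1 plus one per MX host), and the example.com runs show the same "v=spf1 mx -all" record passing or failing depending only on what the ISP did to its zone.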

Re: Optimize SPF TXT record [ In reply to ]
FWIW, our site http://randsco.com hosts a family and technical blog. I've put together a write-up of our SPAM hijacking and subsequent discovery of SPF, which I hope will help spread the word and speed up the adoption rate. The write-up can be found here: http://randsco.com/index.php/2007/01/11/randsco_hijacked (though I'll add to it, based on my host provider's invalid suggested SPF record and my experiences on this help forum).

I hope this helps and I look forward to getting a proper SPF record in place, to help combat this identity-theft problem.

Cheers,

-stk


Re: Optimize SPF TXT record [ In reply to ]
The other thing I would add is that we are always looking to make our web site
more comprehensive and easier to understand. If there is something that
would have helped you understand SPF better or more quickly, you can write it
up and publish it here:

http://www.openspf.org/Community

Once you are happy with it, you can let us know and one of us with write
access to the main wiki can move it over. Making SPF understandable is one
of the biggest things we need to get better at and it is very difficult for
those of us who have been doing this for a while to write stuff that makes
sense to someone who isn't already familiar with SPF and the related DNS/SMTP
issues.

We NEED help from people like you while the new SPF experience is still fresh
in your minds (this applies to everyone else too - all are welcome).

Thanks,

Scott K

Re: Optimize SPF TXT record [ In reply to ]
Alex van den Bogaerdt <alex@ergens.op.het.net> wrote:

Then why do you think the hosts that are receiving your mail will also
stay the hosts that send mail ?

> v=spf1 mx -all

I don't? I was merely trying to ascertain that IF the hosts receiving/sending mail were the same, if it would be syntactically correct to omit the "a".

It's also why I wrote later,

[quote] v=spf1 a mx -all

(adding the "a" back in, in case my host ever designates different sending/receiving mail servers ...[/quote]

I think we're on the same page, trying to future-proof the statement as much as possible.

I continue to hope that someone will read my entire thought process and let me know if my final SPF record, makes sense to use, given our situation.

I'm keen about the thought process because I'm planning on notifying my host about HOW to correct their original SPF record. I've also thought about providing some basic SPF record construction hints and tips in my http://randsco.com article, because I think that both the wizard and syntax pages on openspf.org are a tad obtuse.

v=spf1 a mx include:_spf.google.com -all <-- my final SPF record (tested okay, but does it make sense?)

Thanks,

-stk


Re: Optimize SPF TXT record [ In reply to ]
Scott Kitterman <scott@kitterman.com> wrote:
If there is something that
would have helped you understand SPF better or more quickly, you can write it
up and publish it here:

http://www.openspf.org/Community

Thanks for the invitation. :)

However, I'm still waiting to make certain that I DO understand, before I go off along a tangent about how I might have been made to understand faster. ;)

Frankly, Alex's examples have left me a tad confused. Firstly, I think he stopped reading after I asked "since sending and receiving servers are the same, could I just drop the A?" However, reading his post in greater detail ... if he can come up with an example of how an IP4 range might allow someone to spoof my email address AND an example whereby MX becomes a security risk ... then what's a poor slob like me, using a host provider, supposed to do?

I cannot predict what will happen to my hosting company's IP ranges, or server names, or even which servers send and receive mail ... or even if they do it themselves or suddenly utilize a 3rd party. ACK. :-(

All I want to do is provide a means by which mail sent from a randsco.com address is confirmed as having come from a sanctioned randsco.com email address, whether or not routed through gmail or yahoo.com.

It would seem to this neophyte that the SPF specification should include further restrictions. Not only should it check to make certain that the randsco.com email is being sent through allowed servers, it should also make certain that the email address is one that is actually being USED.

(i.e., if the SPF could also indicate an array of sanctioned - or used - email addresses, then the bevvy of bogus, random ones commonly used by spammers, could be summarily rejected REGARDLESS of other server information).

Mind you, administering such a situation might prove onerous for many site owners (who regularly add/edit/delete email addresses), but it would be an EXCELLENT benefit for those domain owners for whom email addresses seldom change. ( Like me! :D )

In any case, I'm still hoping that someone can critique my thought process and final suggested SPF record, so that I might determine if I HAVE got a better understanding and I can help spread a tad bit of knowledge. Both to my host provider, who apparently THINKS they know something that they CLEARLY do not, and to the broader community at large (pending any corrections from this erudite community).

I could also then modify my DNS and get it propagated to help deter the wankers who have started STEALING MY IDENTITY.

Cheers,
-stk


Re: Optimize SPF TXT record [ In reply to ]
On Sun, Jan 14, 2007 at 12:49:57PM -0800, Scott Kimler wrote:

> (adding the "a" back in, in case my host ever designates different sending/receiving mail servers ...[/quote]


I think you missed the point I tried to make...


You are trying to come up with a record that is "future proof", because you
don't know what your ISP is going to do.

What if your ISP makes changes so that both "a" and "mx" no longer match ?

There's no point in adding stuff to your record because of something that
may happen in the future. The only safe guess is "v=spf1 +all" and obviously
that's not what you want.

There's no point in adding "mx" (or "a", or anything) to your record because
*perhaps* the ISP makes some changes and *perhaps* "mx" will match the new
situation. Also think about the other end: you are asking all receivers to
do extra work, so that there is a less than 100% chance that you may avoid
doing some work in the less than 100% chance that your ISP makes changes.

This extra work is not just for the receivers, but also for the ISP and for
the Internet in between the ISP and your receiver. All these extra resources
for something that may or may not happen... is it really worth it ?

Consider the scenario where the ISP makes changes that invalidate "a" and
"mx", while "ip4" remains good... you could easily create a record that
only uses "ip4", and has an equal chance of being "future proof". At least
that record would not use unnecessary resources !

And of course, as I showed in my previous mail, there's a chance you're
shooting yourself in the foot with your record. Any record, whether it
uses "a mx" or "ip4:...", could in the future authorize hostile computers
when network changes occur.


In other words: whatever record you create now, don't expect it to be
valid when things change.

So, what can you do:
-1- make sure you know when the ISP changes stuff, and alter your SPF record
accordingly.
or
-2- let your ISP do the work, and include a record they created specifically
for this purpose.

Alex

Re: Optimize SPF TXT record [ In reply to ]
Alex,

I just want to stop spammers from stealing my identity and broadcasting their SPAM, pretending that it's coming from randsco.com, when indeed, it is not.

I got an SPF record that my host gave me and I was happy. I tested it and it yielded errors and I was unhappy. I asked for help and Scott told me to dump my host-generated SPF record and I did. He asked me to explain my mail situation and I did.

Based on what I read here on openspf.org, I came up with the following SPF record, which I tested and appears to work :

Using a hosting provider, I have no real control over what IP address my email is sent from -ultimately, THEY determine that (and may change the servers, the IP range and server names).

The only thing that I DO have control over, the only thing that my host doesn't have control over, the only thing I don't need to try to future-proof is the actual email address. Out of an infinite number of possible randsco.com email addresses (which spammers have randomly attempted to utilize), only SIX are actually sanctioned by me, the domain owner.

It seems to me that it would be better to check for a match over something that I DO have control over, rather than to check against something that I DON'T have control over and may change, unbeknownst to me, at some point in the future?


Alex van den Bogaerdt <alex@ergens.op.het.net> wrote:

So, what can you do:
-1- make sure you know when the ISP changes stuff, and alter your SPF record
accordingly.
or
-2- let your ISP do the work, and include a record they created specifically
for this purpose.

Alex

1) I don't use my ISP for mail, incoming or outgoing. (Did you mean Hosting provider?) If you did, they change stuff all the time without me knowing (php versions, services, etc.). The only way I'll know if the ISP changes anything is when my legit mail begins to fail (and I'm not even certain HOW I'd know). I presume that a flagged message would be returned?

2) Assuming you're still on about my Host and not my ISP, I can say that's what I DID do. I went to my host and asked that they

I just want to find an SPF record that will allow my legit mail to continue to get to its destination and keep spammers from kyping bogus randsco.com email addresses, spreading their crap and making it look like randsco.com is responsible.

I came here seeking help and now I'm just very frustrated and confused.


Re: Optimize SPF TXT record [ In reply to ]
LOL ... I'm so frustrated that I never bothered to proof-read my previous post and missed:

1) The SPF record which I tested and appears to work (which I'm wondering if it's the one I should be using, based on my CURRENT situation): v=spf1 a mx include:_spf.google.com -all

2) I went to my host and asked that they make an SPF record for me and they did: v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com a:siteground126.com a:serv01.siteground126.com mx:randsco.com mx:siteground126.com mx:serv01.siteground126.com include:siteground126.com include:serv01.siteground126.com ~all

(YUCK?)

-lost in spamville


Re: Optimize SPF TXT record [ In reply to ]
On Sun, Jan 14, 2007 at 05:43:28PM -0800, Scott Kimler wrote:

> Using a hosting provider, I have no real control over what IP address my email is sent from -ultimately, THEY determine that (and may change the servers, the IP range and server names).

> I came here seeking help and now I'm just very frustrated and confused.

Great, you imply that's my fault. I didn't even start explaining to
you why forwarding mail is probably a bad idea, and how that's going
to cause problems.

Please understand this:

*) I am just providing information, so you can make an informed decision. It
appears that you suffer from an information overload right now, and this
is very unfortunate
*) I cannot help that you are not in control. The problems caused by this
aren't my fault. Trying to explain them to you is my fault, and I will
quit doing so right away
*) You are making assumptions that aren't correct. I tried to show you
_why_ these assumptions aren't correct. Bad news for you, yes, but do
not blame this on the messenger please


If all you want is a record to publish, without really understanding what
is going on, publish the record using only "ip4" mechanisms. Indeed, you
cannot know if the IP addresses change but as you yourself point out this
is also true for server names ("a:") and for mail exchangers ("mx"). Given
that any choice is not an optimal one, you should choose the one that is
least resource intensive. Then monitor for changes, and adapt your record
when necessary. If you use your name when sending from google, then you
should indeed also have that "include" statement. You got that part right.

Don't forget to authorize email servers your peers may be using, for instance
their own ISP, or the internet cafe on the corner.

Now forwarding...

I'm not explaining _why_ forwarding may be a bad idea (I leave that portion
of information to someone else) but I am going to say this: if you forward
mail to elsewhere, you better make sure one of the following two is true:

a) your "MAIL FROM" is using your own domain name when you forward mail.
chances are this is not the case, so you have to rely on (b):
and/or
b) the receiving domain does not verify SPF. I think yahoo currently does
not do this, but I may be wrong, or things may change in the future.

If you fail to take care of this, email will bounce and the original sender
may get to know your yahoo address. No problem if that shouldn't be kept
a secret. But there's more:

If you forward spam, and if this spam is reported (for instance to spamcop)
it is your host that ends up blacklisted, not the spammer's hosts.

Good luck,
Alex

Re: Optimize SPF TXT record [ In reply to ]
On Sunday 14 January 2007 20:54, Scott Kimler wrote:
> LOL ... I'm so frustrated that I never bothered to proof-read my previous
> post and missed:
>
> 1) The SPF record which I tested and appears to work (which I'm wondering
> if it's the one I should be using, based on my CURRENT situation): v=spf1
> a mx include:_spf.google.com -all
>
> 2) I went to my host and asked that they make an SPF record for me and
> they did: v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com
> a:siteground126.com a:serv01.siteground126.com mx:randsco.com
> mx:siteground126.com mx:serv01.siteground126.com include:siteground126.com
> include:serv01.siteground126.com ~all
>
Figure out the IP address of the actual mail-servers you use.

Go to http://www.kitterman.com/spf/validate.html

Look at the third test where it asks you to put in an IP address. Try that
record out there with all the IP addresses you know of. You can use online
Dig to find addresses for the servers your ISP gave you:

http://us.mirror.menandmice.com/knowledgehub/tools/dig

If they all come back pass, then you're on the right track.

Scott K

Re: Optimize SPF TXT record [ In reply to ]
On Sunday 14 January 2007 20:43, Scott Kimler wrote:

> Using a hosting provider, I have no real control over what IP address my
> email is sent from -ultimately, THEY determine that (and may change the
> servers, the IP range and server names).

The solution to this is to get them to publish a complete and correct SPF
record that they maintain and you include:.

Scott K

Re: Optimize SPF TXT record [ In reply to ]
I thank everyone for their responses. I do not "blame" anyone for my confusion, though I'm disappointed to be confused. All I really wanted to do is find a way to stop wanker spammers from assuming my domain identity in their spammy email ... not open up a can of worms.

What I've learned so far: there is no optimal SPF record. If I use "a" my host could change servers, if I use "mx" then my host could redesignate servers, if I use "ip4" my host could change IP addresses. SPF records are a non-unique, partial solution to this problem. I get that.

It is becoming obvious that SPF is falling very short of the mark for authenticating email. Authentication tied to IP addresses isn't enough. My host provider has some 150 domains on our server. I have no idea how many shuttle email through the email servers, but it's got to be a bunch of people. So some SPAM operator, hosted by my hosting company, could use a PHONEY@randsco.com email address and blammo ... it'd PASS SPF scrutiny, because we happen to be using the same/shared email servers. (Not to mention the problems with email forwarding).

My frustration stems from the fact that there's no galvanizing answer or way to build an SPF record for someone, like myself, utilizing a hosting provider. It would seem that SPF is a solution mainly geared toward people who DO have control over their internet mail servers. A shame.

What assumptions am I making that are incorrect?

I do not expect my incoming and outgoing email servers to remain the same.
I do not expect my IP addresses to remain the same.
Heck, I do not even expect my server names or server designations to remain the same.

Please help me build an SPF record that stops spammers from stealing my domain's identity!

Re: Optimize SPF TXT record [ In reply to ]
Confused: SPF record for randsco.com DNS? or SPF record for theirMailSever.com DNS?

If the former ... they DID provide one and I listed it in my first email (it has errors)

If the latter ... they've already told me that they were not willing to add an SPF record to the domains that they "included" in that first SPF record

If neither ... please explain

Scott Kitterman <scott@kitterman.com> wrote:

The solution to this is to get them to publish a complete and correct SPF
record that they maintain and you include:.

Scott K

Re: Optimize SPF TXT record [ In reply to ]
On Sun, 2007-01-14 at 22:02 -0800, Scott Kimler wrote:
> I thank everyone for their responses. I do not "blame" anyone for my confusion, though I'm disappointed to be confused. All I really wanted to do is find a way to stop wanker spammers from assuming my domain identity in their spammy email ... not open up a can of worms.
>
> What I've learned so far: there is no optimal SPF record. If I use "a" my host could change servers, if I use "mx" then my host could redesignate servers, if I use "ip4" my host could change IP addresses. SPF records are a non-unique, partial solution to this problem. I get that.
>
> It is becoming obvious that SPF is falling very short of the mark for authenticating email. Authentication tied to IP addresses isn't enough. My host provider has some 150 domains on our server. I have no idea how many shuttle email through the email servers, but it's got to be a bunch of people. So some SPAM operator, hosted by my hosting company, could use a PHONEY@randsco.com email address and blammo ... it'd PASS SPF scrutiny, because we happen to be using the same/shared email servers. (Not to mention the problems with email forwarding).
>
> My frustration stems from the fact that there's no galvanizing answer or way to build an SPF record for someone, like myself, utilizing a hosting provider. It would seem that SPF is a solution mainly geared toward people who DO have control over their internet mail servers. A shame.
>
> What assumptions am I making that are incorrect?
>
Hi Scott
I first set up my SPF record about two years ago. I send all email out
via my ISP mail servers. I asked the ISP for a list of all IP addresses
of its mail servers. They were quite obliging. (I only have 6 regular
users of my email service.)

The resulting txt record is "v=spf1 ip4:203.59.1.195/24 -all"

I have enabled SPF checking on my Postfix server. There are a number of
immediate benefits:
1. Any spammer sending email to me claiming to be someone@kajayr.com is
immediately rejected.
2. Anyone else doing SPF checking can safely reject email from
anyone@kajayr.com which does not arrive via my ISP's mail server.
3. I only accept bounce messages which arrive via my ISP servers, all
others are rejected, leaving the bouncing server to deal with them. This
accounts for all bounces generated by spam email.

I monitor my mail logs regularly, and occasionally check the IP address
of my ISP's mail server. When/if there is a change, I will request an
updated list of the ISP's mail servers.

I hope this will encourage you to persevere with your efforts to set up
your SPF records and do your own checking.

KAJAYR

Re: Optimize SPF TXT record [ In reply to ]
> What I've learned so far: there is no optimal SPF record.

And there couldn't possibly be.

SPF is a mechanism for describing how you send mail. As there is no single
universal way of doing mail services - you send mail in an entirely
different way to me, for example - there can be no single universal
description of the way mail is sent.

> If I use "a"
> my host could change servers, if I use "mx" then my host could
> redesignate servers, if I use "ip4" my host could change IP addresses.

I think you're putting the cart before the horse.

Before getting bogged down in the minutiae of SPF syntax, I think you'd
benefit from writing down - in your own, natural language - how you would
describe your outbound mail systems. Pay particular attention to naming
those servers who *will* be sending on your behalf, those who *won't* be,
and those who might, but also send on behalf of other people.

> SPF records are a non-unique, partial solution to this problem. I get
> that.

No - SPF records are a full solution to the problem they address.
Unfortunately, you're not yet in a position to deal with that problem.

> It is becoming obvious that SPF is falling very short of the mark for
> authenticating email.

Sorry, Scott. That might be obvious to you, but it is not at all obvious
to me.

> Authentication tied to IP addresses isn't enough.

It's not a FUSSP, if that's what you're saying.
http://www.claws-and-paws.com/fussp.html has a form (sadly, already filled
in) which covers a range of explanations of why a FUSSP is not possible...

> My host provider has some 150 domains on our server. I have no idea
> how many shuttle email through the email servers, but it's got to be a
> bunch of people. So some SPAM operator, hosted by my hosting company,
> could use a PHONEY@randsco.com email address and blammo ... it'd PASS
> SPF scrutiny, because we happen to be using the same/shared email
> servers.

This is cross-forgery. And I think you've misunderstood how to tackle it.

- If you suspect a server might be susceptible to such abuse - don't give
it a SPF PASS. I'd give it a SPF NEUTRAL.
- If you have any evidence of cross-forgery occurring, complain to your
provider. Generally speaking, they'll tackle this sort of problem very
quickly - if they don't, you picked the wrong hosting company.
- Mail servers for vanity domains rarely handle much traffic - my
approach is to run mail services from a mail machine physically housed
with the users. There's no need for it to be the same machine as runs the
web site.

> (Not to mention the problems with email forwarding).

Such problems are easily solved - don't forward email. There are very few
reasons to.

> My frustration stems from the fact that there's no galvanizing answer or
> way to build an SPF record for someone, like myself, utilizing a hosting
> provider.

That's like saying that there's no way to build a French sentence to
describe which servers send your email. It's an incorrect statement - but
the problem isn't the language you use to describe the situation (whether
French, English, or SPF), it's the fact that you need to determine what
you want to say before you worry too much about how to say it.

> It would seem that SPF is a solution mainly geared toward
> people who DO have control over their internet mail servers.

Only in as much as those that control their mail servers have more control
over their mail - it's not that SPF only supports them, the reason the
scenario is easier is because they don't have to deal with other people
supplying them incomplete or incorrect information, and they don't have to
deal with other people changing the setup without informing them.

> What assumptions am I making that are incorrect?
>
> I do not expect my incoming and outgoing email servers to remain the
> same.

You *could* ensure that they are. This will mean a little thought, but you
might be able to convert to such a setup for no outlay.

> I do not expect my IP addresses to remain the same.

Which IP addresses? Your mailserver really ought to have a fairly stable
address.

> Please help me build an SPF record that stops spammers from stealing my
> domain's identity!

There are many people here who will help you - but to start with, *you*
need to sit down and write down what you want to say in your record. Then
one of us can help you with the SPF syntax.

Vic.

RE: Optimize SPF TXT record [ In reply to ]
Vic <mailto:spf@beer.org.uk> wrote on Monday, January 15, 2007 5:49 AM:

>> My host provider has some 150 domains on our server. I have no idea
>> how many shuttle email through the email servers, but it's got to be a
>> bunch of people. So some SPAM operator, hosted by my hosting company,
>> could use a PHONEY@randsco.com email address and blammo ... it'd PASS
>> SPF scrutiny, because we happen to be using the same/shared email
>> servers.
>
> This is cross-forgery. And I think you've misunderstood how to tackle it.
>
> - If you suspect a server might be susceptible to such abuse - don't give
> it a SPF PASS. I'd give it a SPF NEUTRAL.

Syntactically, this would be something like:

v=spf1 ?ip4:207.218.208.0/24 -all

(note the "?" that means any IP in that range gets a Neutral result)

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- ...and Adam asked, "What's a Headache?"

~ Taglines by Taglinator - www.srtware.com ~

RE: Optimize SPF TXT record [ In reply to ]
Scott Kimler <mailto:randsco101@yahoo.com> wrote on Monday, January 15,
2007 12:06 AM:

> If neither ... please explain
>
> Scott Kitterman <scott@kitterman.com> wrote:
>
> The solution to this is to get them to publish a complete and correct SPF
> record that they maintain and you include:.

I'm not sure I understand your question, but what Scott was
trying to say was that the ideal solution would be for your ISP
(siteground126.com?) to publish a record for their customers to use via
an include: statement. Like so:

spf.siteground126.com TXT "v=spf1 ... -all"

randsco.com TXT "v=spf1 ?include:spf.siteground126.com -all"

Then if they change mail servers, they change their own SPF record and
that's all that needs to be changed.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- AAcckk!! II''mm iinn hhaallff dduupplleexx!!

~ Taglines by Taglinator - www.srtware.com ~

RE: Optimize SPF TXT record [ In reply to ]
Steve,

Thank you for the explanation. You're right, I did not understand the question.

In an ideal world, that hosting solution would appear to be BEST.

While I could PROPOSE this solution to my hosting provider, I have no real control over (a) whether they DO it nor (b) whether they do it CORRECTLY.

I'm mostly concerned about (b), because my host initially provided me with the following SPF record:

v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com a:siteground126.com a:serv01.siteground126.com mx:randsco.com mx:siteground126.com mx:serv01.siteground126.com include:siteground126.com include:serv01.siteground126.com ~all

It was only after testing it, using Scott Kitterman's tools, that I began to realize that the record was not valid.

Sadly, though my understanding of SPF records is minimal, it is greater than that of my host (and I'm willing to learn). The one person concerned about the sanctity of my domain's name is ME.

Switching hosting providers may be in the offing (this isn't the first time that I've found their technical capabilities lacking). In the meantime, I still need an SPF record that will (hopefully) keep spammers from continuing to sully the randsco.com name.

Cheers,

-stk

Re: Optimize SPF TXT record [ In reply to ]
Vic,

The reason I've concluded that SPF is only a partial solution to the problem is because:

1) For SPF to be a FULL solution, it requires 100% participation. ( I'd be curious to know what the %age participation rate is, currently, if anyone knows this. ) If it's not 100% adopted, it's not a full solution, IMO.

2) SPF is IP-based, matching envelope from domain SPF records (sanctioned IP's) -vs- the actual mail server that sent the mail.

I see several problems with an IP-related technique. Because hosts handle the intricacies of mail server set-up for their clients ... mail server domain names, designations and IP addresses COULD change. If they did, legitimate mail may not reach its destination (unless hosts informed clients of the change, or clients found out about the change and updated their SPF records. Hosts typically don't report changes they make to clients, so they have to find out ... HOW? After an important email fails to reach its destination?)

PLUS, the possibility of (as you call it) "cross-forgery", though (like you say) I don't really think this would be a problem and if I found out, I'd certainly complain and possibly switch hosts. I only mention it as a possibility, plus the concern ... HOW would I find out? Only AFTER someone sends mail to abuse@randsco.com?

3) Possibility of SPAMMER work-around. I have no idea how fool-proof the SPF concept is, but for it to be a FULL solution, spammers couldn't defeat it. (i.e., don't know if it's currently possible, but since the SPF record is public, couldn't a spammer look it up and then spoof emails and also spoof IP addresses within the SPF record?)