Kenneth Roberts | 18 Jul 19:12

Who is Designated in SPF Record

I am having a little problem understanding who is supposed to be 
designated in the SPF record. Is it:

    - all hosts in that domain who are authorized to send email?

    - or the email server that they are authorized to use?

kr

Rob MacGregor | 19 Jul 20:26

Re: Who is Designated in SPF Record

On Fri, Jul 18, 2008 at 18:13, Kenneth Roberts <kr <at> ibn2.com> wrote:
> I am having a little problem understanding who is supposed to be designated
> in the SPF record. Is it:
>
>   - all hosts in that domain who are authorized to send email?
>
>   - or the email server that they are authorized to use?

All the mail servers that send mail on behalf of the domain.

-- 
Rob MacGregor
 Whoever fights monsters should see to it that in the process he
 doesn't become a monster. Friedrich Nietzsche

Kenneth Roberts | 19 Jul 22:53

Re: Who is Designated in SPF Record

We initially set up our SPF records by listing the ip addresses of all 
of the email servers that sent mail for each domain but our mail was 
bounced.

Our email servers are multi-homed and NAT, therefore the actual internal 
IP address on the server is translated to one of 3 actual public 
addresses for outgoing mail delivery.

The WAN side addresses were included in our SPF records, but our mail is 
failing.  What have we done wrong?

Kenn

Rob MacGregor wrote:

>On Fri, Jul 18, 2008 at 18:13, Kenneth Roberts <kr <at> ibn2.com> wrote:
>
>>I am having a little problem understanding who is supposed to be designated
>>in the SPF record. Is it:
>>
>>  - all hosts in that domain who are authorized to send email?
>>
>>  - or the email server that they are authorized to use?
>
>All the mail servers that send mail on behalf of the domain.

Rob MacGregor | 19 Jul 23:13

Re: Who is Designated in SPF Record

On Sat, Jul 19, 2008 at 21:53, Kenneth Roberts <kr <at> ibn2.com> wrote:
> We initially set up our SPF records by listing the ip addresses of all of
> the email servers that sent mail for each domain but our mail was bounced.
>
> Our email servers are multi-homed and NAT, therefore the actual internal IP
> address on the server is translated to one of 3 actual public addresses for
> outgoing mail delivery.
>
> The WAN side addresses were included in our SPF records, but our mail is
> failing.  What have we done wrong?

Without the name of the domain, and one of those bounce messages (in
full) there's no way of knowing.

-- 
Rob MacGregor
 Whoever fights monsters should see to it that in the process he
 doesn't become a monster. Friedrich Nietzsche

Frank Ellermann | 19 Jul 21:38

Re: Who is Designated in SPF Record

Kenneth Roberts wrote:

> I am having a little problem understanding who is supposed to
> be designated in the SPF record.

Rob already answered your question, and it should be obvious:

A receiver gets MAIL FROM you, allegedly.  The only reliable 
info from the receiver's POV is the sending IP, and your SPF
record when you publish a policy.  

Therefore your SPF record has to permit all IPs really sending
MAIL FROM you, from a receiver's POV.  You can permit more IPs,
e.g., if that simplifies your SPF record, but not less.

 Frank

Kenneth Roberts | 19 Jul 23:31

Re: Re: Who is Designated in SPF Record

Frank:

    Thank you for your response. I have provided below more information 
pertaining to our SPF problem.

Kenn  

Frank Ellermann wrote:

>Kenneth Roberts wrote:
>
>>I am having a little problem understanding who is supposed to
>>be designated in the SPF record.
>
>Rob already answered your question, and it should be obvious:
>
>A receiver gets MAIL FROM you, allegedly.  The only reliable 
>info from the receiver's POV is the sending IP,
>
What is the sending IP, the address of the email server or the address 
of the host originating the mail?

>and your SPF
>record when you publish a policy.

Rob MacGregor | 20 Jul 00:24

Re: Re: Who is Designated in SPF Record

On Sat, Jul 19, 2008 at 22:31, Kenneth Roberts <kr <at> ibn2.com> wrote:
>
> What is the sending IP, the address of the email server or the address of
> the host originating the mail?

The mail server.  If the recipient server is B and your server is A,
then server B is only validating the IP address of server A.

> We publish a policy that listed the WAN IP addresses of our multi-homed NAT
> email server and our mail bounced.

And the full bounce message would be?

-- 
 Please keep list traffic on the list.

Rob MacGregor
 Whoever fights monsters should see to it that in the process he
 doesn't become a monster. Friedrich Nietzsche

Frank Ellermann | 20 Jul 02:02

Re: Who is Designated in SPF Record

Kenneth Roberts wrote:

> What is the sending IP, the address of the email server
> or the address of the host originating the mail?

You need all IPs of hosts talking to me when you send
mail to me.  You have already found out that these IPs
must be public IPs, not the private IPs behind NAT in
a LAN.

After that it depends, if you send mails always using
one mail provider, e.g., Google Apps, then you need
the sending IPs of Google Apps.  They make that easy,
you can include their policy in your policy, compare
<http://www.openspf.org/Frank_Ellermann/Google>

Extending that example, maybe you sometimes also send
mails directly from your "originating hosts" without
using a mail provider such as Google Apps.

Then you'd add the IPs of these hosts to your record.
Because you are in a NATted LAN you'd use the public
IP(s) of this LAN.  If this public IP changes often
you likely use DynDNS or a similar provider for your
domain.  Then you can write a:your.domain.example in
your SPF record, that covers the public address(es)
of your domain, IPv4 and IPv6.

Putting it all together (Google Apps and your hosts)
you could arrive at (TXT for your.domain.example.):