SPF: How to..

  • sdjl
    Senior Member
    • Mar 2004
    • 502

    SPF: How to..

    I thought I'd give something back to the community here at Dathorn, and what better to give than a basic tutorial on how to set up an SPF record for any of your accounts that you're hosting.

    In a nutshell, what does SPF do? (link)
    Suppose a spammer forges a hotmail.com address and tries to spam you.

    He connects from somewhere other than hotmail.

    When his message is sent, you see MAIL FROM: forged_address@hotmail.com, but you don't have to take his word for it. You can ask Hotmail if the IP address comes from their network.

    (In this example) Hotmail publishes an SPF record. That record tells you (your computer) how to find out if the sending machine is allowed to send mail from Hotmail.

    If Hotmail says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it's a forgery. That's how you can tell it's probably a spammer.

    Sounds quite simple, doesn't it! It really is quite easy to set up an SPF record too. Provided you have DNS control over the domain names that you host, it's as easy as adding a simple line to the zone file via WHM.
    On to the juicy bit...

    The hardest part about creating an SPF record is working out the right combination of letters and words to portray the right message to the mail servers that your domain names send email to.
    This is where I would like to present OpenSPF. They provide an easy-to-use wizard which helps in the creation of an SPF record.

    If I use the wizard from OpenSPF, I get the following for my domain name:
    Code:
    "v=spf1 a mx include:easydns.com ~all"
    Ok, so what does this code actually mean?
    This is how OpenSPF explains it (the easiest explanation I've found!)


    So what do those characters before "all" represent?

    - fail: this indicates that if none of the preceding mechanisms match, the email should be refused, as it comes from an invalid mailserver

    ~ softfail: this still indicates a fail, but that the email should not be refused on that basis but rather flagged as having failed the SPF check. This is useful for "rollout," the early stages of implementing SPF when the domain holder is not entirely sure how it is going to work, or for sorting failed email into a different folder.

    ? neutral: this indicates that SPF is being checked for reasons other than blocking email, and that nothing different should be done with the email on the basis of passing or failing the SPF check. It may be checked for statistics or other analysis, or it may be acted on by a subsequent process like the mail reader, but the mailserver itself does nothing differently based on the results of the SPF check.

    I still have my SPF record set up with a ~ as I'm still "rolling" this out!

    So where do I add this SPF text record?
    This part's the easy bit; you need to have DNS zone editing enabled in WHM first though.
    Once that is done, you need to click on "Edit DNS Zone" from the navigation menu.
    Choose the domain name which you would like to add your SPF text record to and then click submit.
    Scroll right to the bottom where you should have some empty text fields and simply add your record in the same manner as this image shows. (Remember those " quote " tags around the record!)


    All you have to do now is click save and you're done.

    To test your SPF record, go to the following URL and email one of the automated email checkers: http://www.openspf.org/faq.html#checkers

    I'm sorry for it being such a long post, but I always like to understand how something works before implementing it.

    Comments and suggestions are welcomed.

    David
    -----
    Do you fear the obsolescence of the metanarrative apparatus of legitimation?
  • sdjl
    Senior Member
    • Mar 2004
    • 502

    #2
    I forgot to mention in the above thread that you can quite easily edit your zone templates to include a basic SPF record for new accounts created.

    I use this in my "standard zone template".
    Code:
    %domain%. IN TXT "v=spf1 a mx ~all"
    Good luck

    David
    -----
    Do you fear the obsolescence of the metanarrative apparatus of legitimation?

    • mdmcginn
      Junior Member
      • Mar 2004
      • 22

      #3
      Thanks! I used your example.

      I found that "v=spf1 a mx mx:cpanelxx.gzo.com ~all" worked best for me, since I only use my Dathorn SMTP mailservers, not my ISP's, and the cpanel server name is what appears in mail headers for all my domains.
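
An added example, not part of any post in this thread: a small Python parser that splits the three SPF records quoted above into qualifier and mechanism, reports the result attached to `all`, and counts the terms that cost a DNS query (RFC 7208 caps those at 10 per check). The names `parse_spf` and `THREAD_RECORDS` are assumptions of this example, and no DNS queries are made.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that trigger a DNS query. Only this record's own terms are counted;
# records pulled in via include/redirect add their own on top.
DNS_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
KNOWN = DNS_TERMS | {"all", "ip4", "ip6", "exp"}

# The three records quoted in this thread (posts #1, #2 and #3).
THREAD_RECORDS = [
    '"v=spf1 a mx include:easydns.com ~all"',
    '"v=spf1 a mx ~all"',
    '"v=spf1 a mx mx:cpanelxx.gzo.com ~all"',
]


def parse_spf(txt):
    """Return (terms, all_result, dns_lookups, problems) for one TXT string."""
    parts = txt.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], None, 0, ["record does not start with v=spf1"]
    terms, all_result, lookups, problems = [], None, 0, []
    for raw in parts[1:]:
        qualifier, term = "+", raw           # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = term
        for sep in ":=/":                    # name ends at the first separator
            name = name.split(sep, 1)[0]
        value = term[len(name):].lstrip(":=")
        name = name.lower()
        if name not in KNOWN:
            problems.append(f"unknown term: {raw}")
        elif all_result is not None and name != "exp":
            problems.append(f"{raw} follows 'all' and is never evaluated")
        else:
            lookups += name in DNS_TERMS
            if name == "all":
                all_result = QUALIFIERS[qualifier]
            terms.append((QUALIFIERS[qualifier], name, value))
    if all_result is None and not any(n == "redirect" for _, n, _ in terms):
        problems.append("no 'all' term: unmatched senders get 'neutral'")
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return terms, all_result, lookups, problems


if __name__ == "__main__":
    for record in THREAD_RECORDS:
        terms, policy, lookups, problems = parse_spf(record)
        print(record, "->", policy, f"({lookups} DNS terms)", problems or "ok")
```
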
