
SPF best practices


SPF best practices

freeline
Hello,

I know this topic is not really postfix related but advice would
nevertheless be appreciated.

I'm adding a second mail server to my setup, my domains are
spf-protected by this simple entry:

v=spf1 mx -all

If I add a second DNS A entry for my MX server will this still work or do
I have to list IPs individually? Or should I create multiple MX entries?
The reason I don't want to do that in the first place is that there are
a lot of domains and I'd have to set the entries manually.

Thanks
Volker

Re: SPF best practices

Philip Paeps
On 2017-05-09 14:22:39 (+0200), Volker Cordes <[hidden email]> wrote:
>I know this topic is not really postfix related but advice would
>nevertheless be appreciated.

This is definitely more appropriate for another mailing list.

>I'm adding a second mail server to my setup, my domains are
>spf-protected by this simple entry:
>
>v=spf1 mx -all
>
>If I add a second DNS A entry for my MX server will this still work or do
>I have to list IPs individually? Or should I create multiple MX entries?
>The reason I don't want to do that in the first place is that there are
>a lot of domains and I'd have to set the entries manually.

Note that MX records list servers that *receive* email while SPF records
list servers that *send* email.

As far as SPF is concerned, adding an extra A record to the host pointed
to by the MX record will just work but that's usually not what you want
with respect to your receiving mail servers.  If that server will not be
receiving mail, it's definitely the wrong thing to do.

I prefer to list individual IPs in my SPF records.

If you don't want to maintain many SPF records, look into creating an
_spf.example.com SPF record and including it in your various domains.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
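
Added example, not part of the original post: a simplified SPF evaluator over a constructed in-memory zone, showing that `mx` picks up a second A record on the MX host, while an `include:_spf.example.com` record listing individual IPs authorizes only what it names. The zone data, addresses and the `check_host` helper are assumptions for illustration; only `mx`, `a`, `ip4`, `include` and `all` are handled, with no macros, `redirect` or DNS lookup limit.

```python
import ipaddress

# Constructed zone data (documentation names and addresses, not from the thread).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    # Second A record added to the existing MX host, as asked in the thread.
    ("mail.example.com", "A"): ["192.0.2.10", "192.0.2.11"],
    # Shared record with individual IPs, included from another domain.
    ("_spf.example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"],
    ("example.org", "TXT"): ["v=spf1 include:_spf.example.com -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def a_records(name):
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}

def check_host(ip, domain):
    """Return the SPF result for a connecting IP and a sender domain."""
    addr = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "permerror" if records else "none"
    for term in records[0].split()[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = body.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in a_records(arg or domain)
        elif mech == "mx":
            # Every A record of every MX target is authorized to send.
            matched = any(addr in a_records(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            inner = check_host(ip, arg)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # an inner fail only means "no match" here
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

With this zone, the new address 192.0.2.11 passes for example.com through `mx` but fails for example.org until it is added to the shared `_spf.example.com` record.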

Re: SPF best practices

chaouche yacine
In reply to this post by freeline
Hello Volker,

What you need to do is tell other mail servers that they should accept mail from server2 on behalf of server1.

If server1 is server1.yourdomain.com
and server2 is server2.anotherdomain.com

then you should list anotherdomain.com in your SPF. If server2 doesn't have a domain name, you can add its IP.
If it's already listed in your MX for yourdomain.com, then you don't need to change anything.
If you have an A record for yourdomain.com that points to server2's IP (shouldn't be), you need to add A to your SPF string (v=spf1 mx a ~all).

  -- Yassine.




On Tuesday, May 9, 2017 1:24 PM, Volker Cordes <[hidden email]> wrote:


Hello,

I know this topic is not really postfix related but advice would
nevertheless be appreciated.

I'm adding a second mail server to my setup, my domains are
spf-protected by this simple entry:

v=spf1 mx -all

If I add a second DNS A entry for my MX server will this still work or do
I have to list IPs individually? Or should I create multiple MX entries?
The reason I don't want to do that in the first place is that there are
a lot of domains and I'd have to set the entries manually.

Thanks
Volker



Re: SPF best practices

Scott Kitterman-4
In reply to this post by freeline


On May 9, 2017 8:22:39 AM EDT, Volker Cordes <[hidden email]> wrote:

>Hello,
>
>I know this topic is not really postfix related but advice would
>nevertheless be appreciated.
>
>I'm adding a second mail server to my setup, my domains are
>spf-protected by this simple entry:
>
>v=spf1 mx -all
>
>If I add a second DNS A entry for my MX server will this still work or do
>I have to list IPs individually? Or should I create multiple MX
>entries?
>The reason I don't want to do that in the first place is that there are
>a lot of domains and I'd have to set the entries manually.

The spf-help mailing list would be a much better place to ask this.  See http://www.openspf.org/Forums

Scott K