Setting up SPF in Postfix for sending

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Setting up SPF in Postfix for sending

Rob Tanner
I've googled around a quite a bit and while I can find lots of instruction on what I need in order for Postfix to validate incoming mail, I find nothing about what I need to do to make sure Postfix does whatever it needs to do to make sure the MTA receiving the mail validates it.  And the dearth of information in that category also begs the question, is there a special header that Postfix need to include in the message (as in DKIM) or do the receiving MTAs, if they're setup to use SPF just automatically do the DNS lookups?  What is it, besides adding the correct the DNS TXT records, do I need to do on my end.

Thanks,
Rob
Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

Titanus Eramius
Thu, 15 Aug 2013 22:56:53 -0700 skrev Rob Tanner <[hidden email]>:

> I've googled around a quite a bit and while I can find lots of
> instruction on what I need in order for Postfix to validate incoming
> mail, I find nothing about what I need to do to make sure Postfix
> does whatever it needs to do to make sure the MTA receiving the mail
> validates it.  And the dearth of information in that category also

You can't, since it's up to the receiver to do whatever checks they
wish. That includes SPF.

> begs the question, is there a special header that Postfix need to
> include in the message (as in DKIM) or do the receiving MTAs, if
> they're setup to use SPF just automatically do the DNS lookups?  What
> is it, besides adding the correct the DNS TXT records, do I need to
> do on my end.

Nope, nothing to setup in Postfix to support SPF on outgoing mail,
besides making sure the TXT / SPF record matches the sending server. I
tend to simply use "v=spf1 mx -all" since my setup is simple, but you
can see the entire syntax here
http://www.openspf.org/SPF_Record_Syntax

> Thanks,
> Rob

Cheers
Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

Stan Hoeppner
In reply to this post by Rob Tanner
On 8/16/2013 12:56 AM, Rob Tanner wrote:
> I've googled around a quite a bit and while I can find lots of instruction on what I need in order for Postfix to validate incoming mail, I find nothing about what I need to do to make sure Postfix does whatever it needs to do to make sure the MTA receiving the mail validates it.  And the dearth of information in that category also begs the question, is there a special header that Postfix need to include in the message (as in DKIM) or do the receiving MTAs, if they're setup to use SPF just automatically do the DNS lookups?  What is it, besides adding the correct the DNS TXT records, do I need to do on my end.

Nothing else.  Just the TXT record in DNS.  This should have been clear
to you after reading the receiver side requirements, i.e. how the
receiver checks SPF records.

--
Stan


Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

btb-2
In reply to this post by Rob Tanner
On Aug 16, 2013, at 01.56, Rob Tanner <[hidden email]> wrote:

> What is it, besides adding the correct the DNS TXT records

as there is a formal dns rr type for spf defined in rfc4408, you'll of course want to include that as well.

-ben
Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

Scott Kitterman-4


[hidden email] wrote:
>On Aug 16, 2013, at 01.56, Rob Tanner <[hidden email]> wrote:
>
>> What is it, besides adding the correct the DNS TXT records
>
>as there is a formal dns rr type for spf defined in rfc4408, you'll of
>course want to include that as well.

I wouldn't bother. It has only very limited deployment and is proposed for removal in the revision to RFC 4408 that is about to enter IETF last call.

The is, however,  unrelated to postfix.  Either spf-discuss or spf-help would be appropriate. See www.openspf.org/Forums for information about these lists.

Scott K

Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

btb-2
On Aug 16, 2013, at 15.06, Scott Kitterman <[hidden email]> wrote:

> I wouldn't bother. It has only very limited deployment and is proposed for removal in the revision to RFC 4408 that is about to enter IETF last call.

interesting.  thank you for calling attention to this.

-ben
Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

Hans Spaans
In reply to this post by Scott Kitterman-4
Scott Kitterman schreef op 2013-08-16 21:06:

> [hidden email] wrote:
>> On Aug 16, 2013, at 01.56, Rob Tanner <[hidden email]> wrote:
>>
>>> What is it, besides adding the correct the DNS TXT records
>>
>> as there is a formal dns rr type for spf defined in rfc4408, you'll of
>> course want to include that as well.
>
> I wouldn't bother. It has only very limited deployment and is proposed
> for removal in the revision to RFC 4408 that is about to enter IETF
> last call.

You may want to check thread "9.3.3 - SPF record checks" from May 30
2013 on the bind-users mailinglist.

Hans
Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

Scott Kitterman-4
On Saturday, August 17, 2013 12:16:03 Hans Spaans wrote:

> Scott Kitterman schreef op 2013-08-16 21:06:
> > [hidden email] wrote:
> >> On Aug 16, 2013, at 01.56, Rob Tanner <[hidden email]> wrote:
> >>> What is it, besides adding the correct the DNS TXT records
> >>
> >> as there is a formal dns rr type for spf defined in rfc4408, you'll of
> >> course want to include that as well.
> >
> > I wouldn't bother. It has only very limited deployment and is proposed
> > for removal in the revision to RFC 4408 that is about to enter IETF
> > last call.
>
> You may want to check thread "9.3.3 - SPF record checks" from May 30
> 2013 on the bind-users mailinglist.

He's wrong about what most SPF libraries do.  Most don't query for the RR type
at all, but we'll see how the IETF last call works out.  It is a matter of
some controversy.

Thanks,

Scott K
Reply | Threaded
Open this post in threaded view
|

Re: Setting up SPF in Postfix for sending

Michael Grimm
In reply to this post by Titanus Eramius
On 16.08.2013, at 08:50, Titanus Eramius <[hidden email]> wrote:

[DNS]

> I tend to simply use "v=spf1 mx -all" since my setup is simple, but you
> can see the entire syntax here http://www.openspf.org/SPF_Record_Syntax

Hmm, I used to have just that configuration in my DNS for more than a year,
but very recently I got some rejections upon delivery of mails from my
published mx records (mx1.my-domain.tld and mx2.my-domain.tld) in DNS stating:

| An SPF-enabled mail server rejected a message from a mail server claiming
| to be mx1.my-domain.tld.
|
| An SPF-enabled mail server received a message from mx1.my-domain.tld (1.2.3.4)
| from a mail server claiming to be mx1.my-domain.tld.
|
| The domain mx1.my-domain.tld has not published an SPF policy. It is possible
| that the receiving mail server refuses all mail from domains that do not have
| an SPF policy.

I do understand http://www.openspf.org/SPF_Record_Syntax that the "mx" in
"v=spf1 mx -all" will tell: "Accept mail from *any* published mx of a given
domain", right?

For he time being (before I really do understand SPF) I'm back to run DNS
without SPF, shrug.

Regards,
Michael