SPF - question

[kram@]

Hello All,

I am having a minor problem with SPF, I am quite sure it is a simple config error, that I hope somebody can help me resolve.

Everyday, I receive a set of emails via a forged email address (My own).
I have the following SPF record configured for my domain.

TXT v=spf1 a mx a:webhost.2large.co.za a:webhost2.2large.co.za exists:saix.net -all

Global Server Settings
SPF Checking Mode: Reject Mail when SPF resolves to "soft fail"
SPF guess rules: v=spf1 +a +mx -all

When I visit: http://www.vamsoft.com/spfcheck.asp
To test the SPF record, I enter a bogus server address with a valid email address, and it passes the mail!?

Any suggestions??

 

[Peter (Vamsoft)]

This is because "exists:saix.net" will match always if there is a DNS A record for saix.net (see SPF RFC 4408 section 5.7 "exists"), and there is such record. Due to this, your SPF policy certifies that any IP may send in your name, as long as an A record for saix.net exists. Removing the "exists" part will fix this problem. You can always check the SPF evaluation log on our website (next to the SPF Pass result, there is a "Show/Hide Log" link).

Typically, the argument of an "exists" mechanism is a macro expression, which allows the administrator to set up complex policies, e.g. describing what email addresses are valid for a given domain.

Peter/Vamsoft.com

 

[kram@]

Thanks Peter,

I have made the change as suggested, will do some tests on your site once the DNS updates.