SPF = Sender Policy Framework

Discussion in 'Plesk for Linux - 8.x and Older' started by Pallieter, Oct 6, 2005.

  1. Pallieter

    We have the latest Plesk running on a Fedora Core 2 server that maintains its own DNS (ns1.machine + ns2.machine) and want to set up SPF records (see: http://spf.pobox.com/ ) for all our domains. Our domains are on the same shared IP address and each use their own pop.domain and smtp.domain to receive/send their email.
     
  2. jamesyeeoc

    If you are running Plesk 7.5.3 or 7.5.4 you can add a TXT record to the domain's DNS in the Plesk Control Panel.

    First go to pobox.com and use their wizard to get the record contents as you wish them to be.

    Then use that when creating the TXT record for the domain.
     
  3. Pallieter

    The wizard is too complex?

    I will send in some suggestions to POBox to improve the wizard - but in the meantime: for the above situation, what would the SPF record be?
     
  4. Pallieter

    Alex from SPF.POBox.com said this:

    > Can you add some sample SPF records
    > and add an image with text that
    > explains the SPF record?

    No pictures, sorry.

    First of all: you probably mean ZONEs where you wrote DOMAINs.
    Example: mail.domain.org is a domain. domain.org is a domain.
    www.domain.org is a domain.
    Only domain.org is a zone. This zone contains all these domains (and possibly more).

    You want to protect domains, not zones.

    Domains are used in:
    MAIL FROM
    HELO or EHLO

    Your mailserver will announce its name on outbound connections. It MUST use its fully qualified domain name (FQDN) when doing so. This name you want to protect, so you're going to have an SPF record for it.

    Then, for each different domain:
    Your mailserver will say "MAIL FROM:<...@....>". The domain name, behind the @, you also want to protect.

    Every domain that has a CNAME record associated with it must NOT have an SPF record. That's something technical, just don't do it. The place where the CNAME record is pointing to does need a record. Example:
    www.domain.org CNAME domain.org. so you do NOT have an SPF record for www.domain.org. and you DO have a record for domain.org.

    So far:

    pop.domain.org. TXT v=spf1 ip4:1.2.3.4 -all
    smtp.domain.org. TXT v=spf1 ip4:1.2.3.4 -all
    domain.org. TXT v=spf1 ip4:1.2.3.4 -all
    etc.
    (of course: use your IP address)

    Most if not all of your records are going to be the same. When the IP address changes, you'd need to alter all records. There's a better solution:

    domain.org. TXT v=spf1 ip4:1.2.3.4 -all
    pop.domain.org. TXT v=spf1 redirect=domain.org
    smtp.domain.org. TXT v=spf1 redirect=domain.org
    mail.other.... TXT v=spf1 redirect=domain.org
    etc.

    Now you need to change only one record and others are changed automatically.

    This should give you an idea. Make sure you understand what you are doing. Do not stop at reading http://spf.pobox.com/ but also read http://spf.pobox.com/mechanisms.html and other useful information on that site.
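
An offline lint for records like the ones discussed in the thread, as an added example that is not part of the original posts: it flags an SPF record on a name that also has a CNAME, a modifier such as redirect written without `=`, and a redirect whose target has no SPF record in the same data. The function names and the sample zone text are constructed for illustration.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}  # modifiers are written name=value

# Constructed sample zone; 1.2.3.4 is the placeholder address used in the thread.
SAMPLE_ZONE = """\
domain.org.       TXT   v=spf1 ip4:1.2.3.4 -all
pop.domain.org.   TXT   v=spf1 redirect=domain.org
smtp.domain.org.  TXT   v=spf1 redirect:domain.org
www.domain.org.   CNAME domain.org.
www.domain.org.   TXT   v=spf1 redirect=domain.org
"""

def parse_zone(text):
    """Return (spf, cnames): owner -> SPF terms, and the set of CNAME owners."""
    spf, cnames = {}, set()
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        owner, rtype = parts[0].rstrip(".").lower(), parts[1].upper()
        terms = parts[2].strip('"').split()
        if rtype == "CNAME":
            cnames.add(owner)
        elif rtype == "TXT" and terms and terms[0].lower() == "v=spf1":
            spf[owner] = terms[1:]
    return spf, cnames

def lint(text):
    """Return sorted (owner, problem) findings for the zone text."""
    spf, cnames = parse_zone(text)
    findings = []
    for owner, terms in spf.items():
        if owner in cnames:
            findings.append((owner, "SPF record on a name that has a CNAME"))
        for term in terms:
            m = re.fullmatch(r"[+\-~?]?([a-z0-9]+)([:=/].*)?", term, re.I)
            name = m.group(1).lower() if m else ""
            sep = (m.group(2) or "")[:1] if m else ""
            if name in MODIFIERS and sep != "=":
                findings.append((owner, f"modifier '{name}' needs '=', got '{term}'"))
            elif name == "redirect":
                target = term.split("=", 1)[1].rstrip(".").lower()
                if target not in spf:
                    findings.append((owner, f"redirect target '{target}' has no SPF record in this zone data"))
            elif name not in MODIFIERS and name not in MECHANISMS:
                findings.append((owner, f"unknown term '{term}'"))
    return sorted(findings)
```

Calling `lint(SAMPLE_ZONE)` reports the colon-style redirect on smtp.domain.org and the SPF record sitting next to the CNAME on www.domain.org; the other three records pass.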
     