Setting up SPF on shared hosting
February 3, 2006 8:09 AM   Subscribe

An AskMefi question today about joe-job spam has me interested in setting up a preventative SPF record for my business server, which is a hosted domain at Dreamhost. However I do all my mail through my home DSL, connecting via SMTP to my domain at Dreamhost. Is an SPF record a viable solution? Can I put in a range of my ISP's addresses to whitelist them in SPF?

I looked at OpenSPF's wizard and am overwhelmed by all the mx, ptr, a:, ip4:, etc questions it asks; it looks too dangerous to mess around with. I tried the Dreamhost support boards but questions about SPF there are unanswered; their Wiki is nonspecific. I also wonder how long it takes for a change to propagate, in case my server moves.
posted by hodyoaten to Computers & Internet (4 answers total)
The IP address range for DSL connections from your home ISP isn't an issue as long as you aren't running your own mailserver at the end of your DSL connection.

If I were you, I wouldn't worry about IP#s at all. Most of what you need to do with SPF can be done using hostnames and domain names.

This is my SPF record:

"v=spf1 a mx ptr a:relay.pair.com a:uinus.pair.com a:mail.oz.net include:oz.net include:pair.com ?all"

Broken down:
"a:relay.pair.com a:uinus.pair.com a:mail.oz.net"

My web and e-mail host is pair.com. Their primary server for outgoing mail is relay.pair.com, but there was a possibility that mail could go out from the machine hosting my website (uinus).

My ISP is oz.net. When I send mail from home, my mail client is set to use mail.oz.net as its SMTP server.

Next up "include:oz.net include:pair.com"
This is a catchall because I was too lazy to track down the other servers that might be used if, for example, I used webmail at oz or pair.

Finally: "?all" means that this SPF record doesn't necessarily represent all the machines that can convey mail for geekfun.com. Interpretation is left up to the receiving e-mail server. My intent here is to signal that while mail matching this SPF record is likely to be legit, mail that doesn't match isn't necessarily bogus.

This isn't the tightest SPF record, there are various ways that it can be abused, but to the extent receivers are paying attention to SPF records, it reduces the opportunity for random abuse of geekfun.com as a forged sender address.

Why don't you take your best stab at an SPF record with the OpenSPF wizard and post it here if you want a second opinion on what it will do. It isn't going to have any effect until you manually add it to your DNS anyway.
posted by Good Brain at 8:44 AM on February 3, 2006


SPF is just a different kind of DNS record. IP addresses are A records; nameservers are listed with NS records. SPF uses a TXT record, which is sort of a generic catchall. So the 'length of time to update' depends purely on how long you set your DNS cache time to be. Generally, I shorten my TTL (time to live) to about 30 minutes before making a major change... and wait long enough for that change to propagate. (In other words, if your normal timeout is a week.... set it to 30 minutes a week before making any major changes.)

Since you're sending all your mail through a specific machine... if that machine is also receiving your mail, you might be able to get away with this line:

$ORIGIN yourdomain.com.
@ IN TXT "v=spf1 mx"


(The @ sign is a shortcut for 'yourdomain.com'.... @ is whatever the $ORIGIN is presently set to. $ORIGIN is handy, look it up if you manually edit zone files. Note: the trailing period after .com is absolutely crucial. If you are editing the zone file yourself, you must include it. This is a general DNS thing, not a specific SPF requirement.... a trailing period means an 'absolute' address. Leaving the period off implies a 'relative' address.... so the current $ORIGIN is tacked onto the end.)

This SPF record means: "any server listed in my DNS with an MX (mailserver) record is allowed to send mail".

As long as you route all mail for the domain through your listed mailservers, that line should work fine. If you change mailservers, just change or add MX records. Make sure, however, that you only list real mailservers this way, or you could lose data.

If you need to be able to send from hosts that can't receive mail, you'll need more advanced syntax. But from the sound of it, that line might be enough for you.
posted by Malor at 9:30 AM on February 3, 2006
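The two records discussed above (Good Brain's multi-mechanism record with "?all" and Malor's bare "v=spf1 mx") can be evaluated the way a receiving server would. What follows is an added example, not code from this thread or from any SPF library: a small Python evaluator modelled on the check_host() procedure in RFC 7208, run against a constructed in-memory DNS table. Every address, MX name, PTR entry and the oz.net / pair.com / example.com records are made up for the illustration and do not describe the real zones; the ptr mechanism is evaluated as forward-confirmed reverse DNS, and the exists mechanism and AAAA lookups are left out.

```python
"""Minimal SPF evaluator modelled on RFC 7208 check_host(), over an in-memory DNS table.
Added example, not from the thread or any SPF library; all DNS data is constructed."""
import ipaddress

# Constructed DNS table: name -> {record type: [values]}.  PTR data is keyed by the
# literal IP string to keep the example small.  Nothing here describes real zones.
DNS = {
    "geekfun.com": {"A": ["192.0.2.10"], "MX": ["mx.geekfun.com"],
                    "TXT": ["v=spf1 a mx ptr a:relay.pair.com a:uinus.pair.com "
                            "a:mail.oz.net include:oz.net include:pair.com ?all"]},
    "mx.geekfun.com": {"A": ["192.0.2.20"]},
    "relay.pair.com": {"A": ["198.51.100.5"]},
    "uinus.pair.com": {"A": ["198.51.100.6"]},
    "mail.oz.net": {"A": ["203.0.113.25"]},
    "203.0.113.25": {"PTR": ["mail.oz.net"]},
    "oz.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "pair.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    # The bare "v=spf1 mx" record from the second answer, and the same with -all.
    "example.com": {"MX": ["mail.example.com"], "TXT": ["v=spf1 mx"]},
    "strict.example.com": {"MX": ["mail.example.com"], "TXT": ["v=spf1 mx -all"]},
    "mail.example.com": {"A": ["192.0.2.40"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def ip_matches(ip, addrs, cidr):
    """True if ip is inside any addr/cidr (A records only); cidr None means the exact host."""
    prefix = cidr or "32"
    return any(ip in ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs)


def parse_term(term):
    """'~a:host/24' -> ('~', 'a', 'host', '24'); '-all' -> ('-', 'all', '', None)."""
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    mech, _, arg = term.partition(":")
    cidr = None
    if mech.lower() not in ("ip4", "ip6"):  # ip4/ip6 keep their prefix inside arg
        if "/" in arg:
            arg, cidr = arg.split("/", 1)
        elif "/" in mech:
            mech, cidr = mech.split("/", 1)
    return qual, mech.lower(), arg, cidr


def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    ip = ipaddress.ip_address(ip)
    if depth > 10:  # crude stand-in for the RFC limit of ten DNS-querying terms
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none" if depth == 0 else "permerror"  # include: of a non-SPF domain
    if len(records) > 1:
        return "permerror"  # two SPF records are an error, not a merge
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term:  # a modifier; only redirect= changes the result here
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qual, mech, arg, cidr = parse_term(term)
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_matches(ip, lookup(target, "A"), cidr)
        elif mech == "mx":
            matched = any(ip_matches(ip, lookup(mx, "A"), cidr) for mx in lookup(target, "MX"))
        elif mech == "ptr":  # forward-confirmed reverse name under the target domain
            matched = any((n == target or n.endswith("." + target))
                          and ip_matches(ip, lookup(n, "A"), None)
                          for n in lookup(str(ip), "PTR"))
        elif mech == "include":
            sub = check_host(str(ip), arg, depth + 1)
            if sub == "permerror":
                return sub
            matched = sub == "pass"  # include: matches only on a pass
        else:
            return "permerror"  # unknown mechanism (exists: left out for brevity)
        if matched:
            return QUALIFIERS[qual]
    return check_host(str(ip), redirect, depth + 1) if redirect else "neutral"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.25", "geekfun.com"), ("203.0.113.77", "geekfun.com"),
                    ("192.0.2.99", "geekfun.com"), ("192.0.2.40", "example.com"),
                    ("192.0.2.99", "example.com"), ("192.0.2.99", "strict.example.com")]:
        print(f"{ip:>14} as {dom:<19} -> {check_host(ip, dom)}")
```

Running it shows what the qualifier buys you: a sender that matches none of the mechanisms gets neutral from "v=spf1 mx" (the record simply ends without an all term) and neutral again from the "?all" record, which most receivers treat about the same as having no record at all, while "v=spf1 mx -all" produces fail for the same sender. It also shows the include: chain doing real work: 203.0.113.77 is not any named host, but passes for geekfun.com because the constructed oz.net record authorises its whole /24.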


Unless you're planning on using "-all" (and not "~all") I wouldn't bother with SPF. Its usefulness has been way overhyped, and several very large mail service providers that have had SPF records for years have actually stopped publishing them recently as a sign of their dissatisfaction with Meng Wong and the whole situation.
posted by Rhomboid at 8:50 PM on February 3, 2006


SPF is very useful if you ever try to send mail to someone with, say, a Hotmail account.
posted by kindall at 10:29 PM on February 3, 2006

