Re: PTR Records

Thanks for the info, Hector. I do appreciate your help!

"Hector Santos" <nospamhere@xxxxxxxxxxxxxx> wrote in message
news:e3kIV2R9FHA.636@xxxxxxxxxxxxxxxxxxxxxxx
> MC,
>
> As an author of a SMTP package and an early adopter of SPF, I offer this
> advice:
>
> If you have just two sending machines, then that's all you need in your
> SPF
> records for the email domain: cowetaschools.net
>
> v=spf1 ip4:exch2000_machine_ip1 ip4:exch2000_ip1 -a
>
> You do the SPF world a big favor by offering a lower overhead IP4
> resolution, rather than having A, MX, PTR lookups if you don't have to.
> The
> more direct the better.
>
> The -a is a hard pass/fail result, offers the most optimal spoof
> protection.
>
> But you can run into forwarding problems if the sending machines are known
> to be sending to forwarding or relay machines or your users use aliases
> name, you can have this problem.
>
> So the relaxation is a softfail (~a) or neutral (?a) results. This is
> ok, but keep in mind this puts wasted overhead pressure on SPF receiver
> machines who do this check only to end up with a wasted result since a
> SOFTFAIL or NEUTRAL will keep any additional checking using other email
> security techniques activated.
>
> In addition, spammers have long learned to exploit relaxed SPF policy
> domains. In other words, they will continue to use your domain with its
> relaxed SPF policy, but not mine since we use exclusive,hard SPF PASS/FAIL
> policy.
>
> As sending machines, IDEALLY, each should have its own unique A/PTR pair
> of
> records.
>
> dewey1
> dewey2
>
> You can use just "dewey" but then you need to make sure that you have two
> A
> records and two PTR records.
>
> However, using dewey, conflicts with the MX record you currently have
> "dewey.cowetaschools.net" which you say is a different RECEIVE Only
> machine. Not sender.
>
> So you should use another host name, and the most common is to use "mail."
>
> So you have 3 machines IP1, IP2, IP3, where IP3 is the receiver only. IP1
> and IP2 is the sender only:
>
> cowetaschools.net --> MX record mail.cowetaschools.net
> mail.cowetaschools.net --> A record for IP3
> dewey1.cowetaschools.net --> A record for IP1
> dewey2.cowetaschools.net --> A record for IP2
>
> finally, to complete the SPF picture:
>
> The SPF record above is for the email domain, cowetaschools.net.
>
> You should also have one for each CLIENT machine host name:
>
> For dewey1.cowetaschools.net:
>
> v=spf1 ip4:ip1_address -a
>
> For dewey2.cowetaschools.net:
>
> v=spf1 ip4:ip2_address -a
>
> That's the skinny. Hope this helps.
>
> ---
> Hector Santos
> Santronics Software, Inc.
> http://www.santronics.com
> http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
> http://www.winserver.com/spamstats (WcSAP Anti-Spam Stats)
>
>
> "MC" <mccato@xxxxxxxxxxx> wrote in message
> news:OjxjAhR9FHA.2696@xxxxxxxxxxxxxxxxxxxxxxx
>> I'm sorry to be so difficult, and I really appreciate you sticking with
>> me
>> on this! The name change was a goof - I used the wrong IP. Were are you
>> seeing that? Maybe I can check that for myself next time. Hopefully
>> that's
>> corrected now.
>>
>> We don't send mail as the other domain names - we just receive mail as
> them.
>> Mail only goes out as cowetaschools. net; so do I still need an SPF
>> record
>> for those domains? This got really confusing when the domain was set up
>> as
>> .net but someone decided we needed to be able to receive email as .org,
> too.
>> They added the .com just for kicks, I guess.
>>
>> Thanks
>>
>> "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in message
>> news:eBd1OTR9FHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
>> > MC <mccato@xxxxxxxxxxx> wrote:
>> >> Sorry, yes, we have 3 mail servers. But dewey is the only server that
>> >> receives mail for our domain. The other ones (Exchange 2000) send
>> >> mail, though. Does that complicate matters?
>> >
>> > Yes, it does complicate matters, and is at least one reason why your
>> > having
>> > trouble with AOL and Compuserve, the SPF should fix that. Just make
>> > sure
>> > you
>> > have a SPF record for all hosted mail domains.
>> >
>> > Now it looks like you changed the HELO name of the mail server, you
>> > need
>> > to
>> > change that back to dewey.cowetaschools.net. It is very important this
> be
>> > done just right, or you'll have the same problems you've had in the
> past.
>> > See:
>> > dewey.cowetaschools.net claims to be host cowetaschools.net [but that
> host
>> > is at 168.9.128.18, not 168.9.128.29].
>> >
>> >
>> >> I did include all of them
>> >> in the SPF record; but I didn't include any PTR info in the SPF
>> >> record. Should I include that?
>> >
>> > Any mail server that sends mail for your domains needs to be in the SPF
>> > and
>> > have a PTR. The SPF needs to be added to all your domains, not just the
>> > default domain. Any domain name that these mail servers send mail for
>> > needs
>> > the same SPF record.
>> >
>> > It looks like you only added one SPF record. Add the SPF to the rest of
>> > the
>> > domains, use the same text in each SPF.
>> >
>> >> Since only dewey receives mail, I
>> >> should just leave the one MX record, right?
>> >
>> > If dewey is the only server that recives mail it should be the only MX.
>> >
>> >
>> >
>> >
>> > --
>> > Best regards,
>> > Kevin D. Goodknecht Sr. [MVP]
>> > Hope This Helps
>> > ===================================
>> > When responding to posts, please "Reply to Group"
>> > via your newsreader so that others may learn and
>> > benefit from your issue, to respond directly to
>> > me remove the nospam. from my email address.
>> > ===================================
>> > http://www.lonestaramerica.com/
>> > http://support.wftx.us/
>> > https://secure.lsaol.com/
>> > ===================================
>> > Use Outlook Express?... Get OE_Quotefix:
>> > It will strip signature out and more
>> > http://home.in.tum.de/~jain/software/oe-quotefix/
>> > ===================================
>> > Keep a back up of your OE settings and folders
>> > with OEBackup:
>> > http://www.oehelp.com/OEBackup/Default.aspx
>> > ===================================
>> >
>> >
>>
>>
>


.

Relevant Pages

  • Re: PTR Records
    ... If you have just two sending machines, then that's all you need in your SPF ... >>> Sorry, yes, we have 3 mail servers. ...
    (microsoft.public.windows.server.dns)
  • SMTP "authentication" (was: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky)
    ... > SMTP authentication will likely cut this stuff down to a trickle ... I really think you (and all the SPF, ... quickly get the ISPs to shut those machines down because we can prove ... salient point that the ISPs have entirely failed to ...
    (Full-Disclosure)
  • Re: PTR Records
    ... > As an author of a SMTP package and an early adopter of SPF, ... > But you can run into forwarding problems if the sending machines are ... > The SPF record above is for the email domain, ... please direct all replies ONLY to the Microsoft public newsgroup ...
    (microsoft.public.windows.server.dns)
  • Re: How to implement SPF
    ... > I have been asked to add a specific SPF entry to my dns ... > sending email on behalf of us. ... Will I have to add an SPF record for my ... If you do not have your mail server listed in the SPF record, ...
    (microsoft.public.win2000.dns)
  • Re: SPF record question
    ... > inclined to say that it will hardly help in reducing spam ... mail server that is valid to receive mail for the mail domain if SPF is ... effort by mail server administrators to not only enforce SPF, ... The biggest problem is that much of the bulk unsolicited email originates ...
    (microsoft.public.windows.server.dns)
Loading