Re: PTR Records



MC,

As an author of an SMTP package and an early adopter of SPF, I offer this
advice:

If you have just two sending machines, then that's all you need in your SPF
records for the email domain: cowetaschools.net

v=spf1 ip4:exch2000_machine_ip1 ip4:exch2000_ip1 -a

You do the SPF world a big favor by offering a lower overhead IP4
resolution, rather than having A, MX, PTR lookups if you don't have to. The
more direct the better.

The -a is a hard pass/fail result; it offers the most optimal spoof protection.

But you can run into forwarding problems if the sending machines are known
to be sending to forwarding or relay machines, or if your users use alias
names.

So the relaxation is a softfail (~a) or neutral (?a) result. This is
ok, but keep in mind this puts wasted overhead pressure on SPF receiver
machines who do this check only to end up with a wasted result, since a
SOFTFAIL or NEUTRAL will keep any additional checking using other email
security techniques activated.

In addition, spammers have long learned to exploit relaxed SPF policy
domains. In other words, they will continue to use your domain with its
relaxed SPF policy, but not mine, since we use an exclusive, hard SPF PASS/FAIL
policy.

As sending machines, IDEALLY, each should have its own unique A/PTR pair of
records.

dewey1
dewey2

You can use just "dewey" but then you need to make sure that you have two A
records and two PTR records.

However, using dewey conflicts with the MX record you currently have,
"dewey.cowetaschools.net", which you say is a different RECEIVE Only
machine, not a sender.

So you should use another host name, and the most common is to use "mail."

So you have 3 machines, IP1, IP2 and IP3, where IP3 is the receiver only and
IP1 and IP2 are the senders only:

cowetaschools.net --> MX record mail.cowetaschools.net
mail.cowetaschools.net --> A record for IP3
dewey1.cowetaschools.net --> A record for IP1
dewey2.cowetaschools.net --> A record for IP2

finally, to complete the SPF picture:

The SPF record above is for the email domain, cowetaschools.net.

You should also have one for each CLIENT machine host name:

For dewey1.cowetaschools.net:

v=spf1 ip4:ip1_address -a

For dewey2.cowetaschools.net:

v=spf1 ip4:ip2_address -a

That's the skinny. Hope this helps.

---
Hector Santos
Santronics Software, Inc.
http://www.santronics.com
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats (WcSAP Anti-Spam Stats)


"MC" <mccato@xxxxxxxxxxx> wrote in message
news:OjxjAhR9FHA.2696@xxxxxxxxxxxxxxxxxxxxxxx
> I'm sorry to be so difficult, and I really appreciate you sticking with me
> on this! The name change was a goof - I used the wrong IP. Where are you
> seeing that? Maybe I can check that for myself next time. Hopefully that's
> corrected now.
>
> We don't send mail as the other domain names - we just receive mail as them.
> Mail only goes out as cowetaschools.net; so do I still need an SPF record
> for those domains? This got really confusing when the domain was set up as
> .net but someone decided we needed to be able to receive email as .org, too.
> They added the .com just for kicks, I guess.
>
> Thanks
>
> "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in message
> news:eBd1OTR9FHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
> > MC <mccato@xxxxxxxxxxx> wrote:
> >> Sorry, yes, we have 3 mail servers. But dewey is the only server that
> >> receives mail for our domain. The other ones (Exchange 2000) send
> >> mail, though. Does that complicate matters?
> >
> > Yes, it does complicate matters, and is at least one reason why you're
> > having trouble with AOL and Compuserve; the SPF should fix that. Just make
> > sure you have an SPF record for all hosted mail domains.
> >
> > Now it looks like you changed the HELO name of the mail server; you need
> > to change that back to dewey.cowetaschools.net. It is very important this
> > be done just right, or you'll have the same problems you've had in the
> > past. See:
> > dewey.cowetaschools.net claims to be host cowetaschools.net [but that host
> > is at 168.9.128.18, not 168.9.128.29].
> >
> >
> >> I did include all of them
> >> in the SPF record; but I didn't include any PTR info in the SPF
> >> record. Should I include that?
> >
> > Any mail server that sends mail for your domains needs to be in the SPF
> > and have a PTR. The SPF needs to be added to all your domains, not just
> > the default domain. Any domain name that these mail servers send mail for
> > needs the same SPF record.
> >
> > It looks like you only added one SPF record. Add the SPF to the rest of
> > the domains, use the same text in each SPF.
> >
> >> Since only dewey receives mail, I
> >> should just leave the one MX record, right?
> >
> > If dewey is the only server that receives mail it should be the only MX.
> >
> >
> >
> >
> > --
> > Best regards,
> > Kevin D. Goodknecht Sr. [MVP]
> > Hope This Helps
> > ===================================
> > When responding to posts, please "Reply to Group"
> > via your newsreader so that others may learn and
> > benefit from your issue, to respond directly to
> > me remove the nospam. from my email address.
> > ===================================
> > http://www.lonestaramerica.com/
> > http://support.wftx.us/
> > https://secure.lsaol.com/
> > ===================================
> > Use Outlook Express?... Get OE_Quotefix:
> > It will strip signature out and more
> > http://home.in.tum.de/~jain/software/oe-quotefix/
> > ===================================
> > Keep a back up of your OE settings and folders
> > with OEBackup:
> > http://www.oehelp.com/OEBackup/Default.aspx
> > ===================================
> >
> >
>
>

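The following is an added example, not code from the post or from Santronics Software. It shows how a receiver evaluates the records Hector lays out above (ip4 mechanisms, the a and mx mechanisms he advises avoiding, and a hard or soft catch-all) and how Kevin's HELO complaint is detected with a forward-confirmed reverse DNS check. The zone data is constructed in a dictionary so the script runs offline; it reuses the thread's host names and the two addresses Kevin quotes (168.9.128.18 and 168.9.128.29), plus made-up addresses for dewey2 and for the two example.* domains. The catch-all is written `-all`, the form the SPF specification (RFC 7208) defines; `include`, `ptr`, `exists` and macro expansion are deliberately not modelled and produce permerror.

```python
import ipaddress

# Constructed zone data standing in for live DNS (example data only).
# Keys are (owner name, record type). The cowetaschools.net entries follow the
# layout proposed in the post; the example.* domains are invented here.
DNS = {
    ("cowetaschools.net", "TXT"): ["v=spf1 ip4:168.9.128.29 ip4:168.9.128.30 -all"],
    ("cowetaschools.net", "A"): ["168.9.128.18"],
    ("cowetaschools.net", "MX"): ["mail.cowetaschools.net"],
    ("mail.cowetaschools.net", "A"): ["168.9.128.18"],
    ("dewey1.cowetaschools.net", "A"): ["168.9.128.29"],
    ("dewey1.cowetaschools.net", "TXT"): ["v=spf1 ip4:168.9.128.29 -all"],
    ("dewey2.cowetaschools.net", "A"): ["168.9.128.30"],
    ("dewey2.cowetaschools.net", "TXT"): ["v=spf1 ip4:168.9.128.30 -all"],
    ("29.128.9.168.in-addr.arpa", "PTR"): ["dewey1.cowetaschools.net"],
    ("30.128.9.168.in-addr.arpa", "PTR"): ["dewey2.cowetaschools.net"],
    ("18.128.9.168.in-addr.arpa", "PTR"): ["mail.cowetaschools.net"],
    # A domain with the relaxed policy the post warns about.
    ("relaxed.example", "TXT"): ["v=spf1 ip4:192.0.2.10 ~all"],
    # A domain that relies on mx, costing the receiver extra lookups per check.
    ("legacy.example", "TXT"): ["v=spf1 mx -all"],
    ("legacy.example", "MX"): ["mx.legacy.example"],
    ("mx.legacy.example", "A"): ["198.51.100.7"],
}

# RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per evaluation.
MAX_DNS_MECHANISMS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed zone."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def check_spf(client_ip, domain):
    """Return the SPF result for client_ip sending as domain.

    Handles ip4, a, mx and all. Any other mechanism yields permerror.
    """
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records for one domain is an error
    addr = ipaddress.ip_address(client_ip)
    dns_mechanisms = 0
    for term in records[0].split()[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        target = arg or domain  # a and mx default to the domain under test
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "a":
            dns_mechanisms += 1
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(target, "A"))
        elif name == "mx":
            dns_mechanisms += 1  # one for the MX set; the A lookups per MX are not counted here
            matched = any(ipaddress.ip_address(a) == addr
                          for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        else:
            return "permerror"  # include/ptr/exists/exp and a/NN prefixes not modelled
        if dns_mechanisms > MAX_DNS_MECHANISMS:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all'


def helo_matches_ptr(client_ip, helo_name):
    """Forward-confirmed reverse DNS: the PTR for client_ip must equal the
    HELO name, and that name must resolve back to client_ip."""
    reverse = ".".join(reversed(client_ip.split("."))) + ".in-addr.arpa"
    wanted = helo_name.lower().rstrip(".")
    for ptr in lookup(reverse, "PTR"):
        if ptr.lower().rstrip(".") == wanted and client_ip in lookup(ptr, "A"):
            return True
    return False


if __name__ == "__main__":
    for ip, dom in [("168.9.128.29", "cowetaschools.net"),
                    ("168.9.128.18", "cowetaschools.net"),
                    ("203.0.113.5", "relaxed.example"),
                    ("198.51.100.7", "legacy.example")]:
        print(f"{ip} as {dom}: {check_spf(ip, dom)}")
    # The mismatch Kevin quotes: .29 announcing itself as cowetaschools.net.
    print("HELO cowetaschools.net from .29:", helo_matches_ptr("168.9.128.29", "cowetaschools.net"))
    print("HELO dewey1 from .29:", helo_matches_ptr("168.9.128.29", "dewey1.cowetaschools.net"))
```

The receive-only host 168.9.128.18 gets a hard fail from the domain record because it is not listed as a sender, which is exactly the separation the post recommends; relaxed.example returns softfail for an unknown sender, so a receiver that ran the check still has to fall back to other filtering.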