I just registered a new domain last week. I associated it with my Google Apps account.
Apparently, some spam bot is using it with fake account names to send spam and I'm receiving a ton of bounces.
What can I do to help against that?
I do have an SPF DNS record
v=spf1 include:_spf.google.com ~all
I don't want to have -all
based on this.
Saying "I have an SPF record" is a bit like saying "I have a computer". Until we know the details, it's a bit difficult to say why it might not be helping.
More specifically, could we see the SPF record, or at least could you tell us whether it ends in
~all
,?all
, or-all
?Edit: thanks for posting your SPF record, which we see ends in
~all
. As I have written elsewhere on Server Fault, any SPF record that doesn't end-all
is next-to-useless and definitely won't prevent joe-jobbing (as the sending of spam claiming to be from your domain by unauthorised third-parties is also known).SPF really can be useful in this scenario; it's not checked by everyone, but it's checked by a lot of MTAs. If you can itemise all the systems that will send email from your domain, and then disallow all others by changing that to
-all
, it will tell recipients who check SPF records that email claiming to be from your domain but originating elsewhere can lawfully be discarded or refused, and many recipients' servers will then do that.As long as you continue to end with
~all
, you're telling recipients nothing about identifying email that's not from you, only about identifying email that is - and that's no help at all in getting joe-jobbed spam refused.Second edit: yes, thanks for the pointer to the google document. As it says,
Well, yes it can: that's the point of it.
You want people not to accept email that claims to be from your domain when it's not from you? Then you have to tell them that they should do so. SPF
-all
is one way to do that. DomainKeys/DKIM is another. In all cases, you have to tell people that you're identifying mail from you in a certain way, and if it doesn't carry that identifier, they should refuse it. If you won't tell them that, then why are you surprised if they don't refuse it?You'll have to set SPF to '-all', or there is no sense in SPF at all. Dont worry about the delivery problems, there will be none.
What you currently see is Backscatter. See here what to do against it. And the related questions thereof.
Things that really help is BATV and/or VERP. But as you are on Google this does not work in your case. But for "real" mail server this is a big relieve.
PS: What's the price for the domain if I want to buy it?