SPF (Sender Policy Framework) seems like a good way to combat spammers/spoofing. However, despite reading the explanations several times, I'm not quite understanding how to configure it correctly.

Let's say I have my server at a.x.com, which hosts www.x.com, b.x.com, c.x.com and so on. I also have a.co.uk, b.net, c.info and so on, each of these with an assortment of sub-domains, all hosted on x.com.

For all of these domains and sub-domains, I want to permit mail to be sent from a.x.com. I would also like them all to permit mail sent from Gmail for all these domains.

How do I set this up with SPF? Can I set one SPF record for x.com (or a.x.com) and then for everything else just have a simple include/pointer to x.com's record, or would it need to be done differently? Can anyone provide some SPF records for the above example?

Note: The second part of my question has been answered (use "v=spf1 include:x.com -all" to include/point at x.com's record), but the key part of what to set on x.com remains unanswered...
You can't avoid having to alter the zone files for the domains other than x.com, but you can save yourself a lot of trouble by defining common policies hosted on one domain and using the redirect SPF keyword on the other domains. Example, x.com domain:

_spf.google.com is the record holding the Gmail SPF record. Not sure whether it's documented. Theoretically you should include:gmail.com, but that's a redirect to _spf.google.com and there has been at least one widely used SPF patch for qmail which didn't follow it properly (got fixed in August 2008 but might still be deployed.) The two policies are examples, of course - having more than one with various levels of strictness is extremely useful when debugging, since you only have to alter a short name in the target domain instead of error-prone copy-pasting.

... or ... etc.

I'm using redirect, not include, to cause the SPF check to completely replace the currently evaluated record with the one I'm redirecting to. include does not do that - for example, a -all at the end of an include does not cause evaluation to stop (include is a big misnomer.) You should avoid using include when you want to "alias" an SPF record from another domain, since it's quite brittle - if you accidentally forget the trailing -all you might render your entire SPF on that domain ineffective.

Edit: Please note, though, that you need to be on guard if you want to allow Gmail's servers as senders. The Gmail captcha has been cracked, which means that it's possible to automate account signups, which means Gmail can be (indirectly) used as an open relay (I'm getting tens of spambot signup requests per week for my company discussion forum, all using gmail.com email addresses - and those addresses are live, I've allowed a few to go through for checking purposes.) Additionally, anyone with a Gmail account can bypass SPF checking if familiar with the username parts of the email addresses at your domains.
Yes, you can include the config from one of your domains in the SPF records for all the other domains. Setting the other domains' SPF record to the following should do the trick:
Have you tried using the web tool at http://www.openspf.org/? It might make it a bit easier for you to deal with this...
Just enter your domain in the top-right box and click the go button. From there, you should be able to set things up in a hurry.
The standard, RFC 4408, provides some examples that are very close to what you want. Here is an extract of x.com's zone file:
Notes:
Yes, you need to add the specific SPF record to each domain individually.

The reason for this is that the only (useful) aliasing type record in the DNS is the CNAME record. However, the CNAME record causes aliasing to happen for ALL of the RRtypes in an RRset - there's no way to say "CNAME the SPF record but not the MX records".