As I don't understand networking at all, I must turn to you with a very simple question.
I am told I need to set up an SPF record in order to minimize the risk of my business mass emails ending up in a spam folder, among other things I need to do. I am not sending any spam, nor do I know about ending up in it; I just want to set up my DNS records properly.
I have a rather long list of IP addresses, basically two subnets, that my hosting provider uses for its mail servers.
I have read I should be able to specify them in some CIDR format, unknown to me.
A month ago I set this up, but I have issues: sometimes my SPF passes and sometimes it does not in Mail-Tester:
v=spf1 a mx ~all
But the mail server name resolves to multiple IP addresses in two different subnets.
I want to shorten the list of IP addresses specified, and make it more flexible, because they may change the last bits of those IP addresses.
My current idea looks like this:
v=spf1 a mx ip4:111.111.111.xxx/?? ip4:222.222.222.xxx/?? -all
Parsing:
To specify version of the SPF record:
v=spf1
To allow IP address of the domain to send email for this domain:
a
To allow servers listed as MX to send email for this domain:
mx
The first list of IP addresses, always starting with e.g. 111.111.111 and ending with whatever range:
ip4:111.111.111.xxx/??
The second list of IP addresses, always starting with e.g. 222.222.222 and ending with whatever range:
ip4:222.222.222.xxx/??
To set strict behavior so that non-compliant senders are rejected:
-all
The question is what should I put after the slash? 24?
What you should put after the slash depends on the subnet that contains the mail servers, that is, the subnet that was allocated to them.
If you are using a responsible provider, they will have an SPF record you can include before your policy, which normally should be -all. Policies specified in includes are ignored, so don't worry if they use ~all or another permissive policy.
You may want to look at the SPF records for Gmail, which use multiple include records. There is a limit to how many DNS lookups will be done before your SPF record is considered invalid.
Consider implementing DMARC with a reporting address if you want to track issues with SPF and/or DKIM. Several large providers provide reports to domains with DMARC configured. There are multiple services that can provide reports on how well you have configured your email domain.
You may want to consider using a separate domain for bulk emails. This should reduce the damage to your mail domain's reputation if there are problems with a bulk mailing.
I've blogged about Securing your Email Reputation with SPF among other topics. You may also find the resources in my posting Detecting Email Server Forgery useful.
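The two practical checks behind this thread, working out the prefix length to put after the slash from the provider's address list, and staying under the 10-lookup limit the answer mentions (RFC 7208 section 4.6.4), can be scripted. The following is an added example, not code from the question, the answer or any provider; the IP list and the `_spf.hosting.example` include name are constructed for illustration and use RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Constructed sample input: the sort of IP list a hosting provider hands out
# for its outbound mail servers. Addresses are from the RFC 5737 documentation
# ranges and do not belong to any real provider.
PROVIDER_MAIL_IPS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.20",
    "198.51.100.5", "198.51.100.6", "198.51.100.9",
]

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4;
# ip4, ip6 and all are free. At most 10 of these may appear per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)")
MAX_LOOKUPS = 10


def covering_cidr(ips):
    """Smallest single CIDR block containing every address in `ips`."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    net = ipaddress.ip_network(f"{addrs[0]}/{addrs[0].max_prefixlen}")
    while addrs[-1] not in net:      # widen by one bit until the last address fits
        net = net.supernet()
    return net


def cidrs_for(ips):
    """Group addresses by /24 (the 'first three octets' in the question) and
    return one covering block per group, sorted."""
    groups = {}
    for ip in ips:
        key = ipaddress.ip_network(f"{ip}/24", strict=False)
        groups.setdefault(key, []).append(ip)
    return sorted(covering_cidr(g) for g in groups.values())


def build_spf(ips, includes=(), policy="-all"):
    """Assemble an SPF record: version, a, mx, provider includes, ip4 blocks, policy."""
    terms = ["v=spf1", "a", "mx"]
    terms += [f"include:{d}" for d in includes]
    terms += [f"ip4:{net}" for net in cidrs_for(ips)]
    terms.append(policy)
    return " ".join(terms)


def dns_lookup_count(record):
    """Number of lookup-costing terms in `record`; must stay <= MAX_LOOKUPS."""
    return sum(1 for term in record.split()[1:] if LOOKUP_TERM.match(term))


def ip4_matches(record, sender_ip):
    """True if `sender_ip` falls inside any ip4:/ip6: term of `record`.
    Only literal address terms are evaluated; a, mx and include need live DNS."""
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")
        if body.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(body[4:], strict=False):
                return True
    return False


if __name__ == "__main__":
    record = build_spf(PROVIDER_MAIL_IPS, includes=["_spf.hosting.example"])
    print(record)
    print("DNS lookups:", dns_lookup_count(record), "of", MAX_LOOKUPS)
    for ip in PROVIDER_MAIL_IPS + ["203.0.113.7"]:
        print(ip, "covered" if ip4_matches(record, ip) else "NOT covered")
```

The covering block is deliberately the smallest one that contains the listed addresses, so a provider that later moves a server to a neighbouring address inside the same block is still covered, while a /24 would authorise every host in the provider's range, including customers who are not you. If the provider publishes its own SPF record, the include alone makes the ip4 terms unnecessary; the count of a, mx and include terms is what has to stay at or below 10.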