[QUOTE=pascal;12680]Hi,
With the V3.0 release it is now possible to:
- Create a DNS template and so use a SPF template
- Use a record type named SPF (rather than TXT)
OK, I’ll give you an example and ask you how this example could be set up in V3.0.
Say we have a domain name called domain.com.
- This domain has an A DNS record.
- The MX for this domain is mail.domain.com.
- And finally the mail server on the box which hosts this domain is called clust01.domain.com.
So we should create an SPF record like this one:
v=spf1 a mx ~all
Which means that for this domain, the A and MX records can send email and all others normally should not!
PS: v=spf1 means that it is a TXT record and not an SPF one, right? So for an SPF record type, what is the syntax?
[/quote]
The syntax is the same as with the TXT record. You can use TXT records or SPF record type in the DNS interface, and the format is the same. From the user perspective, there really isn’t any difference, and it’s only slightly different in how the backend exports the records, but you don’t need to worry about that :).
The SPF wizard also talks about the HELO domain used by the mail server:
If you run BIND
Paste this into your zone file:
carat-hosting.com. IN TXT "v=spf1 a mx ~all"
When a mail server sends a bounce message, it uses a null MAIL FROM: <>, and a HELO address that's supposed to be its own name. SPF will still operate, but in "degraded mode" by using the HELO domain name instead. Because this wizard can't tell which name your mail server uses in its HELO command, it lists all possible names, so there may be multiple lines shown below. If you know which hostname your mail server uses in its HELO command, you should pick out the appropriate entries and ignore the rest.
So this should also appear in DNS. You may or may not be in charge of the DNS for these entries; if you are, add them.
clust01.domain.com. IN TXT "v=spf1 a -all"
mail.domain.com. IN TXT "v=spf1 a -all"
If you run tinydns (djbdns)
'domain.com:v=spf1 a mx ~all:3600
'clust01.domain.com:v=spf1 a -all:3600
'mail.domain.com:v=spf1 a -all:3600
So it explains that we also have to add the name the mail server uses, and we have to add an SPF record in the DNS for this name.
It looks like for tinydns we have to add an SPF record for the MX server, for the A record and also for the mail server name!
'domain.com:v=spf1 a mx ~all:3600
'clust01.domain.com:v=spf1 a -all:3600
'mail.domain.com:v=spf1 a -all:3600
[B]How could this be created with:
- The dns template
- directly for a domain
[/B]
For the “domain.com” DNS zone, you only need the first line - the
'domain.com:v=spf1 a mx ~all:3600
Via the NodeWorx interface, that just translates as an SPF record with
Host: domain.com Target: v=spf1 a mx ~all
That is only correct if the IP address you get when pinging domain.com is the same as the main IP of the server - which is the IP the mail will be sent from. If that’s not the case, you need to make sure that IP address is “valid” in your SPF record. So an SPF record with
Target: v=spf1 a mx a:clust01.domain.com ~all
might be more correct.
The other two are for bounce messages - when the “From” header isn’t applicable - so it uses the “HELO” host to do a check. In your case, the HELO host is the “Mail Server Hostname (FQDN)” in NodeWorx->System Servers->Mail Server->MTA. It may be “clust01.domain.com” in your case.
In that case, you should indeed add another SPF record to the domain.com zone. Host: clust01.domain.com Target: v=spf1 a -all
This tells the receiving mail system that bounce messages from whatever IP address clust01.domain.com resolves to are “valid mail”. You need an “A” record set up for clust01.domain.com in that case, if it isn’t already.
The above example is a bit more complex than the normal scenario. Normally, the main SPF record for normal mail (not bounce messages) will not be under the same zone as the bounce message spf records.
The “bounce message” spf records normally go under a different DNS zone - usually that of your host, “yourisp.com” for example.
So then the “bounce message” spf records would go under the yourisp.com zone, and there would be one for clust01.yourisp.com. There is probably a shortcut method to use to specify multiple servers, for *.yourisp.com, but check the SPF documentation.
So - using the DNS template system on the server clust01.yourisp.com, you’d add a record to the DNS template Zone, that looks like
dns-template.com SPF v=spf1 a mx a:clust01.yourisp.com ~all
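To make the difference between “a” and “a:clust01.domain.com” concrete, here is an added example (not InterWorx code and not from either poster): a minimal SPF evaluator for the mechanisms used in this thread (a, mx, a:host, ~all, -all) run against a constructed DNS table in which domain.com’s A record points at a different IP than the mail host. It also shows the “degraded mode” the wizard describes, where a bounce with a null MAIL FROM is checked against the HELO name instead. All names and addresses are assumptions; a real resolver would also need include:, ip4:, redirect=, CIDR masks and the lookup limit from RFC 7208.

```python
"""
Minimal SPF evaluator for the mechanisms discussed in the thread.
Added example; the DNS data below is constructed, not real zone content.
"""

# Constructed DNS table: domain.com's A record (192.0.2.10) is not the
# address the mail host clust01.domain.com (192.0.2.101) sends from.
DNS = {
    "A": {
        "domain.com": ["192.0.2.10"],
        "mail.domain.com": ["192.0.2.25"],
        "clust01.domain.com": ["192.0.2.101"],
    },
    "MX": {
        "domain.com": ["mail.domain.com"],
    },
    "TXT": {
        "domain.com": "v=spf1 a mx ~all",
        "clust01.domain.com": "v=spf1 a -all",
        "mail.domain.com": "v=spf1 a -all",
    },
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_ips(name):
    """A records for a hostname (empty list if none)."""
    return DNS["A"].get(name, [])


def mechanism_matches(mech, domain, client_ip):
    """Evaluate one of the mechanisms this thread uses: a, a:host, mx."""
    if mech == "a":
        return client_ip in host_ips(domain)
    if mech.startswith("a:"):
        return client_ip in host_ips(mech[2:])
    if mech == "mx":
        return any(client_ip in host_ips(mx) for mx in DNS["MX"].get(domain, []))
    raise ValueError(f"unsupported mechanism in this example: {mech}")


def check_spf(domain, client_ip, record=None):
    """Return pass / fail / softfail / neutral / none for domain and sending IP.
    record overrides the published TXT so alternatives can be compared."""
    record = record if record is not None else DNS["TXT"].get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech == "all" or mechanism_matches(mech, domain, client_ip):
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no "all" term


def check_sender(mail_from, helo, client_ip):
    """Pick the domain to check: MAIL FROM normally, HELO for a null sender
    (bounce message), which is the degraded mode the SPF wizard mentions."""
    domain = helo if mail_from in ("", "<>") else mail_from.split("@", 1)[1]
    return domain, check_spf(domain, client_ip)


if __name__ == "__main__":
    # Mail from the cluster manager's IP under the plain "a mx ~all" record
    print(check_spf("domain.com", "192.0.2.101"))  # softfail
    # Same IP once clust01 is listed explicitly
    print(check_spf("domain.com", "192.0.2.101",
                    "v=spf1 a mx a:clust01.domain.com ~all"))  # pass
    # Bounce (null MAIL FROM) checked against the HELO host's own record
    print(check_sender("", "clust01.domain.com", "192.0.2.101"))  # pass
```

The softfail on the first call is exactly the situation Paul warns about: the domain’s A record is a different machine, so a receiver following “~all” treats mail from clust01 as suspicious until that host is named in the record.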
Finally, I have a special case, which is a cluster.
We do load balancing for SMTP/POP3/IMAP connections; in fact all mail is sent not from the cluster manager itself (clust01.domain.com) but from a node called clust02.domain.com (but with the IP of the MX/A record for this domain).
So we’d also add the name of the mail server on each node that could send email!?
Is it correct?
So to conclude, we should have, for one domain, a few SPF records:
'domain.com:v=spf1 a mx ~all:3600 ---> the A record
'mail.domain.com:v=spf1 a -all:3600 ---> the MX record
'clust01.domain.com:v=spf1 a -all:3600 ---> the name of the mail server on the CM
'clust02.domain.com:v=spf1 a -all:3600 ---> the name of the mail server on the node
and in fact
'clustXX.domain.com:v=spf1 a -all:3600 ---> the name of the mail server on every node that could send an email (and a bounce message)
Is it correct?
If yes, how could we set this up in InterWorx v3.0 using the DNS template for new domains and the DNS editor for existing domains?
Thanks a ton
Pascal
As described above, you don’t need all those SPF records for each domain. You need one SPF record that allows all the nodes in the cluster to be “valid” senders. So one SPF record that looks like
dns-template.com SPF v=spf1 a mx a:clust01.yourisp.com a:clust02.yourisp.com ~all
Then, in your zone for “yourisp.com” you create SPF records like
clust01.yourisp.com SPF v=spf1 a -all
clust02.yourisp.com SPF v=spf1 a -all
This handles the “bounce message” scenario - which is arguably less important than the “main” domain SPF record.
This SPF stuff can get complicated, huh?
Paul
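As an added example (not InterWorx code and not from either poster), the following script parses SPF and A records written in the two syntaxes that appear in this thread, BIND zone lines and tinydns data lines, and then checks the layout Paul describes for a cluster: every node named with “a:” in the domain’s main record must have an A record and its own HELO record ending in “-all” for bounce messages. The zone text is constructed; the hostnames and addresses are assumptions. It also shows one tinydns detail the thread does not reach: a literal colon inside the text of a tinydns “'” line must be written as \072, which matters as soon as the record contains an “a:host” mechanism.

```python
"""
Parse BIND and tinydns SPF/A lines and check a clustered SPF layout.
Added example; ZONE below is constructed and not InterWorx output.
"""
import re

# BIND: name[.] [ttl] [IN] TXT|SPF "text"   /   name[.] [ttl] [IN] A addr
BIND_TXT = re.compile(r'^(\S+?)\.?\s+(?:\d+\s+)?(?:IN\s+)?(?:TXT|SPF)\s+"([^"]*)"\s*$')
BIND_A = re.compile(r'^(\S+?)\.?\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$')
# tinydns: 'fqdn:text:ttl   /   +fqdn:ip:ttl (or =fqdn:ip:ttl)
TINYDNS_TXT = re.compile(r"^'([^:]+):([^:]*):(\d+)")
TINYDNS_A = re.compile(r"^[+=]([^:]+):([^:]+):(\d+)")

# Raw string so the tinydns \072 escape survives into the parser.
ZONE = r"""
; domain.com zone in BIND syntax (constructed)
domain.com.          IN A   192.0.2.10
mail.domain.com.     IN A   192.0.2.25
domain.com.          IN TXT "v=spf1 a mx a:clust01.yourisp.com a:clust02.yourisp.com ~all"
# yourisp.com zone in tinydns syntax (constructed); colons in text are \072
+clust01.yourisp.com:192.0.2.101:3600
+clust02.yourisp.com:192.0.2.102:3600
'clust01.yourisp.com:v=spf1 a -all:3600
'clust02.yourisp.com:v=spf1 a -all:3600
'yourisp.com:v=spf1 a mx a\072clust01.yourisp.com ~all:3600
"""

# Same layout with clust02's A and HELO lines missing, to show the checker firing.
BROKEN_ZONE = "\n".join(l for l in ZONE.splitlines() if "clust02.yourisp.com:" not in l)


def decode_tinydns(text):
    """Undo tinydns octal escapes such as \\072 for ':'."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), text)


def parse_zone(text):
    """Return ({name: spf_record}, {name: [ips]}) from mixed BIND/tinydns lines."""
    spf, a = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if m := BIND_TXT.match(line):
            name, value = m.group(1).lower(), m.group(2)
        elif m := TINYDNS_TXT.match(line):
            name, value = m.group(1).lower(), decode_tinydns(m.group(2))
        elif (m := BIND_A.match(line)) or (m := TINYDNS_A.match(line)):
            a.setdefault(m.group(1).lower(), []).append(m.group(2))
            continue
        else:
            continue
        if value.startswith("v=spf1"):
            spf[name] = value
    return spf, a


def cluster_nodes(record):
    """Hostnames listed via a:host in an SPF record, qualifier stripped."""
    nodes = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.startswith("a:"):
            nodes.append(mech[2:].lower())
    return nodes


def check_cluster(spf, a, domain):
    """Problems with the layout described in the thread: each node named via
    a: needs an A record and a HELO record of its own that ends in -all."""
    main = spf.get(domain)
    if main is None:
        return [f"{domain}: no SPF record"]
    problems = []
    for node in cluster_nodes(main):
        if node not in a:
            problems.append(f"{node}: listed via a: but has no A record")
        helo = spf.get(node)
        if helo is None:
            problems.append(f"{node}: no HELO SPF record for bounce messages")
        elif not helo.endswith("-all"):
            problems.append(f"{node}: HELO record should end in -all")
    return problems


if __name__ == "__main__":
    spf, a = parse_zone(ZONE)
    print(spf["yourisp.com"])                     # escaped colon decoded
    print(check_cluster(spf, a, "domain.com"))    # [] when every node is covered
    print(check_cluster(*parse_zone(BROKEN_ZONE), "domain.com"))
```

Run as is, the complete zone produces an empty problem list, while the copy without clust02’s lines reports both the missing A record and the missing HELO record for that node, which is the “bounce message” gap Paul calls less important but still worth closing.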