The SPF Setup Wizard

Most domains send outbound mail through a relatively small number of servers. Domains should describe that set of servers in an SPF record in their DNS. Internet email receivers can then reject forged messages which don't come from an envelope sender domain's approved servers. This wizard helps domain owners identify all the servers which could be expected to send mail from their domain.

Let's set up SPF records for
innovationfirst.com's IP address is 216.173.232.105 (metalsolutions.com).
Does that server send mail from innovationfirst.com?
[a]
yes no
This wizard found 10 names for the MX servers for innovationfirst.com: alt1.aspmx.l.google.com, bw-in-f27.1e100.net, gx-in-f27.1e100.net, aspmx2.googlemail.com, qw-in-f27.1e100.net, alt2.aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, iw-in-f27.1e100.net, and aspmx.l.google.com. (A single machine may go by more than one hostname. All of them are shown.)
MX servers receive mail for innovationfirst.com.
Do they also send mail from innovationfirst.com?
[mx]
yes no
Do you want to just approve any host whose name ends in innovationfirst.com? (Expensive, unreliable and not recommended)
[ptr]
yes no

Do any other servers send mail from innovationfirst.com?

You can describe them by giving "arguments" to the a:, mx:, ip4:, and ptr: mechanisms. mx: takes domain names and approves all the MX servers of these domains. To keep the wizard short we left out ptr:, but it works analogously.

[a:]
[mx:]

IP networks can be entered using CIDR notation, e.g. 192.0.2.0/24
[ip4:]
Could mail from innovationfirst.com originate through servers belonging to some other domain?
If you send mail through your ISP's servers, and the ISP has published an SPF record, name the ISP here.
[include:]
Do the above lines describe all the hosts that send mail from innovationfirst.com?
[~all]
yes no
innovationfirst.com. IN TXT

The SPF record:

v=spf1 ip4:68.92.181.2/24 ip4:69.41.80.194/29 ip4:63.241.225.220/29 ip4:63.241.233.34/27 a mx ptr include:innovationfirst.com ?all

can be explained as:

v=spf1 - This identifies the TXT record as an SPF string.
ip4:68.92.181.2/24 - Every host in the range 68.92.181.0-68.92.181.255 is allowed to send mail from innovationfirst.com.
ip4:69.41.80.194/29 - Every host in the range 69.41.80.192-69.41.80.199 is allowed to send mail from innovationfirst.com.
ip4:63.241.225.220/29 - Every host in the range 63.241.225.216-63.241.225.223 is allowed to send mail from innovationfirst.com.
ip4:63.241.233.34/27 - Every host in the range 63.241.233.32-63.241.233.63 is allowed to send mail from innovationfirst.com.
a - innovationfirst.com's IP address is 216.173.232.105 (metalsolutions.com). That server is allowed to send mail from innovationfirst.com.
mx - This wizard found 10 names for the MX servers for innovationfirst.com: alt1.aspmx.l.google.com, bw-in-f27.1e100.net, gx-in-f27.1e100.net, aspmx2.googlemail.com, qw-in-f27.1e100.net, alt2.aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, iw-in-f27.1e100.net, and aspmx.l.google.com. (A single machine may go by more than one hostname. All of them are shown.) The servers behind those names are allowed to send mail from innovationfirst.com.
ptr - Any server whose name ends in innovationfirst.com is allowed to send mail from innovationfirst.com.
include:innovationfirst.com - Any server allowed to send mail from innovationfirst.com is also allowed to send mail from innovationfirst.com.
?all - SPF queries that do not match any other mechanism will return "neutral". Messages that are not sent from an approved server should still be accepted as if the SPF record did not exist.
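
A pre-publication check for a record like the one above, added here as an example and not part of the wizard's output: it recomputes each ip4: range and flags the ptr mechanism, the include: that names the record's own domain, and the ?all default. The function name review_spf and the finding strings are assumptions of this example.

```python
import ipaddress

# The record the wizard produced above, copied from the page.
DOMAIN = "innovationfirst.com"
RECORD = ("v=spf1 ip4:68.92.181.2/24 ip4:69.41.80.194/29 "
          "ip4:63.241.225.220/29 ip4:63.241.233.34/27 "
          "a mx ptr include:innovationfirst.com ?all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def review_spf(domain, record):
    """Hypothetical helper: return (ip4 ranges, findings) for one record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    ranges, findings, saw_all = [], [], False
    for term in terms[1:]:
        # A mechanism may carry a qualifier prefix; the default is "+".
        qual = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = body.lower().partition(":")
        if saw_all:
            findings.append(f"{term}: ignored, it follows 'all'")
        elif name == "ip4":
            iface = ipaddress.IPv4Interface(arg)
            net = iface.network  # host bits masked off
            ranges.append((str(net[0]), str(net[-1])))
            if iface.ip != net.network_address:
                findings.append(f"{term}: host bits set, matches {net}")
        elif name == "ptr":
            findings.append("ptr: expensive, unreliable, not recommended")
        elif name == "include" and arg.rstrip(".") == domain.lower():
            # The receiver re-reads this same record until it hits its
            # DNS lookup limit and returns an error.
            findings.append(f"{term}: includes its own domain")
        elif name == "all":
            saw_all = True
            if qual in "+?":
                findings.append(f"{term}: unmatched senders get "
                                f"'{QUALIFIERS[qual]}', not a rejection")
    return ranges, findings


if __name__ == "__main__":
    for line in review_spf(DOMAIN, RECORD):
        print(line)
```

The ranges it returns match the ones listed in the explanation above; each ip4: term is also flagged because its address has host bits set below the prefix length.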

You need to transfer these records to your DNS server yourself. The wizard cannot make any changes; it can only provide you with the data that needs to be entered into your DNS server.

If you run BIND

Paste this into your zone file:
innovationfirst.com. IN TXT "v=spf1 ip4:68.92.181.2/24 ip4:69.41.80.194/29 ip4:63.241.225.220/29 ip4:63.241.233.34/27 a mx ptr include:innovationfirst.com ?all"

When a mail server sends a bounce message, it uses a null MAIL FROM: <>, and a HELO address that's supposed to be its own name. SPF will still operate, but in "degraded mode" by using the HELO domain name instead. Because this wizard can't tell which name your mail server uses in its HELO command, it lists all possible names, so there may be multiple lines shown below. If you know which hostname your mail server uses in its HELO command, you should pick out the appropriate entries and ignore the rest.

So this should also appear in DNS. You may or may not be in charge of the DNS for these entries; if you are, add them.

alt1.aspmx.l.google.com. IN TXT "v=spf1 a -all"
alt2.aspmx.l.google.com. IN TXT "v=spf1 a -all"
aspmx.l.google.com. IN TXT "v=spf1 a -all"
aspmx2.googlemail.com. IN TXT "v=spf1 a -all"
aspmx3.googlemail.com. IN TXT "v=spf1 a -all"
bw-in-f27.1e100.net. IN TXT "v=spf1 a -all"
gx-in-f27.1e100.net. IN TXT "v=spf1 a -all"
iw-in-f27.1e100.net. IN TXT "v=spf1 a -all"
pv-in-f27.1e100.net. IN TXT "v=spf1 a -all"
qw-in-f27.1e100.net. IN TXT "v=spf1 a -all"

If you run tinydns (djbdns)

'innovationfirst.com:v=spf1 ip4\07268.92.181.2/24 ip4\07269.41.80.194/29 ip4\07263.241.225.220/29 ip4\07263.241.233.34/27 a mx ptr include\072innovationfirst.com ?all:3600
'alt1.aspmx.l.google.com:v=spf1 a -all:3600
'alt2.aspmx.l.google.com:v=spf1 a -all:3600
'aspmx.l.google.com:v=spf1 a -all:3600
'aspmx2.googlemail.com:v=spf1 a -all:3600
'aspmx3.googlemail.com:v=spf1 a -all:3600
'bw-in-f27.1e100.net:v=spf1 a -all:3600
'gx-in-f27.1e100.net:v=spf1 a -all:3600
'iw-in-f27.1e100.net:v=spf1 a -all:3600
'pv-in-f27.1e100.net:v=spf1 a -all:3600
'qw-in-f27.1e100.net:v=spf1 a -all:3600

If you run Windows DNS

Please see these instructions.

More options

If your site requires more complex configuration than this, you should read more about mechanisms. You should also review the tradeoffs involved in choosing an "all" default: see page 15 of the white paper.

You can test some pretend scenarios at one of the DNS tools. MTAs that reject mail because SPF tests failed will link to the why page.

Copyright © 2004-2006, licensed under the GFDL.