1

I have a question in regards to SPF records in a dedicated hosting environment. I wish to set up an SPF record for my dedicated server, but I am not sure whether my understanding is correct.

First question: Do I need to set up the SPF record for ONLY the domain holding the NS and PTR records, or do I need to set it up for each domain on the server?

If I only need to set it up for the NS domain, can it be set up on each domain to override the NS domain?

Also, if it is just for the NS domain, how can I ensure my clients with remote SMTP servers have no issues sending emails? ie. Google Apps or external MX records.

eg: My NS domain is example.com and one of my clients are helloworld.com Am I required to set an SPF record up on helloworld.com, example.com or both? Will the SPF record on example.com affect helloworld.com if I do not put an SPF record on helloworld.com?

Shane
  • 13
  • 4

2 Answers2

3

(Answer edited in the light of edits to the question.)

It depends. SPF records should be applied to the envelope From, not the header From:. If your server is using SRS, everything should be fine; the envelope From will be rewritten to example.com, and your SPF record will cover it. Otherwise, it will depend on what their MUAs (and/or in-house mail servers) set the envelope From to be; if that's helloworld.com, then yes, their SPF record (if it exists) will need to permit your infrastructure to send.

That said, if they are your clients, there's no harm in them including you in their SPF records, which they can do with a simple include:. Better safe than sorry, and don't forget to keep an eye on the DNS lookups limit.

As to the last part of your question, you should probably read our canonical question on setting up SPF records.

Community
  • 1
MadHatter
  • 78,442
  • 20
  • 178
  • 229
  • Hi MadHatter, thanks for your reply. My environment is cPanel/WHM - if you are familiar with it you should know that it requires a "root" domain name. This is also the domain name attached to the nameservers. So my question regards setting up SPF for the domain attached to the nameservers. It is also the domain for reverse lookups (IP to host). I am not asking about subdomains, but that is interesting and useful to know. – Shane May 06 '14 at 10:13
  • Shane, we're not all giant fans of cPanel around these parts, so many of us don't know it well. If you can express your question in protocol-specific terms, rather than product-specific ones, it will make it easier to answer; I'm **very** sure that what cPanel means by "*root domain name*" isn't what the rest of the DNS means by it. You may find that editing an example into your question helps clarify the situation; just telling us actual details of the domain name(s) you're trying to work with would be even more helpful. – MadHatter May 06 '14 at 10:32
  • Sorry, I didn't realise that. I'll make the changes. – Shane May 06 '14 at 10:33
  • Thank you for your changes to the question. Very helpful, now I feel more comfortable setting up the SPF records. Thanks again! – Shane May 07 '14 at 01:47
1

SPF needs to be configured for each domain. While you can use wildcards, this effectively creates all the possible sub-domains that match the wildcard. It is rare you would want to use wildcards. SPF does not apply to PTR records, and your NS domains typically shouldn't be sending email.

If you want to protect domains which should not be sending email from being used to send spam, use an SPF record like v=spf1 -all. I would recommend doing so, but many domains do not have this coverage. (I seen many of them being rejected by my spam filter.) This should include web domains which some spammers tend to prefer.

The domain used in the envelope from address, From:, Sender:, and similar headers should have an SPF record like v=spf1 a mx -all. This will cause problems for senders using other SMTP servers to send email from your domain. SPF will be applied to the envelope from address which in most cases should match one of the sender address headers.

If you want to allow other SMTP servers to send on behalf of your domain you can use the include mechanism. There are limits to the number of domain lookups that can be applied, so deep nesting with mechanisms like A or MX may cause the check to be fail before all mechanisms are completed. Your are also likely to import a ~all mechanism which will significantly defeat the purpose of using SPF.

Setting up your SMTP server to accept authenticated connections from your users on the Submisssion port (587) will allow them to use your mail server to send email. The Submission port should be configured to enable StartTLS. Authentication should require TLS.

Your SMTP server should have an SPF record allowing it to send email. A record like v=spf1 a -all would be appropriate.

Consider looking at DMARC which will allow you to publish a policy on how email SPF and DKIM should be handled. You can also receive feedback on how well your domain is meeting your policies. This can include indications that your domain is being used to send Spam.

BillThor
  • 27,354
  • 3
  • 35
  • 69
  • Thank you for telling me about deep nesting and the usage of ~all vs -all, I will definitely look into those more. Also for your suggestion of DMARC, I must have a look at that. Very useful information here. – Shane May 07 '14 at 01:44