
I'm setting up an email server, and I'm a bit confused by SPF. Following some examples, I set my SPF record as follows...

v=spf1 mx ip4:1.2.3.4 mx:mail.mydomain.com ptr:1.2.3.4 -all

I follow what most of that means, but why is MX in there twice? I assume the second MX means, "This is a mail server for this domain." Am I right on that?

And either way, what does the first MX mean? Does it just indicate anyone checking should look at the MX records stored apart from the SPF TXT record? And, if so, is the MX:mail.mydomain.com redundant with the actual MX records?

Dan Repperger

1 Answer


The first MX means that the IP addresses in the MX record(s) for the domain you're actually attaching the SPF record to should be accepted as valid. The second one means that IP addresses in the MX record(s) for the domain mail.mydomain.com should be accepted as valid. If this SPF record is for the domain mail.mydomain.com, then the second one is redundant. However, if the SPF record is for mydomain.com, then the second MX is not redundant.

Mike Scott
  • I agree but I think it's worth pointing out that the example in the question (`mx:mail.mydomain.com`) looks peculiar. Is there really such an `MX` record? Typically people don't have addresses like foo@mail.example.com... (Also, the `ptr` directive is malformed.) – Håkan Lindqvist Mar 03 '15 at 18:30
  • The email address would be like me@mydomain.com. The mail server is mail.mydomain.com. Both have the same IP address. With that being the case, what should my MX and TXT SPF records look like? Also, what does a correct PTR directive look like, if that one is malformed? I usually do programming, not server support, so this is all rather confusing to me. I really, really appreciate the help! – Dan Repperger Mar 03 '15 at 18:35
  • I think I have it. Maybe. Domain is mydomain.com, and all zone records are for that domain. I create an MX record with a value of "mail.mydomain.com". I then create an A record that points to my IP address. Finally, I set the SPF to "v=spf1 mx a ptr -all". That will allow mail to go to and from *.mydomain.com (all subdomains are on the same IP address), but not from anywhere else. Is that right? – Dan Repperger Mar 03 '15 at 18:48
  • 1
    If everything is on the same IP address, you don't need all of the a, mx and ptr entries, because they will all resolve to the same IP address (assuming your reverse DNS for mydomain.com is set up correctly). Any one of the three will do. But the extra ones do no harm, and could be useful later if you acquire more IP addresses. Note also that the SPF record has nothing to do with what email is allowed to go _to_ *.mydomain.com; that would be down to the configuration of your email server software. – Mike Scott Mar 03 '15 at 19:08
  • 2
    Has no one here read RFC 2606. @DanRepperger. – TRiG Mar 03 '15 at 21:47
  • 1
    Using the `ptr` mechanism violates [RFC 7208](http://tools.ietf.org/html/rfc7208#section-5.5). – Paul Mar 03 '15 at 22:12
  • @DanRepperger if it's just the one mailserver, which is the same as the domain MX, "v=spf1 mx -all" does the job and the rest is redundant. The MX record itself is what lets you actually receive mail -- if it's working, don't touch it! – hobbs Mar 04 '15 at 05:51
  • @Paul It doesn't _violate_ RFC 7208, because it's a SHOULD NOT, not a MUST NOT. – Mike Scott Mar 04 '15 at 07:03
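The following is an added example, not code from the question, the answer or any SPF library: a small offline evaluator for the mechanisms discussed above (`mx`, `mx:domain`, `a`, `ip4`, `ptr`, `all`). The zone data is a constructed stand-in for DNS, using the hypothetical mydomain.com from the question with its single mail host at 1.2.3.4; `include`, `redirect` and macros are deliberately not supported. It shows why the first `mx` is what actually matches, why `mx:mail.mydomain.com` on its own matches nothing when mail.mydomain.com has no MX record of its own, and that `v=spf1 mx -all` is enough for this setup.

```python
import ipaddress

# Constructed, offline stand-in for DNS, not real records: the hypothetical
# mydomain.com from the question, with its one mail host at 1.2.3.4.
ZONE = {
    ("mydomain.com", "TXT"): ["v=spf1 mx ip4:1.2.3.4 mx:mail.mydomain.com ptr:1.2.3.4 -all"],
    ("mydomain.com", "MX"): [(10, "mail.mydomain.com")],
    ("mydomain.com", "A"): ["1.2.3.4"],
    ("mail.mydomain.com", "A"): ["1.2.3.4"],
    # note: mail.mydomain.com has no MX record of its own
    ("4.3.2.1.in-addr.arpa", "PTR"): ["mail.mydomain.com"],
}

def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed zone."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # mechanisms default to "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed

def mechanism_matches(mech, arg, sender_ip, domain):
    """Evaluate one mechanism for sender_ip against the record of domain."""
    ip = ipaddress.ip_address(sender_ip)
    target = (arg or domain).lower()    # mx/a/ptr default to the record's own domain
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return sender_ip in lookup(target, "A")
    if mech == "mx":
        # mx[:target]: the MX hosts of target, each resolved to its A records.
        # "mx" on mydomain.com looks up mydomain.com's MX records;
        # "mx:mail.mydomain.com" looks up MX records of mail.mydomain.com,
        # which most setups do not have.
        hosts = [host for _, host in lookup(target, "MX")]
        return any(sender_ip in lookup(host, "A") for host in hosts)
    if mech == "ptr":
        # RFC 7208 section 5.5 says ptr SHOULD NOT be used (slow, unreliable);
        # implemented here only so the record from the question evaluates.
        # The argument must be a domain name, so "ptr:1.2.3.4" can never match.
        for name in lookup(ip.reverse_pointer, "PTR"):
            name = name.lower()
            forward_ok = sender_ip in lookup(name, "A")
            in_domain = name == target or name.endswith("." + target)
            if forward_ok and in_domain:
                return True
        return False
    raise ValueError("unsupported mechanism: " + mech)

def check_host(sender_ip, domain, record=None):
    """Return (result, matched_term); the first matching mechanism wins,
    scanning left to right, as in RFC 7208 section 4.6.2."""
    if record is None:
        spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
        if len(spf) != 1:
            return "none", None
        record = spf[0]
    for qual, mech, arg in parse_record(record):
        if mechanism_matches(mech, arg, sender_ip, domain):
            return QUALIFIERS[qual], mech + (":" + arg if arg else "")
    return "neutral", None          # nothing matched and no "all" term present

if __name__ == "__main__":
    cases = [("1.2.3.4", None), ("5.6.7.8", None),
             ("1.2.3.4", "v=spf1 mx:mail.mydomain.com -all"),
             ("1.2.3.4", "v=spf1 mx -all")]
    for sender, rec in cases:
        print(sender, rec or "(record from zone)", "->",
              check_host(sender, "mydomain.com", rec))
```

With the question's record attached to mydomain.com, mail from 1.2.3.4 passes on the very first term, `mx`, so the `ip4`, second `mx` and `ptr` terms are never consulted; a stranger at 5.6.7.8 falls through to `-all`. Evaluating `v=spf1 mx:mail.mydomain.com -all` by itself yields a fail for the domain's own mail host, because the lookup is for MX records of mail.mydomain.com rather than of mydomain.com, and there are none.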