Re: [spfbis] Clarity on location of SPF records

Danie de Jager <danie.dejager@za.striata.com> Tue, 16 September 2014 19:00 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/spfbis/4-jX_BeP2jH962ZFUFR5pBY0SQ0
List-Id: SPFbis discussion list <spfbis.ietf.org>

I believe what confused me is that I'm still thinking of the previous
RFC4408.

3.1 <http://tools.ietf.org/html/rfc4408#section-3.1>.  Publishing

   Domain owners wishing to be SPF compliant must publish SPF records
   for the hosts that are used in the "MAIL FROM" and "HELO" identities.
   The SPF records are placed in the DNS tree at the host name it
   pertains to, not a subdomain under it, such as is done with SRV
   records.  This is the same whether the TXT or SPF RR type (see
   Section 3.1.1 <http://tools.ietf.org/html/rfc4408#section-3.1.1>) is used.

   The example above in Section 3
   <http://tools.ietf.org/html/rfc4408#section-3> might be published via
   these lines in a domain zone file:

      example.com.          TXT "v=spf1 +mx a:colo.example.com/28 -all"
      smtp-out.example.com. TXT "v=spf1 a -all"


  *Danie de Jager*
*Striata Operational Support - Team Leader*  *Office:* +27 11 5309600  *Striata
on:* Twitter <https://twitter.com/striata> | LinkedIn
<http://www.linkedin.com/company/striata> | Facebook
<https://www.facebook.com/striata.innovation> | www.striata.com


On 16 September 2014 13:27, Danie de Jager <danie.dejager@za.striata.com>
wrote:

> Hi,
>
> I need clarity with the possible location of the SPF record.
>
> As an example: if I have a domain abc.123.example.com with an MX record of
> mail1.abc.123.example.com and mail2.abc.123.example.com there must be an
> SPF record for:
> mail1.abc.123.example.com to allow only its own A record
> mail2.abc.123.example.com to allow only its own A record
> and
> abc.123.example.com to allow the 2 MX records.
>
> or should all the records be entered at example.com? (which performs a
> completely different function using other mail servers and will have its
> own set of SPF rules)
>
> The RFC uses:
>    <domain> - the domain portion of the "MAIL FROM" or "HELO" identity.
>
> Does <domain> always equal only to a fully qualified domain name?
>
> I'm investigating SPF records of some institutions that I believe are
> wrong. All their SPF records are included only in their top domain.
>
> Regards,
> Danie de Jager
>
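
The lookup rule in the quoted RFC 4408 section 3.1 text, as an added example that is not part of the original message: an SPF verifier queries only the exact name taken from the "MAIL FROM" or "HELO" identity and never falls back to a parent domain. The zone contents and the helper names (`spf_domain`, `lookup_spf`, `audit`) are constructed for illustration, using the host names from the question.

```python
# Constructed sample zones (not real DNS data).
ZONE = {
    "example.com.": ["v=spf1 +mx a:colo.example.com/28 -all"],
    "abc.123.example.com.": ["v=spf1 mx -all"],
    "mail1.abc.123.example.com.": ["v=spf1 a -all"],
    # mail2 has a TXT record, but it is not an SPF record
    "mail2.abc.123.example.com.": ["some unrelated text"],
}
# The layout described in the question: SPF published only at the top domain.
TOP_ONLY = {"example.com.": ["v=spf1 +mx a:colo.example.com/28 -all"]}


def spf_domain(identity):
    """Return <domain>: the domain portion of a MAIL FROM or HELO identity."""
    domain = identity.rsplit("@", 1)[-1]
    return domain.rstrip(".").lower() + "."


def is_spf(txt):
    """True if a TXT string is an SPF version 1 record."""
    low = txt.lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")


def lookup_spf(zone, domain):
    """Look up SPF at exactly `domain`; parent names are never consulted."""
    records = [t for t in zone.get(domain, []) if is_spf(t)]
    if not records:
        return ("none", None)
    if len(records) > 1:
        return ("permerror", None)  # more than one SPF record at one name
    return ("found", records[0])


def audit(zone, mail_from, helo):
    """Report the name queried and the outcome for both identities."""
    # An empty MAIL FROM (bounce) is checked as postmaster@<HELO domain>.
    sender = mail_from if mail_from else "postmaster@" + helo
    report = {}
    for label, identity in (("MAIL FROM", sender), ("HELO", helo)):
        domain = spf_domain(identity)
        report[label] = (domain,) + lookup_spf(zone, domain)
    return report


if __name__ == "__main__":
    for zone in (ZONE, TOP_ONLY):
        print(audit(zone, "user@abc.123.example.com", "mail1.abc.123.example.com"))
```
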