SPF-record. To implement or not?

Welcome all.

Continuing the "Ideas for Habr" series. Recall that I administer this site at the low level (servers, OS, daemons and the interaction of all this), and I am quite strongly interested in the opinion of my colleagues who have practical experience of using what is mentioned in the post. So far it has all been quite sluggish, but I have learned some useful information.

Previous questions:


This time the issue revolves around the mail subsystem. Virtually all of our mail MX records point to gmail.com. It is quite convenient and suits almost everyone, unless, of course, you worry about "big brother" questions. But there are servers that in turn host our sites, many of which send user notifications. Recently, all emails from some of our servers go to users not directly but through a relay, a "smarthost" in admin language: this is convenient, since there is no need to fine-tune the stock sendmail, you just insert one line and that is all. Only the relay has to be configured properly.

So what do we have in the end? Actually, all legitimate mail from the domain habrahabr.ru reaches our users only via Google or via our relay. I.e. there is a good opportunity to put an SPF record in the zone with the corresponding data and with the option "-all". This technology has plenty of advantages and few drawbacks: one of the downsides is associated with possible problems when sending emails. Of course, a correct MTA needs to change the headers etc. when forwarding, but not everyone has everything set up as needed.

In connection with the above, what do you think: is it worth putting the strict "-all", or limiting ourselves to only the uncertain "~all"?

P.S. By the way, DKIM is already running; the relay successfully signs outgoing mail. If your mail clients report an invalid signature, let me know.

4 Answers

> I am quite strongly interested in the opinion of my colleagues who have practical experience of using what is mentioned in the post.

Consult with colleagues from Google)

host -t txt google.com
google.com descriptive text "v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"

Personally, I usually do -all if I know exactly where the letters will go,
for example, if I know that it will be only servers with certain IPs.
We have significantly fewer people, of course, but a great many notifications and mailings, and only with ~all, and IP ranges of course.
Already 4 years, all running normally.
If you have mail on gmail, you -all don't need to do, there may be problems with mail delivery, the Google reconduit to do all that you can't do this without SPF because in times of increased false positives antispam even within the company.
I write -all, but allow the mail services popular in Runet to forward my mail (if, for example, a user who receives the email (e.g. at mail.ru) has set up forwarding to another mailbox).
myzone.ru text = "v=spf1 include:_spf.myzone.ru -all"
_spf.myzone.ru text = "v=spf1 a:mx1.myzone.ru a:mx2.myzone.ru include:_spf.yandex.ru include:_spf.mail.ru include:_spf.google.com -all"


In my other zones I write:
somezone.ru text = "v=spf1 redirect=_spf.myzone.ru"

Convenient!

For Sender ID it could look like this; correct me if I am wrong.
myzone.ru text = "v=spf2.0/mfrom include:_spf.myzone.ru -all"
_spf.myzone.ru text = "v=spf2.0/mfrom a:mx1.myzone.ru a:mx2.myzone.ru include:_spf.yandex.ru include:_spf.mail.ru include:_spf.google.com -all"
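
An added example, not part of the original thread: a small evaluator for the record layout used in the last answer, showing how include: and redirect= interact with -all and ~all. It implements only a subset of RFC 7208 (ip4, a, include, all, redirect) over constructed zone data; _spf.fwd.example, soft.example and all IP addresses are assumptions standing in for real forwarder records.

```python
import ipaddress

# Constructed zone data; layout follows the answer above. _spf.fwd.example,
# soft.example and every IP (documentation ranges) are assumptions.
TXT = {
    "myzone.ru": "v=spf1 include:_spf.myzone.ru -all",
    "_spf.myzone.ru": "v=spf1 a:mx1.myzone.ru include:_spf.fwd.example -all",
    "_spf.fwd.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # a forwarder
    "somezone.ru": "v=spf1 redirect=_spf.myzone.ru",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}
A = {"mx1.myzone.ru": ["192.0.2.10"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate ip against domain's record (subset of RFC 7208)."""
    record = TXT.get(domain)
    if depth > 10:
        return "permerror"  # too many nested lookups
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr, redirect = ipaddress.ip_address(ip), None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "include":
            # include matches only on an inner "pass"; the inner record's
            # own -all/~all result never propagates to the outer record.
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return RESULT[qualifier]
    if redirect:  # used only when no mechanism matched
        result = check_host(ip, redirect, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

Note that an unlisted sender gets "fail" for myzone.ru even though the included forwarder record ends in ~all: the outer -all decides, and a zone using redirect= inherits that result unchanged.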