SPF record clarification - Is this set correctly? - email

I am not very familiar with SPF records so I need a bit of help setting up my SPF record correctly.
Below is a record I created using the Microsoft SPF record wizard
v=spf1 a mx ptr ip4:xxx.xxx.xxx.a ip4:xxx.xxx.xxx.b include:aspmx.googlemail.com include:mydomain.com -all
As you can see I use Google Apps. I also have two web servers sending mail on behalf of mydomain.com. I listed both IPs; both are web servers relating to mydomain.com, and mail from mydomain.com is sent from both servers (web app).
I also set the PTR to be xxx.xxx.xxx.a at my ISP. Considering all this, and the fact that the above mentioned are the only places where mail gets generated for mydomain.com, is the above record correct?

Most of the results of this SPF specification depend on the MX entries of the domain. What you get here is:
a: Allow any host that an A record of the domain points to (but not any subdomains, or hosts inside the domain)
mx: Allow any hosts with an MX record pointing to them
ptr: Allow all hosts where the PTR record matches an A record. Use this ONLY when you control both the reverse and the forward domains, and probably not even then as it results in some DNS overhead.
ip4:...: Allow the named IP.
include:...: Include the servers allowed by SPF rules in the named domain. Google uses some redirection to allow all its sender hosts here.
I assume the SPF record is entered into the mydomain.com domain directly. The last include is superfluous and probably creates a loop.
After all, it looks rather correct (if you correct the mentioned include, if applicable). But to understand what's going on, you should really read the specification; it's really simple in the end.

Related

Do I add salesforce SPF record to my domain itself?

I am having some issues with emails that are being sent from SF. Therefore, I am wanting to add SF's SPF record. Do I add this to my domain itself? For example, my domain is hosted from networksolutions. I go there and add the SF spf record, correct?
If so, I am having a little bit of trouble figuring out exactly where I would put the SPF record in the fields. I am referencing this help article.
https://help.salesforce.com/articleView?id=Sender-Policy-Framework-SPF-and-Salesforce-SPF-Record&language=en_US&type=1
What would I put in the host? SF is sending out the mail from an email structured as example.com . There is no subdomain like help.example.com.
Would I just put v=spf1 mx include:_spf.salesforce.com ~all in the text field?
For the host, do I put what my mxrecord is, which is: example-com.mail.protection.outlook.com
And have this image from network solutions.
Here's what you want, assuming that you send outgoing email "from" ONLY Salesforce and Office 365. If there are other outgoing providers (e.g., an ESP), then you need to add them as well. This would be in the root domain, assuming you send from the root domain (aka @).
v=spf1 include:_spf.salesforce.com include:spf.protection.outlook.com ~all
Notes:
• You don't need the mx mechanism as that creates additional DNS lookups toward the upper limit allowed for an SPF record (10 lookups)
• Make sure that you validate your SPF record. The concern here is to keep the number of DNS lookups under 10 to pass. Use the SPF Survey.
• Consider doing DKIM and DMARC as well.
I hope this helps.

Are sites without wildcard SPF records vulnerable to subdomain spoofing attacks?

The thought occurred to me that if SPF records are not recursive, domain names may be vulnerable to email spoofing from subdomains. My research reveals this:
The Demon Question: What about subdomains?
If I get mail from pielovers.demon.co.uk, and there's no SPF data for
pielovers, should I go back one level and test SPF for demon.co.uk?
No. Each subdomain at Demon is a different customer, and each customer
might have their own policy. It wouldn't make sense for Demon's policy
to apply to all its customers by default; if Demon wants to do that,
it can set up SPF records for each subdomain.
So the advice to SPF publishers is this: you should add an SPF record
for each subdomain or hostname that has an A or MX record.
Sites with wildcard A or MX records should also have a wildcard SPF
record, of the form: * IN TXT "v=spf1 -all"
(Thanks to Stuart Cheshire.)
(emphasis mine)
Q1: Why don't you need to add an SPF record if the subdomain doesn't have an A/MX record?
As an example, I investigated support.google.com:
dig google.com txt:
google.com. 3599 IN TXT "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
dig support.google.com txt:
support.google.com. 21599 IN CNAME www3.l.google.com.
dig www3.l.google.com txt:
www3.l.google.com. IN TXT
So..., no SPF record for support.google.com.
Q2: Why doesn't Google (and many other sites) follow this advice?
Q3 (bonus): If this is a problem, and I'm not just being stupid, why is this not more documented?
The only related SE question I can find is this, but it doesn't say much more than the openspf.org FAQ above.
This is actually not terribly relevant advice in 2015, as the email landscape has evolved substantially since that post was made.
In practice SPF is an authentication protocol, not a policy enforcement mechanism. What I mean by that is that a particular message can pass, fail, or not check SPF based on the EHLO name or Return Path domain. But how a receiver should handle any SPF result is up to the receiver.
The email policy enforcement mechanism is DMARC, which specifies how a message that does not pass SPF or DKIM authentication should be handled by a receiver. Should it be rejected entirely? Quarantined (typically meaning directed to a spam folder)? Or treated as 'normal'?
DMARC, unlike SPF, does have subdomain inheritance. So, provided an explicit DMARC policy isn't defined on the subdomain, the policy defined on the organizational domain is used. So in the specific case you mention, the policy will be read from _dmarc.google.com. Which is:
v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com
So your hypothetical email sent on support.google.com will be treated as spam, even without an explicit SPF policy defined on support.google.com.
So if you want to ensure against subdomain spoofing for a domain you manage, add a DMARC policy.
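The subdomain inheritance described in this answer, as an added example that is not part of the original post: the discovery steps are those of RFC 7489 section 6.6.3 (query _dmarc.<From domain>, then fall back to _dmarc.<organizational domain> and honour its sp tag). The real organizational domain is derived from the Public Suffix List; PUBLIC_SUFFIXES here is a tiny stand-in for it, and FAKE_TXT is a constructed DNS table, not live data. The disposition() helper assumes identifier alignment holds and shows why anything other than an SPF "pass" (including permerror) falls through to the policy.

```python
"""DMARC policy discovery with organizational-domain fallback (added example)."""

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # stand-in for the PSL (assumption)

FAKE_TXT = {  # name -> list of TXT strings (constructed, not live DNS)
    "_dmarc.google.com": ["v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=reject; sp=none"],
}


def organizational_domain(name):
    """Keep one label above the longest matching public suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return name.lower()


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def discover_policy(from_domain, dns):
    """Return {'policy': ..., 'source': ...} or None when no DMARC record applies."""
    own = f"_dmarc.{from_domain.lower()}"
    found = [t for t in map(parse_dmarc, dns.get(own, [])) if t]
    if len(found) == 1:                     # explicit record on the domain itself
        return {"policy": found[0].get("p", "none"), "source": own}
    org = organizational_domain(from_domain)
    if org == from_domain.lower():
        return None                         # nothing to inherit from
    parent = f"_dmarc.{org}"
    found = [t for t in map(parse_dmarc, dns.get(parent, [])) if t]
    if len(found) != 1:                     # zero or several records: no policy
        return None
    tags = found[0]
    # Inherited policy: "sp" governs subdomains when set, otherwise "p".
    return {"policy": tags.get("sp", tags.get("p", "none")), "source": parent}


def disposition(spf_result, dkim_result, policy):
    """Receiver action under DMARC. Only "pass" authenticates; fail, none and
    permerror all count as not passing. Alignment is assumed (simplification)."""
    if spf_result == "pass" or dkim_result == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    found = discover_policy("support.google.com", FAKE_TXT)
    print(found, "->", disposition("none", "none", found["policy"]))
```

Running the block shows support.google.com picking up p=quarantine from _dmarc.google.com with no record of its own; help.example.co.uk instead gets "none" because the parent record sets sp=none, which is the knob to check when a parent policy is stricter than you expect for a subdomain.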

PermError SPF Permanent Error: Too many DNS lookup

I have SPF and TXT records configured. When I check the SPF record syntax, it says PermError SPF Permanent Error: Too many DNS lookups.
v=spf1 include:_spf.google.com include:netcore.co.in ~all
And my emails land in SPAM as well.
1) I am on shared hosting; I don't have a dedicated IP or DKIM configured. Actually, I don't send emails with spam-triggering words. Since I am on shared hosting, is there any possibility of others on the shared hosting sending emails which resulted in my emails landing in SPAM?
2) I am using netcore.co.in to send the mass mails, and google.com to send the mails from Gmail.
And I have properly configured MX records as well. I have mentioned Google MX records but not netcore.net MX records.
I am using SendGrid's free SMTP server to send the emails from my Java web app, which I have not mentioned in the SPF record.
Is the SPF record causing the spam issues?
You should have a look at this question I answered a few weeks ago:
Too many DNS lookups in an SPF record
You only get 10 DNS lookups for SPF (that's part of the protocol). There are automatically two lookups to get your TXT records and the actual SPF record. Without doing the actual math (I'll leave that to you as an exercise), you're hovering in the neighborhood of 13-14 lookups. You need to either consolidate your SPF records into one, or drop one of those services. (For instance, SendGrid allows you to do both transactional and mass mail under one set of IPs, so you could drop netcore or gmail entirely).
As for your spam issue, you should contact SendGrid support (http://support.sendgrid.com), that shouldn't be happening to you and they will be able to help you troubleshoot and resolve the issue.
Another option is to use an SPF proxy service like spfproxy.org. It masks all the lookups behind a proxy that does them in the background. Takes just a couple of minutes to set up.
This has nothing to do with shared hosting, dedicated IP, DKIM set up or not, or if your content looks spammy.
The only culprit here is that your SPF contains 10+ mechanisms and/or modifiers that do DNS lookups. The SPF spec imposes this limit to prevent DDoS attacks.
You can use an online SPF checker to check the DNS lookup count in your SPF record: Online SPF checker
When "SPF PermError: too many DNS lookups" is returned during an SPF check, DMARC treats that as fail since it's a permanent error, and all SPF permanent errors are interpreted as fail by DMARC. This can have a negative impact on your email deliverability and you should seek a solution to this problem.
I've written a post on this topic: SPF PermError: too many DNS lookups
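The lookup budget discussed in both answers above, and the self-include loop pointed out in the first answer on this page, as an added example that is code from neither answer: a static linter that walks an SPF record through include: and redirect= targets and totals the terms that cost a DNS lookup under RFC 7208 section 4.6.4 (a, mx, ptr, include, exists, redirect) against the limit of 10. FAKE_DNS is a constructed table: the google and netcore names come from the questions, but the record contents are stand-ins and not the providers' real records.

```python
"""Static SPF lookup counter and include-loop detector (added example)."""
from dataclasses import dataclass, field

LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
LOOKUP_LIMIT = 10                      # RFC 7208 section 4.6.4

FAKE_DNS = {  # domain -> SPF TXT string (constructed stand-ins, not live data)
    # The record from the first question, self-include left in place.
    "mydomain.com": "v=spf1 a mx ptr ip4:192.0.2.10 ip4:192.0.2.11 "
                    "include:aspmx.googlemail.com include:mydomain.com -all",
    "aspmx.googlemail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:nb1.google.example "
                       "include:nb2.google.example include:nb3.google.example ~all",
    "nb1.google.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nb2.google.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "nb3.google.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # The record from the PermError question, published on a constructed domain.
    "shared-host.example": "v=spf1 include:_spf.google.com include:netcore.co.in ~all",
    "netcore.co.in": "v=spf1 include:s1.netcore.example include:s2.netcore.example "
                     "include:s3.netcore.example include:s4.netcore.example mx a ~all",
    "s1.netcore.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "s2.netcore.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "s3.netcore.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "s4.netcore.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
}


@dataclass
class SpfReport:
    lookups: int = 0
    loops: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def over_limit(self):
        return self.lookups > LOOKUP_LIMIT


def split_term(term):
    """Return (name, argument) for one SPF term, qualifier and CIDR stripped."""
    term = term.lstrip("+-~?")
    if "=" in term:                    # modifier: redirect=domain, exp=domain
        name, arg = term.split("=", 1)
    elif ":" in term:                  # mechanism with argument: include:domain
        name, arg = term.split(":", 1)
    else:                              # bare mechanism: mx, a/24, ptr, all
        name, arg = term, ""
    return name.split("/", 1)[0].lower(), arg.split("/", 1)[0].lower()


def lint_spf(domain, dns, report=None, path=()):
    """Walk the SPF record of `domain`, following includes, and fill a report."""
    if report is None:
        report = SpfReport()
    domain = domain.lower()
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        # An include: of a domain without SPF is itself a PermError.
        report.warnings.append(f"{domain}: no SPF record")
        return report
    for term in record.split()[1:]:
        name, arg = split_term(term)
        if name not in LOOKUP_TERMS:
            continue                   # ip4/ip6/all/exp cost no lookup
        report.lookups += 1
        if name == "ptr":
            report.warnings.append(f"{domain}: ptr is deprecated and slow")
        if name in ("include", "redirect"):
            if arg in path + (domain,):
                report.loops.append(f"{domain} -> {arg}")
                continue               # report the loop, do not recurse into it
            lint_spf(arg, dns, report, path + (domain,))
    return report


if __name__ == "__main__":
    for name in ("mydomain.com", "shared-host.example"):
        r = lint_spf(name, FAKE_DNS)
        print(name, r.lookups, "OVER LIMIT" if r.over_limit else "ok", r.loops, r.warnings)
```

With these stand-in records the first question's record costs 9 lookups and trips the loop check on include:mydomain.com, while the PermError question's record reaches 11 because each include: is charged once and every lookup term inside the included records is charged again. Real provider records change over time, so run the count against live DNS (the online checkers the answers mention do exactly this) before trusting a number.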

Point 2nd domain name to existing site whilst retaining email accounts

I tried searching on SO but all answers seem to involve .htaccess and 301 redirects. I am wondering if there is a way to do this just using cpanel and the DNS providers interface.
Simply I own two domain names: mysite.com and thissite.com
Both are currently pointing to servers and both have email addresses associated with them.
I want to point thissite.com to mysite.com without disrupting the email addresses already associated with thissite.com
At first I changed the nameservers of thissite.com to be the same as mysite.com but this disrupted the emails so I quickly changed them back.
I then changed the A record of thissite.com to point to the IP address of mysite.com. The same issue seems to have occurred though - the email addresses are still broken.
Can anyone point me in the right direction here? Thanks
Normally A records are not related to email. Possibly your email problems are caused by DNS still being cached from your first experiment.
DNS stores the destination SMTP server for a domain's email in an MX-type record. See what MX record you have for thissite.com.
nslookup
set type=mx
thissite.com
If your domain has correct MX records, then the A record does not matter for email.

SPF record for a mail server

I use a different server to send mail to my mailing list. I want to add an SPF record to my domain to show that the IP of the different server is authorized to send mail (as well as the default server).
The server sending email in the example is 1.2.3.4 with the main domain of test.co.uk.
So far I have v=spf1 mx a ip4:1.2.3.4/32 mx:test.co.uk ?all. Would this work for what I want?
EDIT:
I would be sending mail using sendmail. The SPF record would be to increase % of mail going to inbox and also so we can enforce -all in the near future on SPF.
Try using an online tool like http://www.mtgsy.net/dns/spfwizard.php to generate the SPF record. If you Google for "SPF Record checker", you will find many websites which will even validate the SPF record for your domain.
Let's assume your domain is test.co.uk. This makes mx the same as mx:test.co.uk. Specifying an IP as ip4:1.2.3.4 is the same as ip4:1.2.3.4/32.
That would be enough:
v=spf1 mx a ip4:1.2.3.4 ?all
Make sure you verify your SPF records using an SPF checker. Try the following one.
http://spf.myisp.ch
It does some pretty extensive testing.