SPF thingymajigisms

antic

Perch
I'm getting dazed and bemused reading the docs about SPF... can someone answer what is hopefully a simple question?

A client's domain is being used by someone to send spam. SPF is ON for their domain, and set to "Pass". If I simply change it to "Fail" will that stop people using that domain to send spam?

The client doesn't use Jodo's mail servers for SMTP, they send using their ISP's SMTP server. So I assume somewhere I need to add their ISP's mail server IP to the list of accepted IPs for that domain? How/where do I do that? I assume that, by default, the only IP listed as OK for that domain is the one mapped to mail.theirdomain.com, yes?

If I have to force them to use mail.theirdomain.com as their SMTP server, that's no big deal, if there's no way of adding other IPs to HSphere's SPF whitelist. It's also possible that I have no idea what I'm saying right now. :)

Simple language please with happy drawings in red and green texta.
 
A client has had similar problems recently. I set up SPF, but it doesn't seem to have made much difference as few servers seem to check the record as yet. It doesn't stop other people sending mail as you, just reduces the number of rejection notices a little.

To set up SPF, you can go to the mail config screen in CP and select SPF and then select 'fail'. This will fail any mail coming from any server that isn't associated with the A and MX records. Certainly the easiest thing to do is to have them send mail through the JH servers, and that should do it.

However, if you want to add an ISP, you need to do it through the DNS config.

Go to DNS configuration (from the 'Edit domain' screen).
At the bottom, there should be no 'built-in TXT records' for SPF. This is where one will appear if you have previously set up SPF using the SPF button. If there is one there, delete it.

Then click 'Add DNS TXT record'. In 'Data', type:

v=spf1 a mx ptr:theirisp.com -all

You need to check mail sent through their ISP to see which domain it's really coming from. Just use the last bit in place of 'theirisp.com' above.
This should pass mail that goes through the usual jh mail servers and web servers, and also their ISP, and 'hard' fail all others. A hard fail (-all) is risky, as it will fail mail if they use anyone else's PC or ISP (roaming wi-fi access, maybe). There are other options for this.

I've had varying success with this. I set it up on a domain that uses mail3. and it worked with no problem.
On a domain using mail1, it seems Hsphere didn't properly clean up after itself when I deleted previous entries. At some level, it ended up with multiple SPF records and this stopped the whole thing from working properly. They didn't show up in Hsphere, but showed up at dnsreport.com when I checked the domain. JH support cleared the multiple records manually, but I still couldn't get it to work for this domain and gave up.

You can check SPF operation at http://www.dnsstuff.com/pages/spf.htm

The SPF record is DNS info, so it does get cached for a time and making changes won't always have the desired effect until it is refreshed. So try to get it right first time... :)
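To make the record in the reply above concrete, here is an added example (not code from the forum post or from HSphere) showing how a receiving server evaluates `v=spf1 a mx ptr:theirisp.com -all` against a sending IP. It runs offline against a constructed zone table standing in for DNS; the host names, the ISP name and the RFC 5737 test addresses are all hypothetical. It covers the mechanisms the post uses (`a`, `mx`, `ptr`, `all`) plus `ip4`/`ip6`, shows why `-all` hard-fails a roaming sender while `~all` only soft-fails it, and returns `permerror` when a name publishes two SPF records, which is the failure mode described for the mail1 domain. One caveat worth knowing: RFC 7208 says `ptr` should not be used, because it depends on reverse DNS being set up correctly and costs extra lookups; the example only accepts a PTR name that resolves back to the sending IP, as the RFC requires.

```python
import ipaddress

# Constructed zone data standing in for live DNS so the example runs offline.
# Hosts, addresses and the ISP name are hypothetical (RFC 5737 test ranges).
FAKE_DNS = {
    "A": {
        "theirdomain.com": ["203.0.113.10"],        # web server (matched by 'a')
        "mail.theirdomain.com": ["203.0.113.25"],   # hosting mail server (via 'mx')
        "mailhost.theirisp.com": ["198.51.100.7"],  # the client's ISP relay
    },
    "MX": {"theirdomain.com": ["mail.theirdomain.com"]},
    "PTR": {
        "198.51.100.7": ["mailhost.theirisp.com"],
        "192.0.2.99": ["dyn-99.example.net"],       # some roaming wifi/dial-up host
    },
    "TXT": {
        "theirdomain.com": ["v=spf1 a mx ptr:theirisp.com -all"],
        # Two SPF records on one name: the situation the thread ran into.
        "broken.example": ["v=spf1 a -all", "v=spf1 mx -all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Offline stand-in for a DNS query; returns [] when nothing is published."""
    return FAKE_DNS.get(rtype, {}).get(name.lower().rstrip("."), [])


def mech_a(domain, ip):
    return ip in lookup("A", domain)


def mech_mx(domain, ip):
    return any(ip in lookup("A", host) for host in lookup("MX", domain))


def mech_ptr(target, ip):
    # A PTR name only counts if it resolves back to the sending IP
    # (a "validated domain name" in RFC 7208) and sits at or under the target.
    for name in lookup("PTR", ip):
        if ip in lookup("A", name) and (name == target or name.endswith("." + target)):
            return True
    return False


def check_spf(domain, ip, record=None):
    """Evaluate the domain's SPF record (or an explicit one) for a sending IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if record is None:
        records = [t for t in lookup("TXT", domain) if t.lower().startswith("v=spf1")]
        if not records:
            return "none"
        if len(records) > 1:        # more than one v=spf1 record is a permanent error
            return "permerror"
        record = records[0]
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qual = "+"                   # a bare mechanism means 'pass' when it matches
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = mech_a(arg or domain, ip)
        elif name == "mx":
            matched = mech_mx(arg or domain, ip)
        elif name == "ptr":
            matched = mech_ptr(arg or domain, ip)
        elif name in ("ip4", "ip6"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        else:                        # include/exists/redirect are outside this example
            return "permerror"
        if matched:
            return QUALIFIERS[qual]  # first matching term decides the result
    return "neutral"                 # nothing matched and no 'all' term present


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.99"):
        print(ip, "->", check_spf("theirdomain.com", ip))
    print("softfail variant ->", check_spf("theirdomain.com", "192.0.2.99",
                                           "v=spf1 a mx ptr:theirisp.com ~all"))
    print("two SPF records ->", check_spf("broken.example", "203.0.113.10"))
```

The ISP relay passes only because its reverse and forward DNS agree; a sender whose PTR name does not resolve back (the 192.0.2.99 host) falls through to `-all` and fails. Swapping `-all` for `~all` turns that into a softfail, which is the gentler option the reply alludes to for clients who sometimes send from other networks. If an ISP's outbound addresses are known, an `ip4:` term is the more predictable way to allow them than `ptr`.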
 
Way cool Bro, thanks a million! I needed those practical examples, will bookmark this one. :) Cheers!
 