SPF records - have I got it right?

Menathor · #1 01-06-2007, 06:14 PM

Hi all,

I've been getting heaps of email bounce-backs lately - seems spammers have been using email addresses from my domain in their "FROM" header.

I've been told adding SPF records to my DNS zone for each of my domains will solve the problem (or at least most of the problem). As a shared user, I don't have WHM and can't add it myself - I need to get HG support to do it for me.

Before I ask them to, I want to make sure I've got it right!

Here are the lines for the 2 domains I have linked to my web hosting:

thesunpilots.com. IN TXT "v=spf1 a mx include:internode.on.net ~all"

and

honeytraprecords.com. IN TXT "v=spf1 a mx include:internode.on.net ~all"

Are these correct? I've included internode.on.net as this is my ISP (which I send mail from).

HG support - could you comment as well?

Cheers,
Menathor

psylenced · #2 01-06-2007, 07:32 PM

I'm interested in the answer too. I have been getting many of these bounceback emails per day from someone sending spam under my domain name.

luckyrat · #3 01-07-2007, 11:29 AM

Menathor, that's all correct.

That SPF record will result in a SOFTFAIL for any emails that come from spammers. That seems to be the normal way of configuring SPF although there is also a FAIL status too which you would normally be able to enforce by removing "~all" from the end of the SPF record.

In your specific case however, the SPF record of your ISP includes an ~all statement so removing it from your record would have no effect. I'm not sure why people go for the SOFTFAIL rather than FAIL approach but I wouldn't want to rock the boat and have followed the ~all approach with my SPF record too.

HG support told me to use a free nameserver service in order to allow me to configure the TXT entry in the zone which I did becuase there were other (now irrelevant) advantages to using third party nameservers. They may be able to just add the record for you though so open a ticket and ask nicely :-)

For more information on SPF see http://www.openspf.org/ and to test your SPF record (now or when it's active) go to http://www.dnsstuff.com/pages/spf.htm

Menathor · #4 01-07-2007, 09:53 PM

Thanks luckyrat - very nice explanation.

HG support have been kind enough to add the records for each of my domains, and they seem to check out. Now I just have to send a few test emails to make sure all is ok - but fingers crossed it will be!

Menathor · #5 01-08-2007, 05:00 PM

Hmmmm.... seems that I'm still getting some bounced emails. Either SPF isn't set up correctly (although dnsreport says it is?) OR the bounces are coming from mail servers which don't check the SPF record. Can anyone confirm that this would be the reason?

I THINK the number of bounces has reduced, although I'm not 100% sure.... Are there any other measures I can take to reduce this problem further?

luckyrat · #6 01-09-2007, 04:21 AM

It's likely that the bounces are coming from servers which don't check SPF records (it's still a relatively rare practice).

I noticed a small drop in the number of bounced messages after switching on SPF but the best way to stop them is to not use a "catch all" email address for your domain. That way all the randomly used email addresses for your domain will just bounce into a black hole. I still use a catch all but I've got half an eye to disabling it in the future.

Hopefully checking SPF records will become more common in the next year or two and the levels of spam will gradually reduce but at the moment it is sadly not likely to result in a massive ddrop in the amount of backscatter you receive.

It's probably not an option for a shared hosting account but there might be some way that you could automatically probe into the headers of the bounced email to find out if it originated on the server you use to send email (in other words, perform an SPF check yourself on the mail that the bounce message claims that you sent). However, there might be too many different implementations of bounce messages to make this a practical solution. I've never tried this myself so I'm not sure if there is a way to do it at this time. Maybe someone else can expand on the idea but I expect that implementing it would require some ability to change things on the server that a shared account wouldn't allow.

swexpert · #7 01-09-2007, 01:05 PM

Hi,
The bounces should ideally increase after adding an SPF if you have a capture all account enabled. This is because the remote MTA will reject messages sent by spammers....

Example if I send a mail-from "delta(@)thesunpilots(.)com" now, it will get rejected but the bounce message will goto Menathor, not me. so it implies that if you get a large bounce-backs, then your domain email has been widely been used by spammers...but is now somewhat protected

Regds
IJ

luckyrat · #8 01-09-2007, 04:01 PM

Quote:

Originally Posted by swexpert

Hi,
The bounces should ideally increase after adding an SPF

I see your point. I'm not entirely sure whether it's usual for a mail server to bounce back messages that failed an SPF test - I might be tempted to just send them into a blackhole. In the case of a SPF softfail though I might be a bit more lenient and send a bounce message as you suggest. :-)

However, I did see a noticeable drop after adding SPF records to my domain. This drop corresponded to a period of increased spam at my work domain so although I won't rule out a coincidental drop, it looks like it was the result of adding the SPF record.