Setting up SPF in Postfix for sending

  • Rob Tanner
    Message 1 of 9 , Aug 15, 2013
      I've googled around quite a bit and while I can find lots of instruction on what I need in order for Postfix to validate incoming mail, I find nothing about what I need to do to make sure Postfix does whatever it needs to do to make sure the MTA receiving the mail validates it. And the dearth of information in that category also begs the question, is there a special header that Postfix needs to include in the message (as in DKIM) or do the receiving MTAs, if they're set up to use SPF, just automatically do the DNS lookups? What is it, besides adding the correct DNS TXT records, that I need to do on my end?

      Thanks,
      Rob
    • Titanus Eramius
      Message 2 of 9 , Aug 15, 2013
        Thu, 15 Aug 2013 22:56:53 -0700 Rob Tanner <rtanner@...> wrote:

        > I've googled around quite a bit and while I can find lots of
        > instruction on what I need in order for Postfix to validate incoming
        > mail, I find nothing about what I need to do to make sure Postfix
        > does whatever it needs to do to make sure the MTA receiving the mail
        > validates it. And the dearth of information in that category also

        You can't, since it's up to the receiver to do whatever checks they
        wish. That includes SPF.

        > begs the question, is there a special header that Postfix needs to
        > include in the message (as in DKIM) or do the receiving MTAs, if
        > they're set up to use SPF, just automatically do the DNS lookups? What
        > is it, besides adding the correct DNS TXT records, that I need to
        > do on my end?

        Nope, nothing to set up in Postfix to support SPF on outgoing mail,
        besides making sure the TXT / SPF record matches the sending server. I
        tend to simply use "v=spf1 mx -all" since my setup is simple, but you
        can see the entire syntax here
        http://www.openspf.org/SPF_Record_Syntax

        > Thanks,
        > Rob

        Cheers
      • Stan Hoeppner
        Message 3 of 9 , Aug 16, 2013
          On 8/16/2013 12:56 AM, Rob Tanner wrote:
          > I've googled around quite a bit and while I can find lots of instruction on what I need in order for Postfix to validate incoming mail, I find nothing about what I need to do to make sure Postfix does whatever it needs to do to make sure the MTA receiving the mail validates it. And the dearth of information in that category also begs the question, is there a special header that Postfix needs to include in the message (as in DKIM) or do the receiving MTAs, if they're set up to use SPF, just automatically do the DNS lookups? What is it, besides adding the correct DNS TXT records, that I need to do on my end?

          Nothing else. Just the TXT record in DNS. This should have been clear
          to you after reading the receiver side requirements, i.e. how the
          receiver checks SPF records.

          --
          Stan
        • btb@...
          Message 4 of 9 , Aug 16, 2013
            On Aug 16, 2013, at 01.56, Rob Tanner <rtanner@...> wrote:

            > What is it, besides adding the correct DNS TXT records

            as there is a formal dns rr type for spf defined in rfc4408, you'll of course want to include that as well.

            -ben
          • Scott Kitterman
            Message 5 of 9 , Aug 16, 2013
              btb@... wrote:
              >On Aug 16, 2013, at 01.56, Rob Tanner <rtanner@...> wrote:
              >
              >> What is it, besides adding the correct DNS TXT records
              >
              >as there is a formal dns rr type for spf defined in rfc4408, you'll of
              >course want to include that as well.

              I wouldn't bother. It has only very limited deployment and is proposed for removal in the revision to RFC 4408 that is about to enter IETF last call.

              This is, however, unrelated to Postfix. Either spf-discuss or spf-help would be appropriate. See www.openspf.org/Forums for information about these lists.

              Scott K
            • btb@...
              Message 6 of 9 , Aug 16, 2013
                On Aug 16, 2013, at 15.06, Scott Kitterman <postfix@...> wrote:

                > I wouldn't bother. It has only very limited deployment and is proposed for removal in the revision to RFC 4408 that is about to enter IETF last call.

                interesting. thank you for calling attention to this.

                -ben
              • Hans Spaans
                Message 7 of 9 , Aug 17, 2013
                  Scott Kitterman wrote on 2013-08-16 21:06:
                  > btb@... wrote:
                  >> On Aug 16, 2013, at 01.56, Rob Tanner <rtanner@...> wrote:
                  >>
                  >>> What is it, besides adding the correct DNS TXT records
                  >>
                  >> as there is a formal dns rr type for spf defined in rfc4408, you'll of
                  >> course want to include that as well.
                  >
                  > I wouldn't bother. It has only very limited deployment and is proposed
                  > for removal in the revision to RFC 4408 that is about to enter IETF
                  > last call.

                  You may want to check thread "9.3.3 - SPF record checks" from May 30
                  2013 on the bind-users mailing list.

                  Hans
                • Scott Kitterman
                  Message 8 of 9 , Aug 17, 2013
                    On Saturday, August 17, 2013 12:16:03 Hans Spaans wrote:
                    > Scott Kitterman wrote on 2013-08-16 21:06:
                    > > btb@... wrote:
                    > >> On Aug 16, 2013, at 01.56, Rob Tanner <rtanner@...> wrote:
                    > >>> What is it, besides adding the correct DNS TXT records
                    > >>
                    > >> as there is a formal dns rr type for spf defined in rfc4408, you'll of
                    > >> course want to include that as well.
                    > >
                    > > I wouldn't bother. It has only very limited deployment and is proposed
                    > > for removal in the revision to RFC 4408 that is about to enter IETF
                    > > last call.
                    >
                    > You may want to check thread "9.3.3 - SPF record checks" from May 30
                    > 2013 on the bind-users mailing list.

                    He's wrong about what most SPF libraries do. Most don't query for the RR type
                    at all, but we'll see how the IETF last call works out. It is a matter of
                    some controversy.

                    Thanks,

                    Scott K
                  • Michael Grimm
                    Message 9 of 9 , Aug 17, 2013
                      On 16.08.2013, at 08:50, Titanus Eramius <titanus@...> wrote:

                      [DNS]

                      > I tend to simply use "v=spf1 mx -all" since my setup is simple, but you
                      > can see the entire syntax here http://www.openspf.org/SPF_Record_Syntax

                      Hmm, I used to have just that configuration in my DNS for more than a year,
                      but very recently I got some rejections upon delivery of mails from my
                      published mx records (mx1.my-domain.tld and mx2.my-domain.tld) in DNS stating:

                      | An SPF-enabled mail server rejected a message from a mail server claiming
                      | to be mx1.my-domain.tld.
                      |
                      | An SPF-enabled mail server received a message from mx1.my-domain.tld (1.2.3.4)
                      | from a mail server claiming to be mx1.my-domain.tld.
                      |
                      | The domain mx1.my-domain.tld has not published an SPF policy. It is possible
                      | that the receiving mail server refuses all mail from domains that do not have
                      | an SPF policy.

                      I do understand http://www.openspf.org/SPF_Record_Syntax that the "mx" in
                      "v=spf1 mx -all" will tell: "Accept mail from *any* published mx of a given
                      domain", right?

                      For the time being (before I really do understand SPF) I'm back to run DNS
                      without SPF, shrug.

                      Regards,
                      Michael
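
Added example, not part of the thread or any poster's code: a small evaluator for a subset of SPF (`all`, `ip4`, `a`, `mx`) run over a constructed zone. It shows that `v=spf1 mx -all` published at my-domain.tld is not a policy for the name mx1.my-domain.tld, the name the quoted rejection checked; RFC 4408 section 2.1 lets receivers check the HELO name as well as the MAIL FROM domain. The address for mx2 and the per-host `v=spf1 a -all` records are assumptions for illustration.

```python
import ipaddress

# Constructed zone data standing in for DNS (not real records).
ZONE = {
    "my-domain.tld": {"TXT": ["v=spf1 mx -all"],
                      "MX": ["mx1.my-domain.tld", "mx2.my-domain.tld"]},
    "mx1.my-domain.tld": {"A": ["1.2.3.4"]},
    "mx2.my-domain.tld": {"A": ["1.2.3.5"]},  # address assumed for the example
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(zone, name, rrtype):
    return zone.get(name, {}).get(rrtype, [])

def check_host(zone, ip, domain):
    """Evaluate the SPF policy published at exactly `domain` for client `ip`."""
    records = [t for t in lookup(zone, domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"           # no policy at this name; parent records do not apply
    if len(records) > 1:
        return "permerror"      # more than one SPF record is an error
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"         # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(zone, arg or domain, "A")
        elif mech == "mx":
            hosts = lookup(zone, arg or domain, "MX")
            matched = any(ip in lookup(zone, h, "A") for h in hosts)
        else:
            return "permerror"  # mechanism or modifier outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def with_host_policies(zone, domain):
    """Copy of the zone with an SPF record added at each MX host name."""
    fixed = {name: dict(rrs) for name, rrs in zone.items()}
    for host in lookup(zone, domain, "MX"):
        fixed[host]["TXT"] = ["v=spf1 a -all"]  # assumed per-host policy
    return fixed
```

`check_host(ZONE, "1.2.3.4", "my-domain.tld")` gives `pass`, while the same client checked against `mx1.my-domain.tld` gives `none` until a record is published at that name.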