3

Let's say I have these IP addresses on my server:

  • 170.120.210.209 gateway
  • 170.120.210.210 server IP
  • 170.120.210.211
  • 170.120.210.212
  • 170.120.210.213
  • 170.120.210.214
  • 170.120.210.215
  • 170.120.210.216
  • 170.120.210.217
  • 170.120.210.218
  • 170.120.210.219
  • 170.120.210.220
  • 170.120.210.221
  • 170.120.210.222

I am now willing to set up an SPF record for my domain but don't want to write each IP one by one. Could you please tell me the short way of doing this?

How can I convert these IP addresses into CIDR notation?

Is this correct?

170.120.210.210/28

Thanks for your help.

Willy

3 Answers

2

Yes, that is the correct CIDR notation, although you should only be putting in the IPs of machines that will be sending mail, not all of your IPs, into the SPF record.

Zypher
2

See this ServerFault question and answers: SPF include: too many IP addresses

Note that you probably shouldn't use IP addresses. There is also a limit of 10 queries for A, AAAA records.

Wesley
  • AFAIK it's actually 10 DNS queries, not 10 queries period. DNS queries happen if you use host names, not IP addresses. – Kane Sep 10 '15 at 15:47
2

170.120.210.210/28 isn't strictly valid, since 210 isn't a multiple of 16 - more accurately you should use 170.120.210.208/28.

I'm going to assume that you're worried about external third parties faking e-mail from you, and that all of the machines in your /28 are under your control.

In those circumstances, don't worry about the fact that some of those 16 addresses in the range (.208 - .223) aren't actually your mail server. Because SMTP relies on TCP/IP, the chances of some third party managing to fake an SMTP connection using one of your unused IP addresses are pretty close to negligible.

Alnitak
  • Agreed that the boundary of this network is .208. – dbasnett May 17 '10 at 19:01
  • Great, thanks for the explanation. Everything about CIDR is now clear :) So, setting an SPF record for 170.120.210.208/28 will not cause any problem even if some of those IPs are not my mail server. – Willy May 18 '10 at 13:02
  • The only problem it could cause is if someone in your network was sending spam from one of those IPs, they could masquerade as your mailserver and your SPF record would confirm this. That's a highly unlikely situation; regardless your SPF record would incorrectly state that e-mail is allowed to be sent from those IPs. – Chris S May 18 '10 at 14:04
  • yep - that caveat was (I hope) clear in my answer. – Alnitak May 18 '10 at 16:19
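
An added example (not part of any answer above) that checks the block boundary discussed in this thread and compares a single covering /28 with an exact cover of the listed addresses, using Python's standard `ipaddress` module. The function names are hypothetical, and the `-all` policy in the generated record is an assumption; the addresses are the ones from the question.

```python
import ipaddress

# Addresses listed in the question: .209 (gateway) through .222.
HOSTS = [ipaddress.ip_address(f"170.120.210.{n}") for n in range(209, 223)]

def is_aligned(cidr):
    """True if the address part is the network base (no host bits set)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False

def covering_network(hosts):
    """Smallest single CIDR block that contains every host."""
    lo, hi = min(hosts), max(hosts)
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()  # widen by one bit until the block fits
    return net

def extra_addresses(net, hosts):
    """Addresses the block authorizes that were not in the host list."""
    return sorted(set(net) - set(hosts))

def exact_cover(hosts):
    """Aligned CIDR blocks covering exactly the hosts, nothing more."""
    singles = (ipaddress.ip_network(f"{h}/{h.max_prefixlen}") for h in hosts)
    return list(ipaddress.collapse_addresses(singles))

def spf_record(networks):
    """SPF TXT value for the given blocks (the -all policy is an assumption)."""
    return "v=spf1 " + " ".join(f"ip4:{n}" for n in networks) + " -all"

if __name__ == "__main__":
    block = covering_network(HOSTS)
    print("210/28 aligned:", is_aligned("170.120.210.210/28"))
    print("covering block:", block)
    print("also authorized:", [str(a) for a in extra_addresses(block, HOSTS)])
    print("single block  :", spf_record([block]))
    print("exact cover   :", spf_record(exact_cover(HOSTS)))
```

To authorize only the machines that send mail, pass just those addresses to `exact_cover` instead of the full list.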