
I have a domain whose users send email from an ISP's SMTP server. I'm trying to set up SPF for that domain using:

v=spf1 a mx include:mail.isp.com ~all

When I checked the record using the 2nd tool at http://www.kitterman.com/spf/validate.html it gave me an error because the ISP doesn't have SPF records for their domain.

My main question - Does this mean I should just not use SPF? Will this cause problems leaving in the record for their normal email use? I have a list I need to send out so I'm trying to be as proactive as possible to make sure it delivers well.

Also, a side issue is my SPF record does not show up via the 1st tool at http://www.kitterman.com/spf/validate.html even though I'm fairly certain DNS has propagated. I'm giving it another day before I worry about that too much but wanted to mention it in case it's related.

Edit: OK, I figured out that while mail.isp.com has no SPF records, isp.com does. Here it is (with a hypothetical IP address):

v=spf1 ip4:198.16.0.0/24 ?all

What confuses me is that the ip address of mail.isp.com is included in that ip range. I guess I can do the same thing with an ip range and see how that works out, and count the range as neutral with ? or something. But why isn't specifying the domain working in this case?

Syntax Error

1 Answer


The idea behind SPF is to identify to the receiving servers which IPs/hostnames are allowed to send mail for the particular domain. Since the ISP does not have SPF records, you should explicitly list them in your domain's SPF record. Mail sent from any of the IPs listed in your SPF record will be successfully "authenticated". You can probably request a list of IPs from the ISP, but bear in mind that if they change the IPs around, and your SPF record is not in sync, you run the risk of having mail coming out of the new IP tagged as SPAM.

You may want to request that the ISP publish SPF records to allow you to automatically include them in your own. This way it will avoid the problem just mentioned. This is common practice these days and the ISP should be up to speed. Major email providers, such as Google, Yahoo and Hotmail weigh domains with correct SPF records heavily in their favour.

Regarding the actual publishing of the record, you can try querying your authoritative servers directly to see if they've at least made it to there. You can do the following on a command line:

$ dig TXT YOURDOMAIN @YOUR_AUTH_NS

If it is available via the name server, but still has not made it to the rest of the web, check on your domain's SOA record to make sure the serial number was incremented. If it's not published by the name server, you should check with the provider to see what the problem is.

Good luck!

vmfarms
  • Thanks, this was helpful so far. For now I have removed my records and contacted the isp in question. I have also appended an edit to my question with more information if you don't mind offering an opinion. – Syntax Error Aug 27 '10 at 16:54
  • Ah, if the isp.com has SPF records, that's more than sufficient. What you should do then is include their SPF record neutrally, like so: `v=spf1 a mx ?include:isp.com ~all`. This should work in this case and allow the ISP to make changes while allowing your records to remain intact. – vmfarms Aug 27 '10 at 18:00
  • Wonderful! And the best part is I'm actually starting to understand how it all works ;) – Syntax Error Aug 27 '10 at 18:27
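To see why `include:mail.isp.com` breaks the record while `include:isp.com` (with or without a qualifier) evaluates cleanly, here is an added example that is not part of the question or the answer: a small offline evaluator for the SPF mechanisms used on this page (`all`, `ip4`, `a`, `mx`, `include`) following the RFC 7208 rules, run against a constructed DNS table. The zone data, `example.com`, `mx.example.com` and the IP addresses are assumptions for the demonstration only; the `198.16.0.0/24` range is the hypothetical one from the question.

```python
import ipaddress

# Constructed offline "DNS" for the example (not real zones): SPF TXT, A and MX data.
ZONE = {
    "example.com": {"a": ["203.0.113.10"], "mx": ["mx.example.com"]},
    "mx.example.com": {"a": ["203.0.113.20"]},
    "mail.isp.com": {"a": ["198.16.0.25"]},           # the ISP relay: no SPF record at all
    "isp.com": {"txt": "v=spf1 ip4:198.16.0.0/24 ?all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name):
    return set(ZONE.get(name, {}).get("a", []))

def check_host(ip, domain, spf=None, depth=0):
    """Evaluate SPF for sender ip against domain (RFC 7208 subset: all, ip4, a, mx, include)."""
    if depth > 10:
        return "permerror"           # nested includes exceed the lookup limit
    record = spf or ZONE.get(domain, {}).get("txt")
    if not record or not record.startswith("v=spf1"):
        return "none"                # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in host_ips(arg or domain)
        elif name == "mx":
            matched = any(ip in host_ips(h) for h in ZONE.get(arg or domain, {}).get("mx", []))
        elif name == "include":
            sub = check_host(ip, arg, depth=depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"   # include: of a domain without a record is a permanent error
            matched = sub == "pass"  # the qualifier applies only when the include yields pass
        else:
            return "permerror"       # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                 # no mechanism matched and no explicit all

if __name__ == "__main__":                                  # compare the page's records for the ISP relay IP
    for rec in ("v=spf1 a mx include:mail.isp.com ~all", "v=spf1 a mx include:isp.com ~all",
                "v=spf1 a mx ?include:isp.com ~all"):
        print(f"{rec:42} -> {check_host('198.16.0.25', 'example.com', rec)}")
```

For the relay IP the three records give permerror, pass and neutral respectively: an `include:` of a domain with no record is a permanent error whatever qualifier precedes it, and a `?` on the include downgrades a matching ISP IP from pass to neutral.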