
The newly created SPF record for one of our domains, texxxxx.com, goes like this:

teXXXXXX.com v=spf1 a mx ptr ip4:189.123.111.000 mx:teXXXXX.com -all (not real values)

and the mxtool SPF check provided the following result:

  • a Pass Match if IP has a DNS 'A' record in given domain

  • mx Pass Match if IP is one of the MX hosts for given domain name

  • ptr Pass Match if IP has a DNS 'PTR' record within given domain

  • ip4 189.123.111.000 Pass Match if IP is in the given range

  • mx texxxxxx.com Pass Match if IP is one of the MX hosts for given domain name

  • -all Fail Always matches. It goes at the end of your record.

I don't know why the last line's result for -all is failing. Is it an issue to be concerned about?

panindra

1 Answer


SPF is checked in order. If the IP address of teXXXXXX.com matches the IP address of the connecting mail server, SPF passes, and it stops evaluating. It will only give a fail/negative result if none of the previous entries didn't pass. That is what -all means.

becomingwisest
  • Is this something to worry about, because some suggest using ~all instead of -all? What's your suggestion? And what you said is true, then you can see all my previous records passed, so how come this -all failed? – panindra Feb 16 '12 at 04:52
  • It's not failing the SPF checking tool - it's designating that addresses other than the ones you're specifying should fail the SPF check. That's exactly as it should be - the reason that you have SPF is to make checks fail for unauthorized addresses. – Shane Madden Feb 16 '12 at 04:58
  • @Shane Madden Does this mean that the SPF record is perfect for my domain, and is this what it should be in the ideal scenario for a single-domain mail server? Because Google Apps prefers ~all instead of -all. Does this make a difference to my mail server security? – panindra Feb 16 '12 at 05:17
  • @panindra Regarding fail versus softfail, please see [here](http://serverfault.com/a/355513/72586). You haven't provided enough information to tell whether it's appropriate for your domain. The idea is that you need to specify all servers that are authorized to send mail - have you done that? – Shane Madden Feb 16 '12 at 05:35
  • @shane Madden We are using only one domain and a single IP for this mail server to send mail. Is it required to go for soft fail? Unless some unauthorized mails from spammers hijacking, we are sure that we are only going to use this same IP to send mail. – panindra Feb 16 '12 at 05:53
  • @ShaneMadden I prefer not to allow any server other than my current mail server, configured to send mail from my static IP for my domain, so I used -all (fail). Does this assure that spammers have less chance to hijack my mail server to send spam? – panindra Feb 16 '12 at 06:01
  • Yes, that's correct - if you're certain that only your allowed server should be sending mail, then `-all` tells recipient servers more emphatically than `~all` to reject mail from other servers. – Shane Madden Feb 16 '12 at 06:05
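
The left-to-right, first-match evaluation discussed in the answer and comments above, as an added example (not code from the original thread). The domain, addresses and DNS tables are constructed sample data, and `ptr`, `include` and modifiers are skipped in this sketch.

```python
import ipaddress

# Constructed DNS data using documentation addresses (not the poster's values).
DNS_A = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]}
DNS_MX = {"example.com": ["mail.example.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = "v=spf1 a mx ip4:192.0.2.25 -all"  # constructed record


def check_spf(record, sender_ip, domain):
    """Evaluate terms in order; return (result, first matching term)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    for term in terms[1:]:
        qualifier, mech = "+", term  # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        target = arg or domain
        if name == "all":
            matched = True  # catch-all: always matches, so it goes last
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS_A.get(target, [])
        elif name == "mx":
            hosts = DNS_MX.get(target, [])
            matched = any(str(ip) in DNS_A.get(h, []) for h in hosts)
        else:
            continue  # mechanisms and modifiers outside this sketch
        if matched:
            return QUALIFIERS[qualifier], term  # evaluation stops here
    return "neutral", None  # RFC 7208 default when no mechanism matches


if __name__ == "__main__":
    for sender in ("192.0.2.25", "192.0.2.10", "203.0.113.7"):
        print(sender, check_spf(RECORD, sender, "example.com"))
    soft = RECORD.replace("-all", "~all")
    print("203.0.113.7", check_spf(soft, "203.0.113.7", "example.com"))
```

The authorized senders never reach the `-all` term; only an address that matched nothing earlier does, which is why a checking tool lists `-all` with the result "Fail".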