Thread: SPF Mechanisms

#1 (aniyanrajan6, Contributing User, joined Apr 2013)

    SPF Mechanisms


    http://www.openspf.org/SPF_Record_Syntax#all

I want to add a TXT record in my DNS settings to prevent spam. I am looking at the different SPF mechanisms in the above URL and wondering which mechanisms I should use in the value so that I can efficiently prevent spam. I can find different mechanisms like ip4, ptr, a, mx etc. Which one is better? I think I can use a combination. So which combination is the best?

    Currently I use this setting
    Code:
    @   "v=spf1 ip4:IP_ADDRESS -all"
    If I use ip4, then my outgoing emails will contain my static IP address. Is that safe?

    I have an A Record with hostname as @ and an MX Record.

    Please suggest.

    Thanks.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    45
    Your TXT record is just fine. There are many ways to get your IP address, so including it is not an issue. SPF has its own record type now (type 99), so if your DNS supports it, you should also include it (make sure it agrees with the TXT record).

    In my own experience, SPF by itself won't achieve your goal. SPF did not succeed because it failed to address forwarded messages and there was no feedback mechanism. Consequently, few receivers ever bounced messages, even though they failed SPF. I was receiving 10,000 to 15,000 connection attempts per day to an email domain that had not existed for 15 years, even though it had an SPF record of "v=spf1 -all" and no MX record. So I enabled the MX record and added a Pseudo SMTP server that bounced all messages after the MAIL FROM:. That dropped the connection attempts down to 1,200 to 1,500 per day, and as many as 15 simultaneous connections.

    Examining the logs, I discovered that many of the attempts were from receivers attempting to bounce emails after DATA (backscatter). The biggest offenders were the big 3 (Yahoo, Gmail, & Hotmail). At the time, these 3 and others were developing DMARC, in an attempt to reduce phishing. It still did not address forwarding, but at least it had a feedback mechanism. DMARC works on top of SPF and DKIM. So I added DKIM and DMARC records with instructions to delete everything. At first, I only got feedback from Gmail, and it confirmed that my domain name was being very badly abused by spammers. As more DMARC users have come online, the connection attempts have dropped to 100 to 150 a day and only 2 to 3 simultaneous connections.

    I attribute part of my success to DMARC, and I would strongly recommend that you investigate its implementation.

    J.A. Coutts
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    34
    Rep Power
    2
    Originally Posted by couttsj:
    Your TXT record is just fine. There are many ways to get your IP address, so including it is not an issue. SPF has its own record type now (type 99), so if your DNS supports it, you should also include it (make sure it agrees with the TXT record).
    Thanks for the reply. I will research DMARC also. I was thinking, if I do the following, will it do additional checking on the A record?

    Code:
    @   "v=spf1 a mx ip4:IP_ADDRESS -all"
    Also, I had an email ID that I used for searching jobs. It was harvested by spammers. Recently I deleted that email ID, as it is no longer needed. But in /var/log/mail.log I am able to see connection attempts that are trying to deliver spam emails to that deleted email ID. I am seeing this every day now. Is it possible for me to do anything additional in the DNS to stop this? Will it affect my other email IDs in the same domain?

    Thanks.
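The record discussed in the two posts above, evaluated the way a receiving MTA evaluates it, as an added example (not code from the thread or from openspf.org). It uses a constructed in-memory DNS table in place of real lookups: example.org stands in for the poster's domain, 203.0.113.10 for the IP_ADDRESS placeholder, and the other zones (mxonly.example, soft.example) are made up to exercise the `mx` mechanism, a CIDR `ip4` term and the `~all` qualifier. Only the mechanisms the thread asks about (ip4, a, mx, all) are modelled; include, ptr and exists are reported as unsupported.

```python
import ipaddress

# Constructed DNS data for this example (assumption, not real zone data).
# example.org stands in for the poster's domain and 203.0.113.10 for the
# IP_ADDRESS placeholder in the thread; the other zones are made up.
DNS = {
    ("example.org", "TXT"): ["v=spf1 a mx ip4:203.0.113.10 -all"],
    ("example.org", "A"): ["203.0.113.10"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.10"],
    ("mxonly.example", "TXT"): ["v=spf1 mx -all"],
    ("mxonly.example", "MX"): ["mail.example.org"],
    ("soft.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing mechanisms


def lookup(name, rtype, dns=DNS):
    """Stand-in for a DNS query; returns [] for names that do not exist."""
    return dns.get((name, rtype), [])


def check_host(ip, domain, dns=DNS):
    """Evaluate the SPF record of `domain` for a connecting client `ip`.

    Handles the mechanisms asked about in the thread (ip4, a, mx, all) and
    the four qualifiers. Returns (result, matched_term); result is one of
    pass, fail, softfail, neutral, none or permerror.
    """
    client = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT", dns) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none", None
    if len(records) > 1:  # RFC 7208 section 3.2: more than one record is an error
        return "permerror", None
    lookups = 0
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # ip4:A.B.C.D is a single host (/32); ip4:A.B.C.0/24 is the whole block
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            lookups += 1  # both count against the 10-lookup limit
            if lookups > MAX_DNS_LOOKUPS:
                return "permerror", term
            target = arg or domain
            hosts = [target] if name == "a" else lookup(target, "MX", dns)
            addrs = [ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A", dns)]
            matched = client in addrs
        else:
            return "permerror", term  # ptr, include, exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier], term
    return "neutral", None  # nothing matched and no 'all' term present


if __name__ == "__main__":
    # The domain's own server matches `a` before the ip4 term is even reached.
    print(check_host("203.0.113.10", "example.org"))
    # A forwarder relaying the same message from its own address hits -all.
    print(check_host("198.51.100.7", "example.org"))
    print(check_host("198.51.100.7", "soft.example"))
```

When the A record at @ and the MX host resolve to the same address as the ip4 term, as in the table above, `a` and `mx` add two DNS lookups (out of the ten a receiver will perform) without widening the set of permitted senders; the ip4 term alone already covers that host. The second call shows the forwarding case the later posts discuss: a forwarder re-sends the message from its own IP, which the record does not list, so SPF fails with -all regardless of how the record is written.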
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    34
    Rep Power
    2
    Hello coutts,

    As per your advice, I have implemented DMARC. Everything went fine until now. But when I sent an email to eevblog.com, I get an SPF fail. Please see the following report that I got.

    1. The source_ip is not mydomain.org's ip. It is changed to eevblog.com's ip.

    2. What does that "forwarded" mean ? (I guess, eevblog doesn't have a mail server of its own.)

    3. Why are there two <record><row> tags in the following XML? Usually there is only one.

    4. Is there anything I have to do in mydomain to fix this ?

    Please provide your comments. Thanks.


    Code:
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>http://support.google.com/a/bin/answer.py?answer=2466580</extra_contact_info>
        <report_id>1021396111114160563</report_id>
        <date_range>
          <begin>1374537600</begin>
          <end>1374623999</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>mydomain.org</domain>
        <adkim>s</adkim>
        <aspf>s</aspf>
        <p>quarantine</p>
        <sp>quarantine</sp>
        <pct>50</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>198.1.64.143</source_ip>
          <count>2</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
            <reason>
              <type>forwarded</type>
              <comment></comment>
            </reason>
            <reason>
              <type>sampled_out</type>
              <comment></comment>
            </reason>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>mydomain.org</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>mydomain.org</domain>
            <result>pass</result>
          </dkim>
          <spf>
            <domain>mydomain.org</domain>
            <result>fail</result>
          </spf>
        </auth_results>
      </record>
      <record>
        <row>
          <source_ip>198.1.64.143</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
            <reason>
              <type>forwarded</type>
              <comment></comment>
            </reason>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>mydomain.org</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>mydomain.org</domain>
            <result>pass</result>
          </dkim>
          <spf>
            <domain>mydomain.org</domain>
            <result>fail</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
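A parser for reports of the kind quoted above, added here as a worked example (it is not the poster's code and not Google's). It runs against a constructed report that mirrors the structure of the one posted: the same policy_published block and the placeholder domain mydomain.org, but made-up source IPs and report_id, plus a third record that is not in the thread's report and shows a spoofed message with no aligned DKIM or SPF result. The code applies the DMARC rule the next reply states: a message passes when at least one of aligned DKIM or aligned SPF passes and fails only when both do. Aggregate reports group messages by identical evaluation results, which is why one source IP can appear in more than one record; the relaxed-alignment organizational domain is approximated as the last two labels (an assumption that holds for the domains used here).

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate report for this example, modelled on the one
# quoted in the thread (same policy_published block, same placeholder
# domain). Source IPs and report_id are made up; the third record is an
# added spoofing case with no aligned DKIM or SPF result.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
 <report_metadata><org_name>google.com</org_name><report_id>0000000000000000001</report_id>
  <date_range><begin>1374537600</begin><end>1374623999</end></date_range></report_metadata>
 <policy_published><domain>mydomain.org</domain><adkim>s</adkim><aspf>s</aspf>
  <p>quarantine</p><sp>quarantine</sp><pct>50</pct></policy_published>
 <record>
  <row><source_ip>198.51.100.23</source_ip><count>2</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
   <reason><type>forwarded</type><comment></comment></reason>
   <reason><type>sampled_out</type><comment></comment></reason></policy_evaluated></row>
  <identifiers><header_from>mydomain.org</header_from></identifiers>
  <auth_results><dkim><domain>mydomain.org</domain><result>pass</result></dkim>
   <spf><domain>mydomain.org</domain><result>fail</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.23</source_ip><count>1</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
   <reason><type>forwarded</type><comment></comment></reason></policy_evaluated></row>
  <identifiers><header_from>mydomain.org</header_from></identifiers>
  <auth_results><dkim><domain>mydomain.org</domain><result>pass</result></dkim>
   <spf><domain>mydomain.org</domain><result>fail</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.55</source_ip><count>7</count><policy_evaluated>
   <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mydomain.org</header_from></identifiers>
  <auth_results><spf><domain>spammer.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>
"""


def _text(elem, path, default=""):
    """Text of the first child at `path`, or `default` when it is absent."""
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment. Strict ("s") needs an exact match; relaxed
    ("r") accepts the same organizational domain, approximated here as the
    last two labels (an assumption; real code needs a public-suffix list)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(auth_domain) == org(header_from)


def dmarc_result(record, policy):
    """Pass if any aligned DKIM or aligned SPF result passes; fail otherwise."""
    header_from = _text(record, "identifiers/header_from")
    dkim_ok = any(_text(d, "result") == "pass" and aligned(_text(d, "domain"), header_from, policy["adkim"])
                  for d in record.findall("auth_results/dkim"))
    spf_ok = any(_text(s, "result") == "pass" and aligned(_text(s, "domain"), header_from, policy["aspf"])
                 for s in record.findall("auth_results/spf"))
    return "pass" if dkim_ok or spf_ok else "fail"


def parse_report(xml_text):
    """Flatten an aggregate report into the published policy and one dict per record."""
    root = ET.fromstring(xml_text)
    pp = root.find("policy_published")
    policy = {k: _text(pp, k) for k in ("domain", "adkim", "aspf", "p", "sp", "pct")}
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "reasons": [_text(r, "type") for r in rec.findall("row/policy_evaluated/reason")],
            "dmarc": dmarc_result(rec, policy),
        })
    return {"org": _text(root, "report_metadata/org_name"), "policy": policy, "rows": rows}


def summarize(xml_text):
    """Message counts per DMARC result, the first figure a domain owner reads."""
    totals = {"pass": 0, "fail": 0}
    for row in parse_report(xml_text)["rows"]:
        totals[row["dmarc"]] += row["count"]
    return totals


if __name__ == "__main__":
    for row in parse_report(SAMPLE_REPORT)["rows"]:
        print(row)
    print(summarize(SAMPLE_REPORT))
```

The two forwarded records come out as DMARC pass: the forwarder broke SPF, but the DKIM signature survived and its domain aligns with the From: domain, so the published quarantine policy is never applied and disposition stays none. The added third record fails even though its SPF result is pass, because that pass is for the spammer's own MAIL FROM domain, which does not align with mydomain.org and therefore counts for nothing.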
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    45
    One of the drawbacks of SPF is that it breaks when mail is received by one server and forwarded to another. DMARC fails only when both SPF and DKIM fail. When both fail and you have it configured to reject failed messages, you will see the line:
    Code:
    <disposition>reject</disposition>
    Setting it to this mode is fine in my case because I do not have an operational mail server, and DMARC reports provide me with a record of domain abuse. In your case, you can see:
    Code:
    <disposition>none</disposition>
    because SPF failed, but DKIM passed. There are known cases when dealing with mail lists where both SPF and DKIM will fail.

    J.A. Coutts
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    34
    Rep Power
    2
    I understand that this is the usual behavior of SPF when forwarding. So do I have to change anything on my side? Thanks.
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    45
    Originally Posted by aniyanrajan6
    I understand that this is a usual behavior of SPF when forwarding. So do I have to change anything on my side ? Thanks.
    There is nothing you can do about it unless you want to add the forwarders to your SPF settings, and that could be a very fruitless task. DMARC was basically designed to combat phishing, and not particularly spam. Another one of the drawbacks of SPF was that there was no feedback mechanism to sort out delivery problems, and DMARC addresses that issue. What DMARC did for me was to dramatically reduce spammers using our domain to send spam through the big 3, and the subsequent backscatter from the big 3.

    J.A. Coutts
