SPF Configurations

Jeffrey_Negro1 · December 4, 2009, 4:25pm

I'm wondering if a few DNS experts out there could give me some input on
SPF record configuration. Our company sends out about 50k - 100k emails
a day, and most emails are on behalf of customers to their end users at
various domains (no, we're not spammers, these are email notifications
the end users have requested to receive). Some customers insist on
making the FROM address use their domain name, but the emails leave our
mail servers on our domain. SPF seems to be the way we could possibly
avoid more spam filters, and delivery rate is very important to our
company.

The server configuration consists of a mail server that sends outbound
only, out of a specific IP with proper MX, A, and PTR records. This is
a sample of the SPF configuration I believe would be correct:

Our company (example.com) records:

IN MX 10 mail.example.com

mail IN A
<ip address>

example.com IN TXT "v=spf1 mx -all"

example.com IN SPF "v=spf1 mx -all"

mail IN TXT
"v=spf1 a -all"

mail IN SPF
"v=spf1 a -all"

customer.com IN TXT "v=spf1
include:example.com -all"

customer.com IN SPF "v=spf1
include:example.com -all"

Our customer's (customer.com) records:

IN MX
10 mail.customer.com

mail IN A
<ip address>

customer.com IN TXT "v=spf1 mx -all"

customer.com IN SPF "v=spf1 mx -all"

mail IN TXT
"v=spf1 a -all"

mail IN SPF
"v=spf1 a -all"

customer.com IN TXT "v=spf1
include:example.com -all"

customer.com IN SPF "v=spf1
include:example.com -all"

I derived this from this tutorial:
http://www.zytrax.com/books/dns/ch9/spf.html .

The other part of this that may be of importance would be the NATing.
The FQDN that the world sees for the outside address of the NAT is not
the same as the inside FQDN that Postfix is using internally. Does this
cause any problems with SPF?

Any comments or suggestions would be great. Thanks in advance!

Jeffrey

Suresh_Ramasubramani · December 5, 2009, 1:33am

SPF records aren't going ot help as much as some list sending and
deliverability best practices (feedback loops etc) are.
Look at the MAAWG senders best practices document - www.maawg.org ->
Published Documents

Other than delivery to hotmail, spf is a total waste of time - plus it
plays russian roulette with whatever email you handle

Dave_CROCKER2 · December 5, 2009, 5:11am

Jeffrey Negro wrote:

SPF seems to be the way we could possibly
avoid more spam filters, and delivery rate is very important to our
company.

You've seen the anti-SPF rants. At the least, they should make clear to you that you should use SPF only and exactly for specific destinations that you already know require it. If you have any doubts about the requirement, you'll try to verify it; otherwise assume SPF won't solve your problems.

The other obvious mechanisms for validated identification to receiving operators is, of course, with DKIM. DKIM is entirely comfortable having a validated identifier (the d= parameter in the signature header field) be different than whatever is in the author header field (From:)

But either way, that's just identification.

As already noted on the thread, what matters most is the set of content and operations practices, to establish a rock solid reputation both of you and of your clients.

d/