Sunday, September 25, 2016

domain name system - SPF Setup - Sending from VPS and Google Apps



In follow-up to my question here, how on earth do I set up an SPF record?!?



I understand that I have to add a TXT record to my DNS entries but what to put in that TXT entry is what's confusing me...



I have a Windows 2008 VPS with two IPs - x.x.x.10 & x.x.x.20




I have two RDNS records for x.x.x.10 => bob.charlino.com & x.x.x.20 => simon.charlino.com



I have a web application set up on the server vallenous.com (note: different from the rDNS entries)



vallenous.com is set up to use google apps for email BUT I do wish to send some emails from the web application itself through the local SMTP server (IIS6 SMTP) on my VPS.



In response to the answers to my previous question, I've set the FQDN in my smtp virtual server to equal bob.charlino.com because when you send an email through the vallenous.com web application it seems to come from x.x.x.10.



Was this the correct thing to do? I noticed when I did this google mail wasn't giving it a soft fail anymore...




Secondly, how on earth do I set up the SPF record? I've done some googling but it all just confuses me. I need to set it up for google apps (which is outlined here) but I also need to set it up so I can send from my VPS.



And yes, I've seen a couple of SPF generator thingies but they aren't really clearing up any confusion... just adding to it really.


Answer



I'd suggest that you need the following in your TXT record:



"v=spf1 mx ip4:x.x.x.10 include:aspmx.googlemail.com ~all"



This was generated by the first SPF generator you linked to.




It states that your domain is using SPF v1.



The mx keyword states that any server listed in a DNS MX record as a mail server is allowed to send mail from this domain.



The ip4: bit states that the given IPv4 address is allowed to send mail from this domain.



The include: part states that any server allowed to send mail for the aspmx.googlemail.com domain is also allowed to send for your domain - this bit lets google apps email work. If google add/change which servers they use, they will change their SPF record for their aspmx.googlemail.com domain (and hence your domain will carry on working without needing to be changed any time google make a change...)



The ~all part states that the previous parts should be all the allowed mail servers. Any other server sending email claiming to be from this domain is probably in error - accept the email but you might want to check it more thoroughly for spam, etc.




If you use -all instead of ~all, it states that any other server sending email claiming to be from this domain is definitely in error - don't accept the email (or accept and delete it). Google recommend you don't use this setting as it can be a bit over-zealous and lead to mail being lost.
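To make the mechanisms in that answer concrete, here is a small SPF evaluator added as an example (it is not code from the original post). It walks a record term by term the way a receiving mail server would, against a constructed in-memory DNS table: 203.0.113.10 stands in for x.x.x.10, 198.51.100.0/24 stands in for Google's real ranges, and strict.example is a made-up domain included only to show -all beside ~all.

```python
import ipaddress

# Constructed DNS view for the example; a real check would query DNS.
DNS = {
    "vallenous.com": {
        "TXT": "v=spf1 mx ip4:203.0.113.10 include:aspmx.googlemail.com ~all",
        "MX": ["aspmx.l.google.com"],
    },
    "aspmx.l.google.com": {"A": ["198.51.100.5"]},
    "aspmx.googlemail.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    # Same policy as vallenous.com but with a hard fail at the end.
    "strict.example": {"TXT": "v=spf1 ip4:203.0.113.10 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record; return the SPF result."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms; also guards include loops
        return "permerror"
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default is pass
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech == "mx":
            # any A record of a host listed in the domain's MX records
            matched = any(sender_ip in DNS.get(h, {}).get("A", [])
                          for h in DNS.get(domain, {}).get("MX", []))
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only if the referenced domain's policy says pass
            matched = check_spf(mech[8:], sender_ip, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism (ip6, a, exists not modelled)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an "all" term
```

With the ~all record, an unknown sender gets "softfail" (accepted, but flagged); the same sender against strict.example gets "fail".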

