마법사와 발송인 정책 구성 (SPF) 영역 DNS TXT 기록을 설치하고 창조하는 방법

SPF (발송인 정책 구성)는 a이다 표준 저것은 돌려보내 경로 스팸 메시지에서 저 상용된 우편물 봉투 SMTP 우편물에 있는 위조했거나 속ㄴ 발송인 이메일 주소를에서 멈추고 삭제하기 위하여 창조되었다. SPF는 단순 전자우편 전송 프로토콜 (SMTP)에 연장으로 작동하고, 릴레이 MTA (우편물 수송 대리인)가 그 권한외와 unapproved 메일 서버에게서 보내진 전자 우편 스팸을 확인하고 거절하는 것을 허용한다.

SPF는 그런 방법에 있는 영역의 전자 우편 납품 가동 일을 가능하게 했다: 인터넷 도메인 이름의 소유자는 영역 지역 DNS 이름 서버에 있는 TXT 기록의 특별한 체재를 사용하여 SPF 기록을 정의한다. SPF는 저 영역을 위한 전자 우편을 전달하기 위하여 어느 기계가 허가하는지 지정한다. 전자 우편이 메일 서버에 의해 주어질 경우, MTA는 DNS 해결책에서 SPF 전자 우편이 정당한 서버로부터 기인된ㄴ다는 것을 결정하기 위하여 기록을 질문할 것이다. SPF 통행 결과가 돌려보내지는 경우에, 전자 우편은 배달해 받아들여지고 얻는다. 그밖에 SPF 실패 결과가 돌려보내지는 경우에, 전자 우편은 거절되고 튀긴다. 아직도 거의 확실하게 현재 SPF 실시로 스팸으로, 걸러지는 전자 우편을, 받아들이는 것은 대중적이지 않 그러나 최대 MTA에 의하여 현재 즉시 SPF 실패 전자 우편을 튀지 않으며, SOFTFAIL로 대신 표를 붙이고, 틀린 SPF 기록 창조의 높은 가능성으로 가지고있ㄴ다.

SPF 기록이 이지 않더라도 a는 해야 한다, 그러나 SPF 불법으로에서 스팸 결함을 멈추기 위하여 기록을 설치하는 좋은 연습 속이고 잊는다 당신 영역의 이메일 주소를이다. SPF가, MX, A, CNAME 및 PTR 기록 같이, DNS 영역 나무 수준의 일부분이기 때문에, 영역 소유자는 이 기록을 창조하는 oder에 있는 영역 DNS 지역 권위있는 서버에 완전통제가 있어야 할 것이다. 가장 중요하게, AOL와 같은 IPSs 및 BellSouth는 지금 그들의 whitelist 프로그램에 있는 포함을 위해 유효한 SPF 기록을 요구한다. 발송인 ID 기록은 불변 MSN/Hotmail 납품을 위해 마이크로소프트에 의해 곧 요구될 것이다.

SPF 기록을 위한 중요한 문제점은 쓰는 방법 이고 영역을 위해 유효하고 정확한 영역을 위한 전자 우편을 보내는 모든 SMTP 서버로 SPF 기록을, 제대로 창조하는 것은 정의되어야 한다. 전형적으로, SPF 기록을 위한 DNS 통어론은 따르기 같이 본다:

example.com. TXT "v=spf1에서 mx - 전부"

이해하는 것은 매우 단단하다. 운이 좋게 웹마스터와 영역 행정관이 쉽게 유효한 SPF DNS 입장을 설치할 것을 돕는 공구가 있다. OpenSPF offers Record Setup Wizard and Microsoft has Sender ID Framework SPF Record Wizard. Although both a wizard, it may still pretty hard to comprehend especially for people exposed to SPF for the first time or novice. Here are some brief explanation of what each questions in the wizards are meant.

First, you must enter the domain name (e.g. example.com) that you want to set up the SPF record. The wizard will then try to retrieve if there is any existing SPF record. If existing record is found, the wizard allows you to modify it, or you can continue to set up the SPF by answering several questions.

For this guide, we will follow Microsoft Sender ID Framework SPF Record Wizard, and cross reference to OpenSPF’s wizard, and OpenSPF’s wizard options can be easily identified by using the symbol A, MX, PTR and etc which are clearly marked.

If the domain does not send any email, check Domain Not Used for Sending E-Mail. All other fields are instantly disabled and grayed out, as it’s no longer useful (and not valid) to define other mechanism. To achieve this options in OpenSPF wizard, mark all radio button as “No”, except the last one (~all) as “Yes”.

If the domain mail server is also the one defined in MX record, check Domain’s inbound servers may send mail in Inbound Mail Servers Send Outbound Mail section. In the same section, the detected MX server host name is displayed. If you have multiple mail servers defined in MX records, and want to specifically allow only some of them to relay mail for the domain, then uncheck the previous option, and tick all the valid outbound e-mail server for this domain. The above two options is represented by mx (green) and mx: (light green) in OpenSPF. Beside, if the domain route emails through the MX server of another domain, such as the ISP, specify the domain names in the box provided too (also as mx: in OpenSPF).

For Outbound Mail Server Addresses, if all the domain web servers (as configured in DNS A record) is also the mail server, then tick the All addresses listed in A records may send mail option. The IP addresses of the detected A record is displayed. Again, if you just want to specify few IP addresses as authorized mail server, select them. You can also enter any additional IP addresses (or ranges of addresses) you wish to add to your SPF record (one address or address range per line), and any additional domain names whose A records refer to valid outbound e-mail servers for the domain. This represent a (green), ip4: and a: (light green) on the OpenSPF wizard.

You can also specify that if a mail server IP address is resolved to your domain name after reverse DNS lookup, it can send the email by ticking All PTR records resolve to outbound email servers. Enter any domain names whose PTR records resolve to valid outbound e-mail servers in the text box provided. In OpenSPF, only PTR is provided, and not PTR: which allows you to enter more domain names. And it suggests that this option is expensive, unreliable and not recommended.

If you have mail sent on behalf of the domain is at times actually delivered to its recipients by the computers of another domain, then fill in the text box in Outsourced Domains section the additional domain names whose SPF records refer to valid outbound e-mail servers. This translate to include: in OpenSPF.

The final section has this question “Does example.com send e-mail from any IP addresses that are not identified in the above sections?” or “Do the above lines describe all the hosts that send mail from surfnova.com?”. This question will translate to one of the following qualifiers for ALL mechanism, which describe how the mail server not matched with SPF record is handled:

• + for a PASS result, this can be omitted.
• - for FAIL, the mail should be rejected.
• ? for a NEUTRAL result interpreted like NONE (no policy).
• ~ for SOFTFAIL, a debugging aid between NEUTRAL and FAIL.

OpenSPF wizard allows only selection of Yes (~) or No (-).

In any case, the Scope section should select Both setting to support all email identities validation, including Purported Responsible Address (PRA) derived from RFC 2822 message headers and MAIL FROM (or reverse-path) address derived from the RFC 2821 protocol’s MAIL command.

Continue next the wizard will generate the SPF record. You will notice that all SPF record start with v=spf1. “v=” defines the version of SPF used, and is mandatory to identify it’s the SPF record. Currently only the only version supported is spf1.

Once get the SPF record, copy and paste the text to the DNS entry as a TXT record. Depending on your DNS system, you may have to exclude the quotation mark (”) when entering the text in DNS system, although the wizard will put the entire text within the quotes.

For those who interested, you can read the definition of A, IP4, MX, PTR and other mechanisms here:

ALL: Matches always, used for a default result like -all for all IPs not matched by prior mechanisms.
A: If the domain name has an A (or AAAA for IPv6 ) record corresponding to the sender’s address, it will match. (That is, the mail comes directly from the domain name.)
IP4: Use IPv4 addresses for verification, match if the sender is in a given IPv4 range.
IP6: use IPv6 addresses for verification, match if the sender is in a given IPv6 range.
MX: If the domain name has an MX record resolving to the sender’s address, it will match. (That is, the mail comes from one of the domain’s mail servers)
PTR: If the Forward Confirmed reverse DNS domain of the sending IP ending in the domain name.
EXISTS: If the given domain resolves, match (no matter the address it resolves to). Rarely used, along with the SPF macro language it offers more complex matches like DNSBL-queries.
INCLUDE: If the included (a misnomer) policy passes the test this mechanism matches. This is typically used to include policies of more than one ISP.

Actually all of the above mechanisms can mix and match with 4 qualifiers mentioned earlier. But due to the limit of wizard, not all options are available. And for complicated use, there are modifiers such as REDIRECT. And normally, when one condition is matched, the email will get a PASS. So if your mail system is simple, simply define the MX or IP address will work as mentioned.

For example, mydigitallife.info has the following SPF record, “v=spf1 ip4:75.127.69.98 mx a:host.mydigitallife.info mx:mydigitallife.info ~all”. A lot of duplication, but at least the email will send correctly.

To check if your SPF record is correct, there are various http://www.kitterman.com/spf/validate.html“>SPF checker, tester or validator available, including My Digital Life’s SPF Validation - Sender Profile Framework Testing and Checking Tool.

IMPORTANT: This is a machine translated page which is provided "as is" without warranty. Machine translation may be difficult to understand. Please refer to original English article whenever possible.

Share and contribute or get technical support and help at My Digital Life Forums.

Related Articles

• How to Check, Test and Validate SPF Record in DNS is Correct and Valid
• SPF Validation - Sender Profile Framework Testing and Checking Tool
• Lowest Number MX Record Points to Local Host Rejected RCPT Error
• Domain Does Not Have Any NS Records Error at DNSStuff.com or DNSReport.com
• Email Bounces Back with “unrouteable mail domain” Error
• Free DNS (Name Server) Hosting Services
• Tools
• How to Flush and Reset DNS Cache
• Google Domain Names Registration and Search for Free Apps for Your Domain
• How to Activate and Use FeedBurner MyBrand for Free

This entry was posted on Wednesday, August 8th, 2007 at 1:36 am and is filed under Webmaster Resources. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.