How to Set Up and Create a Sender Policy Framework (SPF) Domain DNS TXT Record with a Wizard

SPF (Sender Policy Framework) is a standard created to stop and eliminate the forged or spoofed sender addresses in the SMTP envelope MAIL FROM (or Return-Path) that are commonly used in spam. SPF works as an extension to the Simple Mail Transfer Protocol (SMTP), and allows the relaying MTA (Mail Transfer Agent) to identify and reject spam sent from unauthorized and unapproved mail servers.

SPF lets a domain's email delivery work in this way: the owner of an Internet domain defines the SPF record as a TXT record in a special format in the domain zone on the DNS name server. The SPF record specifies which machines are authorized to send email for that domain. When an email is received by a mail server, the MTA queries the SPF record through the DNS resolver to determine whether the email originates from a legitimate server. If an SPF PASS result is returned, the email is accepted and delivered. If an SPF FAIL result is returned, the email is rejected and bounced. At present most MTAs do not immediately bounce SPF FAIL email; they mark it as SOFTFAIL instead and still accept the email, most likely to be filtered as spam, because SPF is not yet universally implemented and there is a high potential for creating erroneous SPF records.

Although an SPF record is not a must, it is good practice to set one up to stop spammers from illegitimately spoofing and forging email from your domain. Because SPF, like MX, A, CNAME and PTR records, is part of the DNS domain tree, the domain owner must have full control of the authoritative DNS zone server for the domain in order to create this record. Most importantly, some ISPs such as AOL and BellSouth now require a valid SPF record for inclusion in their whitelist programs. Sender ID records will soon be required by Microsoft for unaltered MSN/Hotmail delivery.

The main difficulty with SPF records is how to write them: for the SPF record created for a domain to be valid and correct, all SMTP servers that send email for the domain must be properly defined in it. In general, the DNS syntax for an SPF record looks like the following:

example.com. IN TXT "v=spf1 mx -all"

This is quite hard to understand. Luckily there are tools that help webmasters and domain administrators easily set up valid SPF DNS entries. OpenSPF offers a Record Setup Wizard and Microsoft has the Sender ID Framework SPF Record Wizard. Although both are wizards, they may still be pretty hard to comprehend, especially for novices or people exposed to SPF for the first time. Here is a brief explanation of what each question in the wizards means.

First, you must enter the domain name (e.g. example.com) for which you want to set up the SPF record. The wizard will then try to retrieve any existing SPF record. If an existing record is found, the wizard allows you to modify it, or you can continue to set up the SPF record by answering several questions.

For this guide, we will follow the Microsoft Sender ID Framework SPF Record Wizard and cross-reference it to OpenSPF's wizard, whose options are easy to identify because they are clearly marked with the mechanism names such as A, MX and PTR.

If the domain does not send any email, check Domain Not Used for Sending E-Mail. All other fields are immediately disabled and grayed out, as it is no longer useful (or valid) to define other mechanisms. To achieve the same in the OpenSPF wizard, mark all radio buttons as "No", except the last one (~all) as "Yes".

If the domain's mail server is also the one defined in the MX record, check Domain's inbound servers may send mail in the Inbound Mail Servers Send Outbound Mail section. In the same section, the detected MX server host names are displayed. If you have multiple mail servers defined in MX records and want to allow only some of them to relay mail for the domain, then uncheck the previous option and tick only the valid outbound e-mail servers for this domain. The above two options are represented by mx (green) and mx: (light green) in OpenSPF. Besides that, if the domain routes email through the MX servers of another domain, such as your ISP's, specify those domain names in the box provided too (also mx: in OpenSPF).

For Outbound Mail Server Addresses, if all the domain's web servers (as configured in DNS A records) are also mail servers, then tick the All addresses listed in A records may send mail option. The IP addresses of the detected A records are displayed. Again, if you just want to specify a few IP addresses as authorized mail servers, select only them. You can also enter any additional IP addresses (or ranges of addresses) you wish to add to your SPF record (one address or address range per line), and any additional domain names whose A records refer to valid outbound e-mail servers for the domain. These are represented by a (green), ip4: and a: (light green) in the OpenSPF wizard.

You can also specify that a mail server whose IP address resolves to your domain name after a reverse DNS lookup may send email, by ticking All PTR records resolve to outbound email servers. Enter any domain names whose PTR records resolve to valid outbound e-mail servers in the text box provided. In OpenSPF, only PTR is offered, not PTR: which would allow you to enter more domain names, and the wizard notes that this option is expensive, unreliable and not recommended.

If mail sent on behalf of the domain is at times actually delivered to its recipients by the computers of another domain, then fill in the text box in the Outsourced Domains section with the additional domain names whose SPF records refer to valid outbound e-mail servers. This translates to include: in OpenSPF.

The final section asks the question "Does example.com send e-mail from any IP addresses that are not identified in the above sections?" or "Do the above lines describe all the hosts that send mail from surfnova.com?". The answer translates to one of the following qualifiers for the ALL mechanism, which decides how mail from servers not matched by the SPF record is handled:

  • + for a PASS result, this can be omitted.
  • - for FAIL, the mail should be rejected.
  • ? for a NEUTRAL result interpreted like NONE (no policy).
  • ~ for SOFTFAIL, a debugging aid between NEUTRAL and FAIL.

OpenSPF wizard allows only selection of Yes (~) or No (-).

In any case, the Scope section should be set to Both to support validation of all email identities, including the Purported Responsible Address (PRA) derived from the RFC 2822 message headers and the MAIL FROM (or reverse-path) address derived from the RFC 2821 protocol's MAIL command.

Continue to the next step and the wizard will generate the SPF record. You will notice that all SPF records start with v=spf1. "v=" defines the version of SPF used and is mandatory to identify the TXT record as an SPF record. Currently the only supported version is spf1.

Once you have the SPF record, copy and paste the text into your DNS zone as a TXT record. Depending on your DNS system, you may have to leave out the quotation marks (") when entering the text, even though the wizard puts the entire text within quotes.

For those who are interested, the definitions of the A, IP4, MX, PTR and other mechanisms are as follows:

ALL: Always matches; used for a default result such as -all for all IPs not matched by prior mechanisms.
A: If the domain name has an A (or AAAA for IPv6) record corresponding to the sender's address, it will match. (That is, the mail comes directly from the domain name.)
IP4: Uses IPv4 addresses for verification; matches if the sender is in the given IPv4 range.
IP6: Uses IPv6 addresses for verification; matches if the sender is in the given IPv6 range.
MX: If the domain name has an MX record resolving to the sender's address, it will match. (That is, the mail comes from one of the domain's mail servers.)
PTR: Matches if the forward-confirmed reverse DNS hostname of the sending IP ends in the domain name.
EXISTS: If the given domain resolves, it matches (no matter which address it resolves to). Rarely used; together with the SPF macro language it allows more complex matches such as DNSBL queries.
INCLUDE: If the included policy (a misnomer) passes the test, this mechanism matches. This is typically used to include the policies of more than one ISP.

Actually, all of the above mechanisms can be mixed and matched with the 4 qualifiers mentioned earlier, but due to the limits of the wizards not all options are available. For complicated setups there are also modifiers such as REDIRECT. Normally, when one mechanism matches, evaluation stops there and the email gets a PASS (the default + qualifier). So if your mail system is simple, simply defining the MX or the IP address will work as mentioned.

For example, mydigitallife.info has the following SPF record: "v=spf1 ip4:75.127.69.98 mx a:host.mydigitallife.info mx:mydigitallife.info ~all". There is a lot of duplication, but at least the email will be sent correctly.
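To make the qualifier list, the mechanism definitions and the left-to-right "first match wins" rule above concrete, here is a small SPF evaluator added for this guide (it is not code from the article, OpenSPF or Microsoft). It runs against a constructed, in-memory DNS table instead of live lookups; the example.com zone, the hypothetical _spf.isp.example policy and nomail.example.com are assumptions, shaped like the record shown above.

```python
import ipaddress
# Constructed DNS answers standing in for live lookups (assumption: no network access);
# the zone mirrors the article's example record shape: ip4, mx, a:, include:, ~all.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:75.127.69.98 mx a:host.example.com include:_spf.isp.example ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("host.example.com", "A"): ["203.0.113.10"],
    ("_spf.isp.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],  # hypothetical ISP policy
    ("nomail.example.com", "TXT"): ["v=spf1 -all"],                  # "domain not used for sending e-mail"
}
# The four qualifiers from the article; "+" is the default when none is written.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def host_matches(ip, names):
    # True if any A record of the given hostnames equals the sending IP
    return any(ip == ipaddress.ip_address(a) for n in names for a in lookup(n, "A"))

def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for sending address ip like a receiving MTA: mechanisms are
    tried left to right and the first match decides the result through its qualifier."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    ip = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"                   # no SPF record published
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across IPv4/IPv6 families
        elif mech == "a":
            matched = host_matches(ip, [arg or domain])
        elif mech == "mx":
            matched = host_matches(ip, lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_host(str(ip), arg, depth + 1) == "pass"  # only a PASS of the included policy matches
        else:
            return "permerror"          # ptr, exists and the redirect= modifier are left out of this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no "all" term present
```

Swapping the ~all for -all in the table shows how the same unknown sender goes from SOFTFAIL to FAIL, which is exactly the choice the wizards' last question makes.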

To check if your SPF record is correct, there are various SPF checkers, testers or validators available, for example http://www.kitterman.com/spf/validate.html, including My Digital Life's SPF Validation - Sender Profile Framework Testing and Checking Tool.

IMPORTANT: This is a machine translated page which is provided "as is" without warranty. Machine translation may be difficult to understand. Please refer to original English article whenever possible.

2 Responses to “How to Set Up and Create Sender Policy Framework (SPF) Domain DNS TXT Record with Wizard”

  1. How to Check, Test and Validate SPF Record in DNS is Correct and Valid » My Digital Life
    August 8th, 2007 14:45

    [...] you need to set up SPF record for your domain, check out this SPF guide. Get help or contribute tips or tricks at My Digital Life [...]

  2. Sam
    May 9th, 2008 04:49

    Thanks for the great articles.

    I have been having suspected SPF email issues and stumbled upon this just now.

    Fantastic - I have now identified what my hosting providers have been screwing up for the last 4 months.

    Keep up the good work!
