How to Set Up and Create a Sender Policy Framework (SPF) Domain DNS TXT Record with a Wizard

SPF (Sender Policy Framework) is a standard that was created for the SMTP envelope MAIL FROM or Return-Path address in order to stop and eliminate forged or spoofed sender email addresses, which are commonly used in spam. SPF works as an extension to the Simple Mail Transfer Protocol (SMTP) and allows a relaying MTA (Mail Transfer Agent) to identify and reject spam sent from unauthorized and unapproved mail servers.

SPF makes a domain's email delivery work in this way: the owner of an Internet domain defines an SPF record, using a TXT record in a special format, on the authoritative DNS name servers for the domain zone. The SPF record specifies which machines are authorized to send email for that domain. When an email is received by a mail server, the MTA queries the SPF record through its DNS resolver to determine whether the email originated from a legitimate server. If an SPF PASS result is returned, the email is accepted and delivered. If an SPF FAIL result is returned, the email is rejected and bounced. Most MTAs currently do not bounce SPF FAIL email straight away and instead flag it with SOFTFAIL while still accepting the email, which will then most likely be filtered as spam, because SPF adoption is not yet universal and there is a high potential for incorrectly created SPF records.

Although an SPF record is not a must, it is good practice to set one up to stop spammers from illegally spoofing and forging your domain's email. Because SPF, like MX, A, CNAME and PTR records, is part of the DNS domain tree, the domain owner must have full control of the domain's authoritative DNS zone server in order to create this record. Most importantly, some ISPs such as AOL and BellSouth now require a valid SPF record for inclusion in their whitelist programs. Sender ID records will soon be required by Microsoft for undisrupted MSN/Hotmail delivery.

The main sticking point with SPF records is how to write one: every SMTP server that sends email for the domain must be properly defined in order for the SPF record created for the domain to be valid and correct. In general, the DNS syntax for an SPF record looks like the following:

example.com. IN TXT "v=spf1 mx -all"

This is quite hard to understand. Fortunately there are tools that help webmasters and domain administrators easily set up valid SPF DNS entries. OpenSPF offers a Record Setup Wizard and Microsoft has the Sender ID Framework SPF Record Wizard. Although both are wizards, they can still be pretty hard to comprehend, especially for novices or people exposed to SPF for the first time. Here is a brief explanation of what each question in the wizards means.

First, you must enter the domain name (e.g. example.com) for which you want to set up the SPF record. The wizard will then try to retrieve any existing SPF record. If an existing record is found, the wizard allows you to modify it, or you can continue to set up SPF by answering several questions.

For this guide, we will follow the Microsoft Sender ID Framework SPF Record Wizard and cross-reference it to OpenSPF's wizard, whose options can be easily identified by the clearly marked mechanism names a, mx, ptr, etc.

If the domain does not send any email, check Domain Not Used for Sending E-Mail. All other fields are instantly disabled and grayed out, as it is no longer useful (or valid) to define other mechanisms. To achieve this in the OpenSPF wizard, mark all radio buttons as “No”, except the last one (~all) as “Yes”.

If the domain's mail server is also the one defined in the MX record, check Domain's inbound servers may send mail in the Inbound Mail Servers Send Outbound Mail section. In the same section, the detected MX server host names are displayed. If you have multiple mail servers defined in MX records and want to allow only some of them to relay mail for the domain, then uncheck the previous option and tick all the valid outbound e-mail servers for this domain. These two options are represented by mx (green) and mx: (light green) in OpenSPF. Besides that, if the domain routes email through the MX servers of another domain, such as your ISP's, specify those domain names in the box provided too (also mx: in OpenSPF).

For Outbound Mail Server Addresses, if all the domain's web servers (as configured in DNS A records) are also mail servers, then tick the All addresses listed in A records may send mail option. The IP addresses of the detected A records are displayed. Again, if you just want to specify a few IP addresses as authorized mail servers, select them. You can also enter any additional IP addresses (or ranges of addresses) you wish to add to your SPF record (one address or address range per line), and any additional domain names whose A records refer to valid outbound e-mail servers for the domain. These correspond to a (green), and ip4: and a: (light green) in the OpenSPF wizard.

You can also specify that a mail server whose IP address resolves to your domain name after a reverse DNS lookup may send email, by ticking All PTR records resolve to outbound email servers. Enter any domain names whose PTR records resolve to valid outbound e-mail servers in the text box provided. In OpenSPF, only ptr is provided, not ptr:, which would allow you to enter more domain names. OpenSPF also notes that this option is expensive, unreliable and not recommended.

If mail sent on behalf of the domain is at times actually delivered to its recipients by the computers of another domain, then fill in the Outsourced Domains text box with the additional domain names whose SPF records refer to valid outbound e-mail servers. This translates to include: in OpenSPF.

The final section asks “Does example.com send e-mail from any IP addresses that are not identified in the above sections?” or “Do the above lines describe all the hosts that send mail from surfnova.com?”. The answer translates to one of the following qualifiers for the all mechanism, which describes how mail from a server not matched by the SPF record is handled:

  • + for a PASS result, this can be omitted.
  • - for FAIL, the mail should be rejected.
  • ? for a NEUTRAL result, interpreted like NONE (no policy).
  • ~ for SOFTFAIL, a debugging aid between NEUTRAL and FAIL.

OpenSPF wizard allows only selection of Yes (~) or No (-).

In any case, the Scope section should be set to Both to support validation of all email identities, including the Purported Responsible Address (PRA) derived from the RFC 2822 message headers and the MAIL FROM (or reverse-path) address derived from the MAIL command of the RFC 2821 protocol.

Continue to the next step and the wizard will generate the SPF record. You will notice that every SPF record starts with v=spf1. “v=” defines the version of SPF used and is mandatory, as it identifies the TXT record as an SPF record. Currently the only version supported is spf1.

Once you have the SPF record, copy and paste the text into your DNS as a TXT record. Depending on your DNS system, you may have to leave out the quotation marks (") when entering the text, although the wizard puts the entire text within quotes.

For those who are interested, here are the definitions of the a, ip4, mx, ptr and other mechanisms:

ALL: Always matches; used for a default result, such as -all for all IPs not matched by prior mechanisms.
A: If the domain name has an A (or AAAA for IPv6) record corresponding to the sender's address, it will match. (That is, the mail comes directly from the domain name.)
IP4: Use IPv4 addresses for verification; match if the sender is in a given IPv4 range.
IP6: Use IPv6 addresses for verification; match if the sender is in a given IPv6 range.
MX: If the domain name has an MX record resolving to the sender's address, it will match. (That is, the mail comes from one of the domain's mail servers.)
PTR: If the forward-confirmed reverse DNS domain of the sending IP ends in the domain name, it will match.
EXISTS: If the given domain resolves, it matches (no matter which address it resolves to). Rarely used; together with the SPF macro language it offers more complex matches, such as DNSBL queries.
INCLUDE: If the included (a misnomer) policy passes the test, this mechanism matches. This is typically used to include the policies of more than one ISP.

All of the above mechanisms can be mixed and matched with the 4 qualifiers mentioned earlier, but because of the limits of the wizards, not all options are available. For complicated setups there are also modifiers such as REDIRECT. Normally, as soon as one mechanism is matched the email gets that mechanism's result, usually a PASS. So if your mail system is simple, simply defining the MX or IP address will work as mentioned.

For example, mydigitallife.info has the following SPF record: “v=spf1 ip4:75.127.69.98 mx a:host.mydigitallife.info mx:mydigitallife.info ~all”. There is a lot of duplication, but at least the email will be sent correctly.

To check that your SPF record is correct, there are various SPF checkers, testers or validators available (for example http://www.kitterman.com/spf/validate.html), including My Digital Life's SPF Validation - Sender Profile Framework Testing and Checking Tool.
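To make the qualifier and mechanism rules above concrete, here is an added example (not code from the original article or from either wizard) of a minimal SPF evaluator. It runs offline against a constructed in-memory DNS table: the mydigitallife.info record is the one quoted above, while isp.example, outsourced.example, parked.example and all IP addresses are made up for the example.

```python
import ipaddress
# Constructed in-memory DNS data (keys: (name, rrtype)) standing in for real lookups.
FAKE_DNS = {
    ("mydigitallife.info", "TXT"): ["v=spf1 ip4:75.127.69.98 mx a:host.mydigitallife.info mx:mydigitallife.info ~all"],
    ("mydigitallife.info", "MX"): ["mail.mydigitallife.info"],
    ("mail.mydigitallife.info", "A"): ["75.127.69.98"],
    ("host.mydigitallife.info", "A"): ["75.127.69.99"],
    ("isp.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],            # an ISP's own policy
    ("outsourced.example", "TXT"): ["v=spf1 include:isp.example -all"],  # relays through the ISP
    ("parked.example", "TXT"): ["v=spf1 -all"],                          # sends no mail at all
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    return FAKE_DNS.get((name.lower(), rrtype), [])

def ip_in(ip, spec):  # spec is a single address or a CIDR block; v4/v6 mismatch never matches
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def check_spf(domain, ip, depth=0):
    """Evaluate domain's SPF record for sender ip: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:
        return "permerror"  # guard against include: loops
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"  # no record, or ambiguous duplicates
    for term in records[0].split()[1:]:
        qual = "+"  # a mechanism with no explicit qualifier means PASS
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if "=" in term:
            continue  # modifiers such as exp= are ignored in this simplified evaluator
        name, _, arg = term.lower().partition(":")
        target = arg or domain  # "mx" and "a" with no argument refer to the domain itself
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(target, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, a) for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        elif name == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"  # only a PASS inside counts
        else:
            return "permerror"  # ptr/exists and the macro language are not implemented here
        if matched:
            return QUALIFIERS[qual]  # the first matching mechanism decides the result
    return "neutral"  # nothing matched and there was no "all" term
```

The evaluator shows why the order of mechanisms matters and why a record ending in ~all only softfails an unknown sender, while a parked domain's "v=spf1 -all" fails every sender outright.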

2 Responses to “How to Set Up and Create Sender Policy Framework (SPF) Domain DNS TXT Record with Wizard”

  1. How to Check, Test and Validate SPF Record in DNS is Correct and Valid » My Digital Life
    August 8th, 2007 14:45

    [...] you need to set up SPF record for your domain, check out this SPF guide. Get help or contribute tips or tricks at My Digital Life [...]

  2. Sam
    May 9th, 2008 04:49

    Thanks for the great articles.

    I have been having suspected spf email issues and stumbled upon this just now.

    Fantastic - I have now identified what my hosting providers have been screwing up for the last 4 months.

    Keep up the good work!
