Correct DNS TXT SPF for Dreamhost + Gmail


#1

I’ve been playing around with SPF TXT records trying to get it working properly.

I want to send email from my domain (TLS smtp or webmail or phpmail etc) and from Gmail.

The basic one didn’t work (softfail):
v=spf1 a mx include:gmail.com ~all

What would be the correct SPF record and will it ever need to be updated?


#2

Okay, I now have this instead; I believe it works well.

v=spf1 ptr:dreamhost.com -all

The dash means hard-fail, which is the highest protection your emails could have against someone pretending to be you. If you send email through Dreamhost SMTP (port 465, enable TLS, put your email address in the username and use mail.yourdomain.com as the outgoing SMTP server), then this is for you!!!

I would go so far as to say that ALL accounts should be set like this by default. I still send email through my ISP that looks like it came from my domain - just as long as you don’t try to forge your sender email e.g. keep your ISP address (or any bogus email @yourisp.com) in the FROM field and only put your domain emails in the REPLY-TO field. No problems.

Or, if you want fewer mail servers to trust your emails, and you want people all around the world (and yourself) getting spam that pretends to be from you, don’t do it :stuck_out_tongue:


#3

“I still send email through my ISP that looks like it came from my domain”

You can add ptr:ispdomain.com and then there’s no need to maintain your ISP’s address in the From.

Using ptr:xxxx is less efficient for the recipient than if DH supported SPF, however. (See http://new.openspf.org/Mechanism/ptr.)


#4

Should they also fix the various DNS errors?

DNS info for dreamhost.com
ERROR: Some of your nameservers listed at the parent nameservers did not respond. The ones that did not respond are:

66.201.54.66

WARNING: One or more of your DNS servers does not accept TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems. The problem servers are:

66.33.206.206: Timeout.
66.201.54.66: Timeout.
66.33.216.216: Timeout.

WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.
mx2.looney.mail.dreamhost.net claims to be host gollum.dreamhost.com [but that host is at 66.33.209.16 (may be cached), not 66.33.208.144].
mx1.looney.mail.dreamhost.net claims to be host legolas.dreamhost.com [but that host is at 66.33.212.10 (may be cached), not 66.33.208.143].

Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).


#5

“I would go so far as to say that ALL accounts should be set like this by default.”

Ugh. please no. SPF is a point of contention at the small ISP/hosting company I work for. By policy, we do strict SPF checking, and it was enabled for customers by default before I started and it’s been nothing but trouble. I can’t count the number of calls I’ve fielded from users sending mail via their ISP’s mail server and having their mail to us or to other addresses at their domain bounce with SPF errors. Of course they blame it on us (not entirely inaccurately) because the vast majority of other networks don’t do strict checking.

The very fact that most networks don’t do strict checking makes it fairly useless anyway. It certainly won’t prevent others forging your address. This, along with the problems inherent in SPF, makes a pretty solid argument for not using it.


If you want useful replies, ask smart questions.


#6

I think the best SPF record for Dreamhost is probably:

v=spf1 include:spf.dreamhosters.com ~all

It isn’t “official” (though it is mentioned in the wiki), but the Dreamhost SPF record is at least published by some user on Dreamhost (it includes all Dreamhost IP addresses; see http://www.dnsstuff.com/tools/lookup.ch?name=spf.dreamhosters.com&type=TXT ).

So for newbies, the above line means that all email sent from a Dreamhost server is “OK”, all emails sent from a non-Dreamhost server will be “closely scrutinized” (e.g. a soft-fail). Much nicer than a hard fail ("-all") where non-Dreamhost emails are just plain rejected (bad if you forward emails).

If you send email from Gmail and Dreamhost, do the following:

v=spf1 include:spf.dreamhosters.com include:gmail.com ~all
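As an added illustration (not code from any of the posts above), here is a minimal SPF evaluator that walks a record's mechanisms left to right and shows how `include:`, `a`, `mx`, `ptr:` and the `~all` / `-all` qualifiers discussed in this thread turn into pass, softfail or fail. All domains, addresses and TXT records are constructed test data held in a dictionary instead of live DNS.

```python
import ipaddress

# Constructed DNS data for the example (not real records): name -> {rrtype: values}
DNS = {
    "example.com": {"TXT": "v=spf1 include:spf.dreamhosters.com include:gmail.com ~all"},
    "spf.dreamhosters.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    "gmail.com": {"TXT": "v=spf1 ip4:192.0.2.0/24 ~all"},
    "strict.example": {"TXT": "v=spf1 a mx -all", "A": ["203.0.113.10"], "MX": ["mx.example.com"]},
    "mx.example.com": {"A": ["203.0.113.20"]},
    "ptr.example": {"TXT": "v=spf1 ptr:dreamhost.com -all"},
    "smtp.dreamhost.com": {"A": ["198.51.100.7"]},
}
PTR = {"198.51.100.7": ["smtp.dreamhost.com"]}   # constructed reverse-DNS data
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def rr(name, rrtype):
    """Look up records of one type for a name in the constructed DNS table."""
    return DNS.get(name, {}).get(rrtype, [])

def evaluate(domain, ip, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror) for `ip` sending as `domain`."""
    if depth > 10:
        return "permerror"                       # RFC 7208 caps recursion through DNS-querying terms
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"                            # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                               # a mechanism with no qualifier means "pass" if matched
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain                   # a/mx/ptr default to the domain being checked
        if mech == "all":
            matched = True                       # "all" always matches; its qualifier is the verdict
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in rr(target, "A")
        elif mech == "mx":
            matched = any(ip in rr(host, "A") for host in rr(target, "MX"))
        elif mech == "ptr":
            # validated reverse lookup: a PTR name under `target` that also resolves forward to `ip`
            matched = any((h == target or h.endswith("." + target)) and ip in rr(h, "A")
                          for h in PTR.get(ip, []))
        elif mech == "include":
            matched = evaluate(arg, ip, depth + 1) == "pass"   # only a "pass" inside counts as a match
        else:
            return "permerror"                   # mechanism this example does not model
        if matched:
            return QUALIFIER[qual]
    return "neutral"                             # ran off the end of the record: default result
```

Note that an `include:` whose inner record ends in `-all` does not itself cause a fail; the sender simply falls through to the next mechanism, which is why the outer record's own `~all` or `-all` decides the final result.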