DreamHost SPF solution


#1

I don’t understand why SPF records aren’t published yet, especially when DreamHost netblocks haven’t changed or been updated for years.

This is all that’s required:

[code]domain.com      	TXT	v=spf1 include:_spf-netblocks.mail.domain.com ~all
_spf-netblocks.mail	TXT	v=spf1 include:_spf-netblocks-a.mail.domain.com include:_spf-netblocks-b.mail .dh.domain.com include:_spf-netblocks-c.mail.domain.com ~all
_spf-netblocks-a.mail	TXT	v=spf1 ip4:66.33.192.0/19 ip4:64.90.32.0/19 ip4:173.236.128.0/17 ip4:205.196.208.0/20 ip4:64.111.96.0/19 ip4:208.97.128.0/18 ip4:208.113.128.0/17 ip4:67.205.0.0/18 ip4:75.119.192.0/19 ip4:69.163.128.0/17 ~all
_spf-netblocks-b.mail	TXT	v=spf1 ip6:2607:F298::/32 ~all
_spf-netblocks-c.mail	TXT	v=spf1 ~all[/code]

I have a script querying ARIN twice a day to check for any changes and then updating the DNS records, but that’s neither efficient nor logical for me to maintain.

Even if your entire netblocks aren’t used, it’s still more secure than no SPF records. It also allows us to use DMARC.


#2

[quote="GMail headers"]
Delivered-To: me@gmail.com
Received: by 10.76.175.38 with SMTP id bx6csp778838oac
X-Received: by 10.66.124.226 with SMTP id ml2mr8261767pab.142.1410501161998
Return-path: <me@example.com>
Received: from homiemail-a91.g.dreamhost.com (sub5.mail.dreamhost.com.
 [208.113.200.129]) by mx.google.com with ESMTP id
 f2si5990590pdk.241.2014.09.12.00.57.40 for <me@gmail.com>
Received-SPF: pass (google.com: domain of me@example.com designates 208.113.200.129 as permitted sender) client-ip=208.113.200.129;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of me@example.com designates 208.113.200.129 as permitted sender)
[/quote]

#3

sXi: Don’t do that. The SPF records for dreamhost.com only cover IP addresses that DreamHost will use internally for sending out our own mail (i.e., from @dreamhost.com addresses). It does not include all IP addresses that may be used for sending mail from hosted sites — using it on your domains is likely to cause some mail you send to be rejected.

I’ve created a TXT record for “netblocks.dreamhost.com” which specifies all network blocks we currently operate:

netblocks.dreamhost.com. 14400	IN	TXT	"v=spf1 ip4:66.33.192.0/19 ip4:205.196.208.0/20 ip4:64.111.96.0/19 ip4:208.97.128.0/18 ip4:208.113.128.0/17 ip4:67.205.0.0/18 ip4:75.119.192.0/19 ip4:69.163.128.0/17 ip4:173.236.128.0/17 ip4:64.90.32.0/19 ip6:2607:F298::/32"

While this is perhaps broader than appropriate for some sites — it authorizes any DreamHost IP address to send mail on behalf of your domain, regardless of whether that address is involved with your site (or should be sending mail) at all — it is at least not too narrow. So there’s that.


#4

The domain that sent the mail isn’t hosted on a DH box. It does, however, send mail using sub5.

If DH believes that whitelisting every DH box on my domain is a perfectly acceptable solution then DH should have no qualms adding them to their own records too.


#5

Hi,

I’m working on a WordPress site hosted by DH. DNS is hosted by DNS Made Easy and email is hosted by Gmail. WordPress sends email directly (not using a plugin) from wordpress@mydomain.com. I want to update the SPF so that everyone knows it’s okay for DreamHost servers, as well as Gmail, to send email from @mydomain.com.

I was going to just add include:netblocks.dreamhost.com per the Wiki article, but after reading this thread, I’m confused: is Andrew saying he added netblocks.dreamhost.com to DreamHost’s public DNS? I can’t find it. Or do I need to define the TXT record for netblocks.dreamhost.com in my domain’s DNS? Is it up to me to maintain an up-to-date list of DreamHost’s mail servers? In my one test, I see that mail was sent via iad1-shared-relay1.dreamhost.com. [208.113.157.50], which is not listed in Andrew’s post. Where is the current list?

Thanks,

Mark


#6

Yes, you would include DreamHost’s SPF as an include operator in a TXT record in your own domain, for example:

[code]example.com TXT "v=spf1 include:netblocks.dreamhost.com -all"[/code]

or, the specific DH mail server you relay through and your VPS or shared server:

[code]example.com TXT "v=spf1 a:sub5.mail.dreamhost.com a:www.example.com -all"[/code]


#7

Thank you for your reply.

As I mentioned, netblocks.dreamhost.com is not defined in any public DNS. So this setting (with the strict “-all” directive) will effectively say, only accept mail if it comes from netblocks.dreamhost.com, which doesn’t exist, so do not accept any mail at all.

I don’t think you want to use the a: mechanism, which tests all the A records for the domain. Most examples seem to use the include: mechanism.

In a lengthy discussion with Dreamhost Abuse support, I learned that mail for my account (and presumably others on my server) is split among several servers:

[quote]1) CGI Mail is sent out via ‘iad1-shared-relay1.dreamhost.com’ with an IP of ‘208.113.157.50’
2) SMTP mail is sent out via ‘sub4.mail.dreamhost.com’ load balancer with an IP of ‘69.163.253.135’[/quote]

So the correct SPF for the shared relay with Office 365 would be:

[code]example.com TXT "v=spf1 include:spf.protection.outlook.com include:iad1-shared-relay1.dreamhost.com -all"[/code]

In my experience, iad1-shared-relay1.dreamhost.com is always on at least five blacklists per www.mxtoolbox.com. A zealous mail admin might reject the mail due to a blacklist even if the SPF is correct. So it’s better if possible to connect to an external mail server to send email. In my case, I’m doing that via the WordPress WP-Mail-SMTP plugin. It’s not ideal, because it means each time someone posts a comment on the blog, it takes 10-30 seconds because it is sending an external email. But mail is getting through.


#8

Oh, but it is:

[code]sh% dig netblocks.dreamhost.com txt @ns1.dreamhost.com

; <<>> DiG 9.8.3-P1 <<>> netblocks.dreamhost.com txt @ns1.dreamhost.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45283
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;netblocks.dreamhost.com. IN TXT

;; ANSWER SECTION:
netblocks.dreamhost.com. 14400 IN TXT "v=spf1 ip4:66.33.192.0/19 ip4:205.196.208.0/20 ip4:64.111.96.0/19 ip4:208.97.128.0/18 ip4:208.113.128.0/17 ip4:67.205.0.0/18 ip4:75.119.192.0/19 ip4:69.163.128.0/17 ip4:173.236.128.0/17 ip4:64.90.32.0/19 ip6:2607:F298::/32"

;; Query time: 25 msec
;; SERVER: 66.33.206.206#53(66.33.206.206)
;; WHEN: Fri Feb 6 11:07:16 2015
;; MSG SIZE rcvd: 276
[/code]


#9

Be cool to have it as the SPF DNS record instead of TXT.


#10

All SPF records are entered into DNS as TXT records; there is no such thing as DNS type SPF.


#11

Using this method seems correct. However, using this SPF validation tool: http://www.kitterman.com/spf/validate.html

I get the error: “Results - PermError SPF Permanent Error: Unknown mechanism found: .dh.bsapack251.net”

I did have it come back once as “valid”

What have I done wrong?
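An added, runnable illustration of how a receiving mail server evaluates records like the ones in this thread (not code from DreamHost or from any poster): a minimal SPF check_host() over a constructed, offline TXT table, showing the include chain behind netblocks.dreamhost.com, fail versus softfail for -all versus ~all, and the two PermError outcomes the thread runs into (an include target that publishes no record, and an unparsable token like the one in #11). Only the netblocks.dreamhost.com value is taken from the thread; every other name in the table is an assumption made up for this example.

```python
import ipaddress
import re
# Constructed, offline stand-in for DNS TXT lookups. The netblocks.dreamhost.com
# value is the record quoted in the thread; every other name is made up here.
TXT = {
    "netblocks.dreamhost.com": "v=spf1 ip4:66.33.192.0/19 ip4:205.196.208.0/20 "
        "ip4:208.113.128.0/17 ip4:69.163.128.0/17 ip6:2607:F298::/32",
    "example.com":     "v=spf1 include:netblocks.dreamhost.com -all",
    "soft.example":    "v=spf1 include:netblocks.dreamhost.com ~all",
    "broken.example":  "v=spf1 include:netblocks.dreamhost.com .dh.broken.example -all",
    "missing.example": "v=spf1 include:netblocks.nonexistent.example -all",
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a v=spf1 string into (result-if-matched, mechanism, argument) tuples.
    Raises ValueError on any term it cannot parse ('Unknown mechanism' in a validator)."""
    terms = []
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)(all|ip4|ip6|include)(?::(\S+))?", term)
        if not m or (m.group(2) == "all") != (m.group(3) is None):
            raise ValueError("unknown or malformed mechanism: " + term)
        terms.append((QUAL[m.group(1) or "+"], m.group(2), m.group(3)))
    return terms

def check_spf(domain, client_ip, depth=0):
    """check_host() in the spirit of RFC 7208 for ip4/ip6/include/all only."""
    if depth > 10:                       # include loop / lookup-limit guard
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no SPF record published for this name
    try:
        terms = parse_spf(record)        # whole record must parse before evaluation
    except ValueError:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for result, mech, arg in terms:
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        else:                            # include: matches only if the included policy passes
            sub = check_spf(arg, client_ip, depth + 1)
            if sub == "pass":
                return result
            if sub in ("none", "permerror"):
                return "permerror"       # RFC 7208 5.2: missing/invalid include target
    return "neutral"                     # ran off the end with no "all"
```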