SPF-record. Embed or not?

Asked by tstsv

Greetings to all.

I am continuing my "Ideas for Habr" series. As a reminder, I administer this site at the low level (server, OS, daemons and how they all interact), and I am quite interested in the opinions of colleagues who have practical experience with what the post title names. So far things have been going rather sluggishly, but I have already gathered some useful information.

Previous questions:
 link  link

This time the question concerns the mail subsystem. Almost all of our mail is pointed at gmail.com via the MX records. This is quite convenient and suits almost everyone, if one abstracts away from questions about "big brother", of course. But there are also the servers our websites run on, many of which send various notifications to users. Recently all mail from some of our servers reaches users not directly but through a relay, a "smarthost" in admin parlance: this is convenient, since you don't need to fine-tune the stock sendmail, you just add one line and that's it. Only the relay itself needs to be configured properly.

So what do we have in the end? In effect, all legitimate mail from the domain habrahabr.ru reaches our users only from Google and from our relay. I.e., there is a good opportunity to publish an SPF record in the zone with the relevant data and with the "-all" option. This technology has many pros and a few drawbacks: one of the drawbacks is possible problems with forwarded mail. Of course, a correct MTA should rewrite the headers etc. when forwarding, but not everyone has everything set up as it should be.

In light of the above, do you think it is worth setting a hard "-all", or should we confine ourselves to the softer "~all"?

P.S. By the way, DKIM is already working; the relay successfully signs outgoing mail. If your email clients complain about an invalid signature, let me know.

Answers

jean franklin
> I am quite interested in the opinions of colleagues who have practical experience with what the post title names.

consult your colleagues from google)

host -t txt google.com
google.com descriptive text "v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"

I personally usually use -all if I know exactly where the mail will come from,
for example if I know it will only be servers with certain IPs.
Replies:
The question is rather this: we will implement SPF, we know where we send mail from, and we are ready to use -all. But what interests everyone is precisely whether everything will work correctly for a recipient who has mail forwarding configured. Not every intermediate mail server is configured correctly and leaves correct headers. - mab300
whitney la rocca
We have many times fewer people here, of course, but there are a lot of notifications and mailings, and only with ~all and of course ip ranges.
Four years of normal operation so far.
parand
If you have mail on gmail, then you should not use -all: there may be problems with mail delivery, and Google itself does not recommend -all. Going without SPF is also not an option, because antispam false positives increase even within the company.
christopher berry
I set -all, but I allow the mailers popular in runet to "forward" my mail (for example, if a user who receives a message at, say, mail.ru has configured forwarding to their own office mailbox):
myzone.ru     text = "v=spf1 include:_spf.myzone.ru -all"
_spf.myzone.ru        text = "v=spf1 a:mx1.myzone.ru a:mx2.myzone.ru include:_spf.yandex.ru include:_spf.mail.ru include:_spf.google.com -all"


I write in my other zones:
somezone.ru     text = "v=spf1 redirect=_spf.myzone.ru"

Convenient!

For Sender ID it will probably look like this; correct me if I'm wrong.
myzone.ru     text = "v=spf2.0/mfrom include:_spf.myzone.ru -all"
_spf.myzone.ru        text = "v=spf2.0/mfrom a:mx1.myzone.ru a:mx2.myzone.ru include:_spf.yandex.ru include:_spf.mail.ru include:_spf.google.com -all"
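To make the -all versus ~all tradeoff from the question concrete, here is an added example (not code from the thread or from any of the posters): a small SPF evaluator in Python over a constructed DNS table. It mirrors the myzone.ru / somezone.ru include and redirect chain from the answer above, stands in for the third-party includes with a constructed _spf.relay.example zone, and runs the forwarding case from the question: the same message passes when it arrives from mx1, but fails under "-all" and only softfails under "~all" when it arrives from a forwarder's IP that no record lists. It also goes beyond the thread by enforcing the ten-DNS-lookup limit of RFC 7208 section 4.6.4, which long include chains of the kind shown above can exhaust, producing permerror. All zone names other than the myzone.ru / somezone.ru ones and all IPs are constructed.

```python
import ipaddress

# Constructed DNS table (an assumption of this example): the myzone.ru /
# somezone.ru records mirror the ones posted in the thread, but the
# third-party includes (yandex, mail.ru, google) are replaced by a constructed
# relay zone, and a "~all" zone plus a self-including zone are added to show
# the other outcomes. All IPs are from the RFC 5737 documentation ranges.
DNS = {
    "TXT": {
        "myzone.ru":          "v=spf1 include:_spf.myzone.ru -all",
        "somezone.ru":        "v=spf1 redirect=_spf.myzone.ru",
        "softzone.ru":        "v=spf1 include:_spf.myzone.ru ~all",
        "_spf.myzone.ru":     "v=spf1 a:mx1.myzone.ru a:mx2.myzone.ru include:_spf.relay.example -all",
        "_spf.relay.example": "v=spf1 ip4:203.0.113.0/28 -all",
        "loop.example":       "v=spf1 include:loop.example -all",
    },
    "A": {
        "mx1.myzone.ru": ["198.51.100.10"],
        "mx2.myzone.ru": ["198.51.100.11"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def check_host(ip, domain, counter=None):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Supports the mechanisms used in the thread (ip4, a, include, all) and
    the redirect modifier; anything else yields permerror, as RFC 7208
    requires for unknown mechanisms.
    """
    if counter is None:
        counter = {"lookups": 0}
    record = DNS["TXT"].get(domain)
    if record is None or not (record == "v=spf1" or record.startswith("v=spf1 ")):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only used if nothing else matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("a", "include"):  # these cost a DNS query
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS["A"].get(arg or domain, [])
        elif name == "include":
            sub = check_host(ip, arg, counter)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"  # only a pass inside the include matches
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        counter["lookups"] += 1
        if counter["lookups"] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, counter)
        return "permerror" if result == "none" else result
    return "neutral"


def forwarding_scenario():
    """The case the question asks about: a message that left mx1 legitimately
    is forwarded onward by a third-party mailbox that keeps the original
    envelope sender, so the final receiver sees the forwarder's IP."""
    forwarder_ip = "192.0.2.77"  # constructed: not authorised by any record above
    return {
        "direct_from_mx1": check_host("198.51.100.10", "myzone.ru"),
        "via_redirect":    check_host("198.51.100.10", "somezone.ru"),
        "forwarded_hard":  check_host(forwarder_ip, "myzone.ru"),
        "forwarded_soft":  check_host(forwarder_ip, "softzone.ru"),
    }


if __name__ == "__main__":
    for case, result in forwarding_scenario().items():
        print(f"{case:16} {result}")
    print(f"{'loop.example':16} {check_host('192.0.2.77', 'loop.example')}")
```

The forwarded case is exactly where the two policies diverge: with "-all" a receiver that enforces SPF may reject the forwarded message outright, with "~all" it is merely marked and left to other signals (such as the DKIM signature the question mentions, which survives forwarding when the body and signed headers are untouched). The loop.example zone shows why include chains deserve counting: once more than ten DNS-querying terms are needed the whole record evaluates to permerror, which some receivers treat like a failed check.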