Greetings to all.
I continue my series "Ideas for Habr." I remind you that I administer this site at a low level (server, OS, daemons and the interaction of all this), and I am quite interested in the opinions of colleagues who have practical experience with what is indicated in the post topic. So far things have been going rather sluggishly, but I have already gathered some useful information.
This time the question concerns the mail subsystem. Almost all of our mail MX records point to gmail.com. This is quite convenient and suits almost everyone, if, of course, one abstracts away from questions about "big brother." But there are also the servers on which our websites run, many of which send various notifications to users. Recently, all mail from some of our servers goes to users not directly but through a relay, a "smarthost" in admin parlance: this is convenient, since you do not need to fine-tune the regular sendmail, you just insert one line and that's it. Only the relay itself needs to be configured correctly.
So what do we have in the end? Actually, all legitimate mail from the domain habrahabr.ru is sent to our users only from Google and from our relay. That is, there is a good opportunity to publish an SPF record in the zone with the relevant data and with the "-all" option. This technology has a lot of pros and a few drawbacks: one of the drawbacks is associated with possible problems with forwarded mail. Of course, a correct MTA should change the headers, etc., when forwarding, but not everyone has everything set up as it should be.
In connection with the above, do you think it is worth specifying a hard "-all", or should we limit ourselves to the soft "~all"?
P.S. By the way, DKIM is already working; the relay successfully signs outgoing mail. If your mail clients report an invalid signature, let me know.
Consult with colleagues from Google )
host -t txt google.com
google.com descriptive text "v=spf1 include:_netblocks.google.com ip4:18.104.22.168/31 ip4:22.214.171.124/31 ~all"
I personally usually use -all if I know exactly where the mail will originate,
for example, if I know that it will only be servers with certain IPs.
Four years now, and it's been smooth sailing.
myzone.ru text = "v=spf1 include:_spf.myzone.ru -all"
_spf.myzone.ru text = "v=spf1 a:mx1.myzone.ru a:mx2.myzone.ru include:_spf.yandex.ru include:_spf.mail.ru include:_spf.google.com -all"
I write in my other zones:
somezone.ru text = "v=spf1 redirect=_spf.myzone.ru"
For Sender ID, it will probably look like this; correct me if I'm wrong.
myzone.ru text = "v=spf2.0/mfrom include:_spf.myzone.ru -all"
_spf.myzone.ru text = "v=spf2.0/mfrom a:mx1.myzone.ru a:mx2.myzone.ru include:_spf.yandex.ru include:_spf.mail.ru include:_spf.google.com -all"
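An added example, not from the post or any of the commenters: a small SPF evaluator run against a constructed, offline "DNS" table (the zone names, IPs and records below are made up, not the real habrahabr.ru or myzone.ru data) that shows what a receiving MTA computes for `-all` versus `~all`, and how `include:` and `redirect=` chain the way the records quoted above do.

```python
import ipaddress

# Constructed offline "DNS" for the example (no real lookups are made).
DNS_TXT = {
    "myzone.ru": "v=spf1 include:_spf.myzone.ru -all",
    "_spf.myzone.ru": "v=spf1 a:mx1.myzone.ru a:mx2.myzone.ru ip4:203.0.113.0/24 -all",
    "somezone.ru": "v=spf1 redirect=_spf.myzone.ru",   # redirect= as in the comment above
    "softzone.ru": "v=spf1 ip4:203.0.113.0/24 ~all",    # same sources, soft fail
}
DNS_A = {"mx1.myzone.ru": ["198.51.100.10"], "mx2.myzone.ru": ["198.51.100.11"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for sending IP `ip`.

    Returns pass / fail / softfail / neutral / none / permerror, following
    RFC 7208 for the terms used in this thread: a, ip4, include, all and the
    redirect= modifier. mx, ptr and exists are not implemented here."""
    if depth > 10:                       # RFC 7208 limit on DNS-querying terms
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"                       # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]      # "-all" -> fail, "~all" -> softfail
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in DNS_A.get(arg or domain, [])
        elif mech == "include":          # include matches only on a "pass" result
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    if redirect:                         # redirect= applies only if nothing matched
        return check_spf(ip, redirect, depth + 1)
    return "neutral"
```

Run `check_spf("192.0.2.1", "myzone.ru")` and `check_spf("192.0.2.1", "softzone.ru")` to see the same unauthorised sender yield `fail` versus `softfail`, which is exactly the difference the post asks about.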