Auto SPF plug-in

This plug-in synthesizes missing SPF records (TXT) for local domains.

Using this plug-in you can provide SPF records for all domain names on your server without having to setup and maintain SPF-records separately for every single domain name.

Important: This plug-in only works when there are no TXT-records (of any kind) for the requested name in a local zone.

Important: This plug-in must be listed AFTER "[LOCAL DNS ZONES]" in the plug-in / query order list. Otherwise it will have no effect.

Important: The synthesized records are provided in responses to standard DNS lookups for TXT-records only - they are NOT provided in zone transfers to secondary DNS servers. Therefore you must configure this plug-in the same way on any secondary DNS servers for your domain names.

What is SPF?

SPF is a spam and phishing fighting method which uses DNS records to define which hosts are permitted to send e-mails for a domain.

When SPF enabled e-mail servers receive an inbound e-mail (via SMTP) they will lookup the DNS SPF-record (TXT type) for the domain name of the senders e-mail address in order to verify that sending e-mail server's IP address is permitted to send e-mail for that domain name.

For details more on SPF, please see http://www.open-spf.org

How to use this:

If you need to provide unique SPF-records for certain domain names, you can still setup individual SPF-records for those names. This function only kicks in when there are no SPF-records defined for a domain name already.

Consider using the value "v=spf1 -all" (meaning "these domains never send e-mail").

This forces you to have specific SPF-records for all domain names that send e-mails.

But it very effectively prevents spamming/phishing from all other domain names on your server - including common sub-names such as www.example.com which most users forget to setup SPF records for.

A good alternative to this is "v=spf1 mx -all" (meaning "these domains only send e-mail from the mail server listed in their MX-record").

This way any domain name that has an MX-record is covered automatically.

And sub-names such as www.example.com which typically do not have MX-records are still excluded.

In addition to checking the domain name part of the sender's e-mail address, some e-mail servers also perform SPF checks on the SMTP session HELO/EHLO greeting host name.

Therefore always make sure that your e-mail server is configured to use a correct host name (like "mail.example.com") in the HELO/EHLO greeting, and that an A- and/or AAAA-record exists for this host name in DNS.

And when using this option, make sure that the SPF-record data is also valid for the HELO/EHLO host name used by your e-mail server, or define a specific SPF-record for the HELO/EHLO name in the zone where this belongs (this will override the automatic SPF record).

Note that the default data "v=spf1 mx -all" will fail such a test if no MX-record exists for your HELO/EHLO name.

For example, if your domain name is "example.com" and your mail server is named "mail.example.com" (and uses this in HELO/EHLO greetings), you would probably only have an MX-record for "example.com" - not for "mail.example.com", and therefore "v=spf1 mx -all" fails to validate "mail.example.com".

Instead you could use "v=spf1 ip4:1.2.3.4 -all" (where 1.2.3.4 is the IP address of your mail server), which would work for both types of tests.

Note: This plug-in does not provide SPF records for domain names starting with the underscore (_) character to avoid collision problems with special purpose names such as "_domainkey".

Note: In Simple DNS Plus v. 9.0 and earlier, this functionality used to be built-in - configurable in the Options dialog / DNS / Local Zones / Automatic SPF section.

How to obtain this plug-in

This plug-in is included with the Simple DNS Plus installation.

Open source

This source code for this plug-in is available at https://github.com/jhsoftware/sdnspi-autospf

Contributions are most welcome.

Related KB articles:

 Comments
Be the first to comment on this page:
(Never published. Used for replies and to show your Gravatar icon. Never used for any other purpose.)
Connect