Domain SPF Records.

Discussion in 'Developers' Forum' started by Tekati, Jul 10, 2010.

  1. Tekati

    Tekati Member Moderator

    All,

    Domain SPF Records...

    As this would be my first commit to the ispconfig3 community I have a question or okay maybe a few.

    First, is it okay to add such an enhancement? Basically all I have done is add another Button to the DNS records to allow you to place an SPF record into your DNS records.

    Second, by doing this I need to ALTER the dns_rr table to add SPF to the enum for type. Would I simply add this alter statement to the pre_update.sql file?

    Third, seeing as Bind9 now supports the SPF type, would it be a good idea to add it to the Default template so that users can benefit from its usage, or let them add it on their own? Basically I would suggest this sort of Default Template.

    Code:
    [ZONE]
    origin={DOMAIN}.
    ns={NS1}.
    mbox={EMAIL}.
    refresh=28800
    retry=7200
    expire=604800
    minimum=86400
    ttl=86400
    
    [DNS_RECORDS]
    A|{DOMAIN}.|{IP}|0|86400
    A|www|{IP}|0|86400
    A|mail|{IP}|0|86400
    NS|{DOMAIN}.|{NS1}.|0|86400
    NS|{DOMAIN}.|{NS2}.|0|86400
    MX|{DOMAIN}.|mail.{DOMAIN}.|10|86400
    TXT|{DOMAIN}.|"v=spf1 mx -all"|0|86400
    SPF|{DOMAIN}.|"v=spf1 mx -all"|0|86400

    This allows only the MX servers for your domain (the ispconfig3 server, which is going to be the MX server) to send email for the domain. Of course the users could modify it as they see fit, but this gives them the best security practice they could have at the start.

    Even though ispconfig is not actually using SPF currently, that is going to be one of my next projects, to see if we can't get it set up in ispconfig3. Sites like craigslist and a few others won't even let you send email to them without SPF records for your domain.
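Added example (not part of Tekati's post and not ISPConfig code): Python that parses the template's `type|name|data|aux|ttl` record lines and evaluates the proposed `v=spf1 mx -all` policy for a sending IP, using only the records in the zone itself. The domain `example.com`, the address `192.0.2.10` and all function names are assumptions; only the `mx` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed input: the template's record lines with placeholders filled in.
TEMPLATE = """\
A|example.com.|192.0.2.10|0|86400
A|www|192.0.2.10|0|86400
A|mail|192.0.2.10|0|86400
MX|example.com.|mail.example.com.|10|86400
TXT|example.com.|"v=spf1 mx -all"|0|86400
SPF|example.com.|"v=spf1 mx -all"|0|86400
"""
ORIGIN = "example.com."
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def fqdn(name):
    """Expand a relative name such as 'mail' against the zone origin."""
    return name if name.endswith(".") else f"{name}.{ORIGIN}"

def parse_records(text):
    """Return (type, owner, data) tuples from type|name|data|aux|ttl lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 5:
            rows.append((parts[0], fqdn(parts[1]), parts[2].strip('"')))
    return rows

def spf_policies(records, domain):
    """SPF strings published at domain, keyed by record type (TXT or SPF)."""
    return {t: d for t, n, d in records
            if n == domain and t in ("TXT", "SPF") and d.startswith("v=spf1")}

def check_sender(records, domain, ip):
    """Evaluate the two mechanisms the template uses: 'mx' and 'all'."""
    policy = spf_policies(records, domain).get("TXT")
    if policy is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        matched = mech == "all"
        if mech == "mx":
            hosts = {fqdn(d) for t, n, d in records if t == "MX" and n == domain}
            matched = any(t == "A" and n in hosts and ipaddress.ip_address(d) == sender
                          for t, n, d in records)
        if matched:
            return RESULTS[qualifier]
    return "neutral"
```

The evaluator reads the TXT copy of the policy; RFC 7208 later discontinued the dedicated SPF record type, so TXT is the copy receivers look up.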
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, of course :)

    Have you tested this with mydns and powerdns? I fear that mydns will not accept this as a valid record, as SPF records are of the type "TXT".

    Before 3.0.3, it is enough to alter the ispconfig3.sql file and change the enum type there. The pre_update.sql does not have to be changed.

    After 3.0.3, there will be an incremental database update mechanism that I'm working on at the moment. So after 3.0.3, there is a separate database version number and you have to create an alter table statement in a separate file for every database version and do the change in the ispconfig3.sql file. I will add a readme file when I upload the changes to svn.

    Should be added to the template too then.
     
  3. admins

    admins Member

    Forget SPF, it's an old system.
    And it's not functional. Most providers don't use SPF...

    admins
     
  4. damir

    damir New Member

    SPF is still used by hotmail and gmail.
     
  5. admins

    admins Member

    They remove it on their server ...
     
  6. damir

    damir New Member

    Didn't know that, do you have any source that confirms that?
     
  7. admins

    admins Member

    I'm a google employee
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The main problem that I see with SPF "in the wild" is that more spammer domains seem to have SPF records than "normally" used domains. So it might be more successful to ban senders if they have an SPF record to avoid spam :) So I would understand if large providers would start to remove SPF.
     
    Last edited: Jul 16, 2010
  9. damir

    damir New Member

    Yeah, and I'm the prince of Sweden :p , if you can't show me the source of your information then I'm having a hard time believing you.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Spammers register domains for a day or a few days to send spam over them and then delete the domains to register new ones. These domains normally have valid SPF records.

    Here is an article from today from C't, which is Germany's largest professional IT newspaper. The article is in German but you might be able to translate it with e.g. Google Translate if you like to read it:

    http://www.heise.de/newsticker/meldung/Fliegender-Wechsel-bei-Spam-Domains-1039695.html

    It is not about SPF specifically, but what it shows is that SPF cannot work to prevent spamming, as they own the domain and so they can create their own SPF record.
     
    Last edited: Jul 16, 2010
  11. admins

    admins Member

    That's true. For all: do not add SPF entries. Your mails were not blocked because you haven't got an SPF entry. Check your PTR records and more.

    Because this technique does not prevent and it's really easy to avoid this function, Google and big companies remove their entries.
     
  12. damir

    damir New Member

    Till:

    I know that SPF is not that good, but I reacted to the statement that Google has dropped the need for SPF when I know that without a proper SPF record they mark mails as spam on both Gmail and Google Apps pro customers.

    Then for the link, if we can set it up then they can too :) Damn, I hate those spammers
     
