BIND DNS - MX, TXT and SPF records when hosting multiple domains on same machine?
Once again I revert to this forum for some clarification concerning MX and TXT records in BIND. I'll try to clarify my doubts as best I can. To do that I'll explain my current set-up.
Currently I am running a small network with 1 public IP address. I have one single computer that acts as my webserver and mailserver; this server hosts various websites and also serves mail for each
I also have my main website, which acts as the domain for the whole network.
This is the domain I have used to configure postfix, $mydomain = mydomain.net. For "mydomain.net" I have set up an MX record that points to host "mail" and domain "mydomain.net". For the host to be reachable I added an A record "mail". I also added two TXT records, one that points to host "mail" with the value "v=spf1 a mx ~all" and the other that simply points to the domain "mydomain.net" with value "v=spf1 a ~all". So when I send an email using "mail.mydomain.net" from an address belonging to "mydomain.net" such as "firstname.lastname@example.org", the Received-SPF passes its tests.
Q: My first question is: Is the above configuration correct? Should I use an A or CNAME record for the host "mail"? Are both TXT records necessary? Or is my approach completely wrong? My goal is that the Received-SPF always passes.
Now one of my biggest doubts. As I stated above I host various other websites; now say I want to give "website1.com" the ability to use "mail.website1.com" as the mail server configuration for their mail clients (simply a matter of simplification). By repeating the steps I state above (adding MX record, TXT records, all specific for the website1.com domain) I manage to get a pass on the Received-SPF.
Q: My question here is simply if this is the correct approach? Or should I simply point the MX record to mail.mydomain.net?
Now my final doubt. Suppose I want to also send and receive mail for the domain "website2.com", however, this time I do not need to provide a "mail.website2.com", therefore, I want to use "mail.mydomain.net".
Q: How should I go about setting this up so that Received-SPF always passes? I have tried altering the TXT records to "v=spf1 a mx include:website2.com ~all" and "v=spf1 a include:website2.com ~all", but SPF always states "Received-SPF: neutral".
The reason I am asking is because sometimes email originating from website2.com gets tagged as spam, and IMHO the reason is due to SPF; also I have noticed that email that does not pass the SPF test usually takes a little longer to be delivered.
Q: I would also like to clarify another point: when should I use an A record as opposed to a CNAME record? Say for example I have webmail.mydomain.net & stats.mydomain.net, should I use a CNAME or A record? And why? Once again everything resides on the same server as www.mydomain.net.
Well I guess that's it, I apologize for the long text but I think it was necessary to clarify my doubts. I hope someone can gather up the patience to read all this :P
You should use an A record unless you have a compelling reason to use a CNAME. When you use a CNAME record, it may force a second lookup in order to resolve the hostname.
Thank you very much for the reply, it has definitely been invaluable. I seem to now have a grasp on DNS zone files.
Concerning my questions on the SPF Records being tagged as neutral when an email belonging to website2.com was being sent through mydomain.net, I realized that by adding the TXT record "v=spf1 include:mail.mydomain.net" to website2.com would fix the problem. Currently no mail is being tagged as spam. :)
Also, since I am using a static IP address and according to your suggestion (due to extra lookups), I have changed the webmail, mail, etc. CNAME records to A records.
Once again thanks for your help!
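To show why the include: term only helps when it is published on the sending domain's own record (the fix described in the post above), here is a small SPF evaluator added for this thread; it is not code from the original post. It implements a simplified RFC 7208 check_host() over a constructed in-memory DNS table (the domain names follow the thread, the addresses are RFC 5737 documentation addresses, and "198.51.100.7" is an assumed unrelated host).

```python
import ipaddress

# Constructed in-memory DNS standing in for the thread's zones; the addresses are
# RFC 5737 documentation addresses, not values from the post.
DNS = {
    "mydomain.net":      {"A": ["192.0.2.10"], "MX": ["mail.mydomain.net"],
                          "TXT": ["v=spf1 a mx include:website2.com ~all"]},
    "mail.mydomain.net": {"A": ["192.0.2.10"], "TXT": ["v=spf1 a mx ~all"]},
    "website2.com":      {"A": ["192.0.2.10"], "MX": ["mail.mydomain.net"]},  # no SPF yet
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])

def check_host(ip, domain, depth=0):
    """Simplified check_host(): evaluate the SPF record published at `domain`
    for the connecting address `ip`. Supports a, mx, ip4, include and all."""
    if depth > 10:                       # RFC 7208 limits recursive lookups
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"                    # the domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain           # "a" and "mx" default to the current domain
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(target, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mech == "include":
            # include matches only if the included domain's record yields "pass"
            matched = check_host(ip, target, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # record exhausted with no "all" term

# Receiver evaluates the envelope sender's domain, so the include on
# mydomain.net's record is never consulted for mail from website2.com.
before = check_host("192.0.2.10", "website2.com")
# The thread's fix: publish the include on website2.com itself.
DNS["website2.com"]["TXT"] = ["v=spf1 include:mail.mydomain.net ~all"]
after = check_host("192.0.2.10", "website2.com")
spoofed = check_host("198.51.100.7", "website2.com")  # assumed unrelated host
```

With the fix in place the server's address passes and any other address softfails, which is what the "~all" tail asks receivers to apply.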
I set the filtering devices to 'block' email in which the sender's DNS domain IP range is not included in the TXT records.
The year is 2011 and it is time SPF is put in place, it would cut down on enormous amounts of spam/spoofed emails and all kinds of unwanted/waste of time emails.
I work at an ISP and push the burden back to the hosting company to fix their DNS; if you have SPF enabled in BIND then put in your IP range that can relay email.
This protects you from exploits and keeps bozos from sending email from your 'domain' from other IP ranges.
It is a win-win and the reverse dns matching for the email servers as well.
This is a HUGE problem, I cannot for the life of me understand why some banks do NOT use SPF records; they are set to 'soft-fail' so spammers/criminals send out impostor emails using their domain...
It is a mess, I do not think IPv6 is going to solve the problem of spam/spoofed emails since there are millions of bot machines and exploited email servers that are open-relays and not setup correctly.
Remember a ~ is a softfail and a - is a hardfail...
Just my thoughts...