Correct SPF record for email server

danjde · 09-17-2016, 03:20 PM

Hi friends,

I'm building a Postfix/Dovecot email server on Debian jessie on my VPS,
and I would like to add its correct DNS record.

Considering that the FQDN is: "server.mydomain.org"

and the other DNS entry:

MX: "server.mydomain.org"
CNAME: "(mail).mydomain.org"
CNAME: "(smtp).mydomain.org"
CNAME: "(pop).mydomain.org"

I would like to understand if the SPF value, given to me by my DNS maintainer (that differ from the VPS maintainer) is correct:

name: server
value: v=spf1 include:_spf.th.seeweb.it

but instead if I check from SPF Wizard it suggest me this SPF record instead (the IP address is random):

v=spf1 mx a:server.mydomain.org ip4:90.123.123.90 ~all

At this point I have two different information and do not know which one to use.... :-)

which of the two should I use?

many thanks!

af7567 · 09-17-2016, 07:57 PM

Without knowing what your real email domain or MX addresses are no one can guess what the proper SPF record should be. It also depends if your VPS sends mail directly or through a relay. Since the mail is sent from the VPS, I would guess the SPF record given by the VPS provider would be most accurate.

danjde · 09-18-2016, 09:48 AM

Quote:

af7567: Without knowing what your real email domain or MX addresses are no one can guess what the proper SPF record should be.

..but if they were the ones mentioned in this post?

Quote:

af7567: It also depends if your VPS sends mail directly or through a relay. Since the mail is sent from the VPS, I would guess the SPF record given by the VPS provider would be most accurate.

Yes, my VPS sends mail directly.
But as you can see above, the SPF record is not given by VPS provider but by the domain provider (that is different) and he doesn't know the VPS ip or its FQDN...

Many many thanks for your help!

af7567 · 09-18-2016, 01:06 PM

Quote:

Originally Posted by danjde

..but if they were the ones mentioned in this post?

Yes, my VPS sends mail directly.
But as you can see above, the SPF record is not given by VPS provider but by the domain provider (that is different) and he doesn't know the VPS ip or its FQDN...

Many many thanks for your help!

Ah sorry, I thought you meant your VPS provider had given you a different SPF record. When you say the IP address 90.123.123.90 is random do you mean that you changed it for this post or that the SPF wizard created it?

Assuming that 90.123.123.90 is the public IP of your VPS and server.mydomain.org is the hostname (and also the MX record) then you just need "v=spf1 a:server.mydomain.org ~all"

include:_spf.th.seeweb.it is only needed if you are using "seeweb.it" mail server as your relay, but since you send mail directly from the VPS you only need the hostname or IP address of your VPS. Since "server.mydomain.org" resolves to the VPS IP address you don't need to include ip4: in the SPF record. Also, since the MX is also server.mydomain.org you don't need to include "mx" either in the SPF record.

Note. the ~all is a soft fail which means if mail comes from a different server to your VPS then it will still be accepted but marked as a fail. After you have tested your SPF record for a while and are sure there are no problems you could change this ~all to -all which will reject mail that is not from your VPS.

danjde · 09-19-2016, 01:49 AM

WOW! Very clear explanation!
You have clarified all doubts I had left about SPF record!

Very very thanks for your really really useful help! ;-)

ciao!