Hi everyone,

Once again I revert to this forum for some clarification concerning MX and TXT records in BIND. I'll try to clarify my doubts as best I can. To do that i'll explain my current set-up.

Currently I am running a small network with 1 public IP address. I have one single computer that acts as my webserver and mailserver, this server hosts various websites as also serves mail for each
domain:

"website1.com"
"website2.com"
"website3.com"

I also have my main website, which acts as the domain for the whole network.

"mydomain.net"

This is the domain I have used to configure postfix, $mydomain = mydomain.net, For "mydomain.net" I have set-up an MX record that points to host "mail" and domain "mydomain.net". For the host to be reachable I added an A record "mail". I also added two TXT records, one that points to host "mail" with the value "v=spf1 a mx ~all" and the other that simply points to the domain "mydomain.net" with value
"v=spf1 a ~all". So when I send an email using "mail.mydomain.net"
from an address belonging to "mydomain.net" such as "me@mydomain.net", the Received-SPF passes its tests.

Q: My first question is: Is the above configuration correct? Should I use an A or CNAME record for the host "mail"? Are both TXT records necessary? Or is my approach completely wrong? My goal is that the Received-SPF always passes.

Now one of my biggest doubts. As I stated above I host various other websites, now say I want to give "website1.com" the ability to use "mail.website1.com" as the mail server configuration for their mail clients (simply a matter of simplification). By repeating the steps I state above (adding MX record, TXT records, all specific for website1.com domain) I manage to get a pass on the received-SPF.

Q: My question here is simply if this is the correct approach? Or should I simply point the MX record to mail.mydomain.net?

Now my final doubt. Suppose I want to also send and receive mail for the domain "website2.com", however, this time I do not need to provide a "mail.website2.com", therefore, I want to use "mail.mydomain.net".

Q: How should I go about in setting this up so that Received-SPF allways passes? I have tried altering the TXT records to "v=spf1 a mx include:website2.com ~all" and "v=spf1 a include:website2.com ~all", but SPF always states "Received-SPF: neutral"

The reason I am asking is because sometimes email originating from webserver2.com gets tagged as spam, and IMHO the reason is due to SPF, also I have noticed that email that does not pass the SPF test, usually takes a little longer to be delivered.

Q: I would also like to clarify another point: when should I use A record as opposed to CNAME records. Say for example I have webmail.mydomain.net & stats.mydomain.net, should I use a CNAME or A record? And why? Once again everything resides on the same server as www.mydomain.net.

Well I guess that's it, I apologize for the long text but I think it was necessary to clarify my doubts. I hope someone can gather up the patience to read all this :P

Regards,
Istvan Cebrian

You should only need an SPF record for mydomain.net. This authorizes sending hosts for mail that is allegedly from someone@mydomain.net. Setting up one for mail.mydomain.net would authorize the sending hosts for someone@mail.mydomain.net.

You should use an A record unless you have a compelling reason to use a CNAME. When you use a CNAME record, it may force a second lookup in order to resolve the hostname.

The MX record should be for the FQDN to which mail is going to be delivered, and point to a hostname that resolves to the mail server's IP address. Thus, the MX record for website1.com *could* point to either mail.website1.com or mail.mydomain.net. Typically, in a shared environment you would include an A record for mail.website1.com that points to the correct IP, and an MX record for website1.com that points to mail.website1.com.

SPF records aren't my strong point, but it seems to me that "Received-SPF: neutral" would indicate that the receiving MTA cannot determine whether the originating server is authorized by the SPF record. I'd have to see the domain's entire zone file to pinpoint the problem, but it would appear that there is something amiss with the MX and A records for website2.com.

This might be due to SPF records, although none of the MTAs with which I have worked use SPF records as a criterion for tagging spam. It is more likely something else. Make sure that your server has a valid HELO (its base hostname is best), that the hostname resolves in DNS, and that there is a PTR record that points the IP address to the hostname. Finally, make sure that the address in the From: header is a valid mailbox, as some MTAs will do a callback to ensure that the email address isn't forged; if no host will take delivery of a message for the purported sender, it may well be tagged as spam or even bounced. Sending mail from a script as "nobody@webserver.hostname.com" (or even more egregious, "nobody@localhost") would be a good example of that.

Again, use A records to avoid the potential extra lookup unless you have a compelling reason to use a CNAME. CNAME records are typically used to simplify administration in a zone that is dynamic to some extent, i.e., the IP addresses change, or might change, frequently enough that adjusting *all* the records would be onerous. Thus, if you have domain.com and you know that ftp.domain.com will always point to that same IP address, you might choose to use a CNAME for ftp.domain.com and point it to domain.com. Should the IP address for domain.com change, you only need to update the A record for domain.com and the record for ftp.domain.com will be good already.

Hi zaichik,

Thank you very much for reply, it has definitely been invaluable. I seem to now have a grasp on DNS zone files.

Concerning my questions on the SPF Records being tagged as neutral when an email belonging to website2.com was being sent through mydomain.net, I realized that by adding the TXT record "v=spf1 include:mail.mydomain.net" to website2.com would fix the problem. Currently no mail is being tagged as spam.

Also since I am using a static IP address and according to your suggestion (due to extra lookups) I have changed webmail, mail, etc, CNAME records to A records.

Once again thanks for your help!

Regards,
Istvan Cebrian

I set the filtering devices to 'block' email in which the senders dns domain if the ip range is not included in the txt records.

The year is 2011 and it is time SPF is put in place, it would cut down on enormous amounts of spam/spoofed emails and all kinds of unwanted/waste of time emails.

I work at an ISP and push the burden back to the hosting company to fix their DNS, if you have SPF enabled in Bind then put your IP range in that can relay email.

This protects you from exploits and keeps bozo's from sending email from your 'domain' from other IP ranges.

It is a win-win and the reverse dns matching for the email servers as well.

This is a HUGE problem, I cannot for the life of me understand why some banks do NOT use SPF records, they are set to 'soft-fail' so spammers/criminals send out impostor emails using their domain...

It is a mess, I do not think IPv6 is going to solve the problem of spam/spoofed emails since there are millions of bot machines and exploited email servers that are open-relays and not setup correctly.

Remember a ~ is a softfail and a - is a hardfail...

Just my thoughts...