Google Apps Domain Create SPF Records For BIND or Djbdns

Posted on October 19, 2010 · 3 comments · Last updated October 22, 2010

I work for a small business and we outsourced our email hosting to Google. However, I noticed that spammers are forging our From: address (First Last) on their spam messages. All of the bounced messages land in our catch-all account. How do I stop this? How do I validate our domain using SPF? How do I configure SPF for a Google Apps domain using BIND 9 or djbdns?

You must create a Sender Policy Framework (SPF) record for every domain that you use to send email. An SPF record identifies which mail servers are permitted to send email on behalf of your domain. This is used to prevent spammers from sending messages with forged From addresses at your domain, such as foo@example.com, where foo is not even a valid username. In this example, a spammer uses foo@example.com to send spam to vivek@nixcraft.net.in. When my mail server receives a message from foo@example.com, it checks the SPF record for example.com to find out whether the message is legitimate. If the message comes from a server other than the mail servers listed in the SPF record, my mail server can reject it or mark it as spam.

Sample Setup

   nixcraft.com can send email using ALL of the following servers:
      ///
       |                                        +----------------------+
    Mail Server (point to)                      | server1.nixcraft.com | w/ local sendmail 74.86.48.99
       |                             +----------+----------------------+
   +------------+                    |
   |   Google   |                    |          +----------------------+
   |   Apps     |                    |          | server2.nixcraft.com | w/ local sendmail 74.86.48.98
   |   Mail     +--------------------+----------+----------------------+
   |   Server   |                    |
   +------------+                    |          +----------------------+
         |                           |          | server3.nixcraft.com | w/ local sendmail 74.86.48.102
 nixcraft.com.s7b1.psmtp.com.        +----------+----------------------+
 nixcraft.com.s7b2.psmtp.com.
 nixcraft.com.s7a1.psmtp.com.
 nixcraft.com.s7a2.psmtp.com.

Consider the following examples:
$ host -t mx nixcraft.com
Sample outputs:

nixcraft.com mail is handled by 4 nixcraft.com.s7b2.psmtp.com.
nixcraft.com mail is handled by 1 nixcraft.com.s7a1.psmtp.com.
nixcraft.com mail is handled by 2 nixcraft.com.s7a2.psmtp.com.
nixcraft.com mail is handled by 3 nixcraft.com.s7b1.psmtp.com.

The above four MX servers receive mail for the nixcraft.com domain, and all of them are managed by Google Apps. However, nixcraft.com also has 3 KVM-based VPS servers hosting its website, and those 3 nodes send email to its customers and users as well. You need to add them to your list too:
kvm1: 74.86.48.99
kvm2: 74.86.48.98
kvm3: 74.86.48.102

Finally, the domain's own public IP address may also send email to customers or users:
$ host nixcraft.com
Sample outputs:

75.126.153.214

How Do I Build an SPF Record for nixcraft.com?

You need to add the following entry to the nixcraft.com zone file (BIND 9 syntax):

@                       3600   IN TXT   "v=spf1 a mx ip4:74.86.48.99 ip4:74.86.48.98 ip4:74.86.48.102 include:_spf.google.com ~all"

If you are using djbdns, enter:

'nixcraft.com:v=spf1 ip4\07274.86.48.99 ip4\07274.86.48.102 ip4\07274.86.48.98 a mx include\072_spf.google.com ~all:3600
'nixcraft.com.s7a1.psmtp.com:v=spf1 a -all:3600
'nixcraft.com.s7a2.psmtp.com:v=spf1 a -all:3600
'nixcraft.com.s7b1.psmtp.com:v=spf1 a -all:3600
'nixcraft.com.s7b2.psmtp.com:v=spf1 a -all:3600
's7a1.psmtp.com:v=spf1 a -all:3600
's7a2.psmtp.com:v=spf1 a -all:3600
's7b1.psmtp.com:v=spf1 a -all:3600
's7b2.psmtp.com:v=spf1 a -all:3600
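The only difference between the BIND and djbdns versions of the record is the encoding: in the tinydns data file a TXT record is written as 'fqdn:text:ttl, and since ':' is the field separator, every colon inside the SPF text has to appear as its three-digit octal escape \072 (which is why the line above reads ip4\07274.86.48.99). The following helper, added here as an example and not code from the original article or from djbdns, derives the data lines from the exact SPF string used in the BIND zone, and generates the locked-down "v=spf1 a -all" lines for the MX hostnames in the same way. The escaping rule it applies (colon, backslash and any non-printable byte become \nnn octal) is the one tinydns-data requires; the hostnames and addresses are the ones from the article.

```python
"""Generate tinydns (djbdns) TXT data lines from a BIND-style SPF record.

Added example, not code from the original article.  The tinydns data line
for a TXT record is  'fqdn:text:ttl  and ':' is the field separator, so
every colon in the SPF text is written as the octal escape \\072; tinydns
requires the same \\nnn escaping for backslashes and for any byte that is
not printable ASCII.
"""

# The SPF record from the article, exactly as it appears in the BIND zone.
SPF_NIXCRAFT = ("v=spf1 a mx ip4:74.86.48.99 ip4:74.86.48.98 ip4:74.86.48.102 "
                "include:_spf.google.com ~all")

# The Google Apps MX hostnames from the article.  Each gets a "v=spf1 a -all"
# record so the hostname may only be used (e.g. in HELO) by its own address.
MX_HOSTS = [
    "nixcraft.com.s7a1.psmtp.com",
    "nixcraft.com.s7a2.psmtp.com",
    "nixcraft.com.s7b1.psmtp.com",
    "nixcraft.com.s7b2.psmtp.com",
    "s7a1.psmtp.com", "s7a2.psmtp.com", "s7b1.psmtp.com", "s7b2.psmtp.com",
]


def tinydns_escape(text: str) -> str:
    """Escape a TXT payload for a tinydns data line.

    ':' (field separator) and '\\' (escape introducer) become \\nnn octal,
    as does every byte outside printable ASCII; everything else is copied.
    """
    out = []
    for byte in text.encode("utf-8"):
        if byte in (0x3A, 0x5C) or byte < 0x20 or byte > 0x7E:
            out.append("\\%03o" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def tinydns_txt_line(fqdn: str, text: str, ttl: int = 3600) -> str:
    """Return the  'fqdn:text:ttl  TXT line for the tinydns data file."""
    return "'%s:%s:%d" % (fqdn, tinydns_escape(text), ttl)


def tinydns_spf_data(domain, spf, mx_hosts, ttl=3600):
    """Data lines for the domain's SPF record plus a 'v=spf1 a -all'
    record for every MX hostname, matching the article's djbdns block."""
    lines = [tinydns_txt_line(domain, spf, ttl)]
    lines += [tinydns_txt_line(host, "v=spf1 a -all", ttl) for host in mx_hosts]
    return lines


if __name__ == "__main__":
    print("\n".join(tinydns_spf_data("nixcraft.com", SPF_NIXCRAFT, MX_HOSTS)))
```

Paste the printed lines into the tinydns data file and run make in the tinydns root; because the text is escaped mechanically, a record edited in the BIND zone can be regenerated for djbdns without retyping the \072 escapes.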

Where,

  • @ : The domain name, i.e. nixcraft.com.
  • 3600 : TTL for the record.
  • IN TXT "v=spf1 : Start of an SPF record.
  • a : nixcraft.com's IP address, 75.126.153.214, is allowed to send mail from nixcraft.com.
  • mx : The *.psmtp.com. MX servers are allowed to send mail from nixcraft.com.
  • ip4:74.86.48.99 : 74.86.48.99 is allowed to send mail from nixcraft.com.
  • ip4:74.86.48.98 : 74.86.48.98 is allowed to send mail from nixcraft.com.
  • ip4:74.86.48.102 : 74.86.48.102 is allowed to send mail from nixcraft.com.
  • include:_spf.google.com : Any server listed in the SPF record of _spf.google.com (a large number of Google Apps servers) is also allowed to send mail from nixcraft.com.
  • ~all : Messages that are not sent from an approved server should still be accepted, but may be subjected to greater scrutiny or spam checks (softfail).
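To see how a receiving mail server actually uses this record, the following evaluator walks the mechanisms left to right exactly as described above and returns the result the receiver acts on. It is an added example, not code from the original article or from any SPF library, and it resolves names against a small constructed DNS table so it runs offline: the A, MX and TXT records for nixcraft.com are the ones from the article, while the addresses of the psmtp.com MX hosts (192.0.2.x) and the content of _spf.google.com (ip4:198.51.100.0/24) are made-up placeholder values from documentation ranges (Google's real record is far larger). It covers the a, mx, ip4, include and all mechanisms with the + - ~ ? qualifiers; macros, ptr, exists, exp and redirect are not implemented.

```python
"""Evaluate an SPF record the way a receiving mail server does (RFC 7208 subset).

Added example, not code from the original article.  The receiver calls
check_host(<sender IP>, <domain from MAIL FROM or HELO>) and the first
mechanism that matches decides the result; the trailing "all" catches
everything else.  DNS is a constructed in-memory table so this runs offline.
"""
import ipaddress

DNS = {
    # Records taken from the article.
    "nixcraft.com": {
        "A":   ["75.126.153.214"],
        "MX":  ["nixcraft.com.s7a1.psmtp.com", "nixcraft.com.s7a2.psmtp.com",
                "nixcraft.com.s7b1.psmtp.com", "nixcraft.com.s7b2.psmtp.com"],
        "TXT": ["v=spf1 a mx ip4:74.86.48.99 ip4:74.86.48.98 ip4:74.86.48.102 "
                "include:_spf.google.com ~all"],
    },
    # Constructed addresses (RFC 5737 range) for the Google Apps MX hosts; the
    # "v=spf1 a -all" TXT records are the ones from the article's djbdns block.
    "nixcraft.com.s7a1.psmtp.com": {"A": ["192.0.2.11"], "TXT": ["v=spf1 a -all"]},
    "nixcraft.com.s7a2.psmtp.com": {"A": ["192.0.2.12"], "TXT": ["v=spf1 a -all"]},
    "nixcraft.com.s7b1.psmtp.com": {"A": ["192.0.2.21"], "TXT": ["v=spf1 a -all"]},
    "nixcraft.com.s7b2.psmtp.com": {"A": ["192.0.2.22"], "TXT": ["v=spf1 a -all"]},
    # Constructed stand-in for Google's include target (the real one is much larger).
    "_spf.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10   # RFC 7208 limit on DNS-querying mechanisms per evaluation


def lookup(name, rtype):
    """Resolve name/rtype against the constructed table (empty list if absent)."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_records(domain):
    """All v=spf1 TXT records for the domain; exactly one is expected."""
    return [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]


def ip_in_a_records(addr, name):
    return any(addr == ipaddress.ip_address(a) for a in lookup(name, "A"))


def check_host(ip, domain, budget=None):
    """Return one of: pass, fail, softfail, neutral, none, permerror."""
    budget = [MAX_DNS_TERMS] if budget is None else budget   # shared across includes
    records = spf_records(domain)
    if not records:
        return "none"            # no SPF record published
    if len(records) > 1:
        return "permerror"       # multiple v=spf1 records are invalid
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"   # too many DNS-querying mechanisms (also stops include loops)
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_in_a_records(addr, arg or domain)
        elif mech == "mx":
            matched = any(ip_in_a_records(addr, mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            sub = check_host(ip, arg, budget)
            if sub in ("none", "permerror"):
                return "permerror"   # a missing or broken included record is fatal
            matched = sub == "pass"  # fail/softfail/neutral inside an include do not match
        else:
            return "permerror"       # mechanism this evaluator does not know
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                 # no mechanism matched and no "all" present


if __name__ == "__main__":
    for sender in ("74.86.48.99", "75.126.153.214", "192.0.2.11", "198.51.100.25", "203.0.113.7"):
        print("%-16s nixcraft.com -> %s" % (sender, check_host(sender, "nixcraft.com")))
    print("203.0.113.7 claiming nixcraft.com.s7a1.psmtp.com ->",
          check_host("203.0.113.7", "nixcraft.com.s7a1.psmtp.com"))
```

Run as a script, the three KVM nodes, the web server's address and the MX hosts all produce pass, the address inside the _spf.google.com range passes through the include, and any other sender ends at the ~all term and is reported as softfail. Note the asymmetry with the per-host records: a forged HELO of nixcraft.com.s7a1.psmtp.com from an unlisted address produces a hard fail, because those records end in -all.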

Finally, reload BIND 9 named (don't forget to increase the zone's serial number first):
# /etc/init.d/named reload

How Do I Verify My SPF Records?

Type the following command:
$ dig txt nixcraft.com
OR
$ host -t txt nixcraft.com
Sample outputs:

nixcraft.com descriptive text "v=spf1 a mx ip4:74.86.48.99 ip4:74.86.48.98 ip4:74.86.48.102 include:_spf.google.com ~all"

1 Justin Best December 20, 2010 at 9:32 pm

Great article guys! However, unless you’re Spock you won’t be able to easily tell if your SPF record is properly formatted using the simple verification methods suggested here.

The official SPF Project site has a great wizard at http://www.openspf.org. Just type your domain name in and click “go”. The wizard will verify what settings you’ve got in place, and help you make changes.


2 Rajeesh September 15, 2011 at 7:25 am

Hi,
I have one email server and its MX is pointed to a public IP address. For this also, can I make the settings like this?
“v=spf1 a mx ip4:xxx.xxx.xxx.xxx include:_spf.google.com ~all”

Regards
Rajeesh.vp

