Tuesday, November 9, 2010

Google Apps Domain Create SPF Records For BIND or Djbdns

SkyHi @ Tuesday, November 09, 2010
I work for a small business and outsourced our email hosting to Google. However, I noticed that spammers are using our From: First Last to send their spam messages. All bounced messages come to our catch only account. How do I stop this? How do I validate our domain using SPF? How do I configure a SPF for Google Apps domain using BIND 9 or djbdns?

You must create a Sender Policy Framework (SPF) recored for all your domains which are used to send emails. An SPF can identifies which mail servers are permitted to send email on behalf of your domain. This is used to prevent spammers from sending messages with forged From addresses at your domain such as foo@example.com, where foo is not a valid username. In this example, spammers use foo@example.com to send spam to vivek@nixcraft.net.in. When my mail server receives a message from foo@example.com, it will check the SPF record for example.com to find out if it is a valid message or not. If the message comes from a server other than the mail servers listed in the SPF record, than my mail server can reject it as spam or mark as spam.

Sample Setup

nixcraft.com can send email using the ALL of the following servers:
       |                                        +----------------------+
    Mail Server (point to)                      | server1.nixcraft.com | w/ local sendmail
       |                             +----------+----------------------+
   +------------+                    |
   |   Google   |                    |          +----------------------+
   |   Apps     |                    |          | server2.nixcraft.com | w/ local sendmail
   |   Mail     +--------------------+----------+----------------------+
   |   Server   |                    |
   +------------+                    |          +----------------------+
         |                           |          | server3.nixcraft.com | w/ local sendmail
 nixcraft.com.s7b1.psmtp.com.        +----------+----------------------+
Consider the following examples:
$ host -t mx nixcraft.com

Sample outputs:
nixcraft.com mail is handled by 4 nixcraft.com.s7b2.psmtp.com.
nixcraft.com mail is handled by 1 nixcraft.com.s7a1.psmtp.com.
nixcraft.com mail is handled by 2 nixcraft.com.s7a2.psmtp.com.
nixcraft.com mail is handled by 3 nixcraft.com.s7b1.psmtp.com.
Above four MX servers receive mail for nixcraft.com domain. All of the above servers are managed by Google apps. However, nixcraft.com has 3 KVM based vps server to host its website. Those 3 nodes also send emails to its customers or users. You need to add them to your list too:

Finally, its public ip address may also send an email to its customer or users:
$ host nixcraft.com
Sample outputs:

How Do I Build a SPF Record for nixcraft.com?

You need to add the entry as follows in nixcraft.com zone file (BIND 9 syntax):

@ 3600   IN TXT   "v=spf1 a mx ip4: ip4: ip4: include:_spf.google.com ~all"
If you are using djbdns, enter:

'nixcraft.com:v=spf1 ip4\07274.86.48.99 ip4\07274.86.48.102 ip4\07274.86.48.98 a mx include\072_spf.google.com ~all:3600
'nixcraft.com.s7a1.psmtp.com:v=spf1 a -all:3600
'nixcraft.com.s7a2.psmtp.com:v=spf1 a -all:3600
'nixcraft.com.s7b1.psmtp.com:v=spf1 a -all:3600
'nixcraft.com.s7b2.psmtp.com:v=spf1 a -all:3600
's7a1.psmtp.com:v=spf1 a -all:3600
's7a2.psmtp.com:v=spf1 a -all:3600
's7b1.psmtp.com:v=spf1 a -all:3600
's7b2.psmtp.com:v=spf1 a -all:3600

  • @ : Domain name i.e. nixcraft.com.
  • 3600 : TTL for domain recored.
  • IN TXT "v=spf1 : Start an SPF recored.
  • a : nixcraft.com's IP address is which is allowed to send mail from nixcraft.com.
  • mx : The *.psmtp.com. servers are allowed to send mail from nixcraft.com.
  • ip4: : is allowed to send mail from nixcraft.com.
  • ip4: : is allowed to send mail from nixcraft.com.
  • ip4: : is allowed to send mail from nixcraft.com.
  • include:_spf.google.com: Send mail from _spf.google.com (includes large number of Google apps server) is also allowed to send mail from nixcraft.com.
  • ~all : Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny or spam check.
Finally, reload your BIND 9 named (don't forget to increase serial number):
# /etc/init.d/named reload

How Do I Verify My SPF Records?

Type the following command:
$ dig txt nixcraft.com
$ host -t txt nixcraft.com

Sample outputs:

nixcraft.com descriptive text "v=spf1 a mx ip4: ip4: ip4: include:_spf.google.com ~all"