Although a: might be convenient and allow some potential future laziness, I hope you choose to go with ip4: as it saves receivers from extra DNS queries.
Ask yourself how often you will be changing your sending IP addresses. Saving a few minutes labor down the road vs. unknown huge number of wasted queries: it's your scale to balance.

My 2c.

~JasonG

> -----Original Message-----
> From: Sean Martin [mailto:seanmarti...@gmail.com]
> Sent: Monday, August 16, 2010 15:48
> To: MS-Exchange Admin Issues
> Subject: Re: Any SPF Wizzes Out There?
>
> Thanks for the additional clarification. I understood the concept of
> SPFs, just had hard time wrapping my head around the requirements.
>
> So my spf should be as simple as:
>
> "v=spf1 a:host.domain.com ~all"
>
> - Sean
>
> On Mon, Aug 16, 2010 at 11:40 AM, Ben Scott <mailvor...@gmail.com> wrote:
>
> > On Mon, Aug 16, 2010 at 3:21 PM, Sean Martin <seanmarti...@gmail.com> wrote:
> > > The SPF records only need to specify the interface establishing
> > > the SMTP session correct?
> >
> > SPF is most commonly used to say, "Mail from my domain can only
> > originate from these IP addresses". So what matters is how other
> > systems will see *your* systems.
> >
> > Whether "the interface establishing the SMTP session" is right will
> > depend on your environment and what you mean by "interface". For
> > example, if you mean the network interface in your Exchange server,
> > and you've got a proxy or NAT device between your Exchange server and
> > the public net, then the source IP address other systems see will be
> > the proxy/NAT device, not your Exchange server.
> >
> > If by "interface" you mean the interface in your proxy/NAT device,
> > then you're correct. Or if you're not using any of those, you're
> > correct.
> >
> > > I don't need to be concerned with any internal hops an e-mail
> > > takes before being delivered?
> >
> > You don't have to worry about internal mail hops before your
> > externally-facing MX, or additional "Received:" headers, or internal
> > IP route hops before a NAT/proxy.
> >
> > > I have two external interfaces e-mail can traverse, so my SPF
> > > record should look like this.....?
> > >
> > > "v=spf1 ip4:xxx.xxx.xxx.xxx, ip4:xxx.xxx.xxx.xxx a:host.domain.com ~all"
> >
> > If you're specifying acceptable senders by IP addresses, you
> > generally don't need to also specify them by name. The "a" directive
> > will result in a DNS lookup for the given name; any resulting A
> > records will then be considered acceptable senders. On the one hand,
> > this is redundant to the "ip4" directives and may slow things down.
> > On the other hand, if you change your mail configuration but forget to
> > update your SPF records, things may keep working. On the third hand,
> > if you can't remember to update your SPF records you have bigger
> > problems.
> >
> > I would tend to favor using just an "a" directive, referencing your
> > outbound MXes. If DNS is broken, chances are mail isn't going to flow
> > anyway. YMMV.
> >
> > -- Ben
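
The trade-off discussed in this thread (`a:` costs receivers a DNS query per check, `ip4:` costs none) can be checked mechanically. The following is an added example, not code from any participant in the thread: a small linter that counts the DNS-querying terms in an SPF record (RFC 7208 section 4.6.4 limits these to 10) and validates `ip4:`/`ip6:` arguments. The function name `analyze_spf` is hypothetical, the IP addresses are constructed from documentation ranges, and the count covers only the terms in the record itself, not lookups triggered inside an `include:` target.

```python
import ipaddress
import re

# Terms that make the receiver query DNS while evaluating the record
# (RFC 7208 section 4.6.4 caps these at 10 per SPF check).
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
OTHER_TERMS = {"all", "ip4", "ip6", "exp"}
# Optional qualifier, a name, then an optional ":", "=" or "/" argument.
TERM_RE = re.compile(r"^[+\-~?]?([A-Za-z][A-Za-z0-9]*)(?:[:=/](.*))?$")

def analyze_spf(record):
    """Return (dns_querying_terms, problems) for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["record does not start with v=spf1"]
    lookups, problems = 0, []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        name = m.group(1).lower() if m else ""
        arg = (m.group(2) or "") if m else ""
        if name in DNS_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            net = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
            try:
                net(arg, strict=False)  # accepts a single address or CIDR
            except ValueError:
                problems.append(f"bad {name} address: {arg!r}")
        elif name not in OTHER_TERMS:
            problems.append(f"unknown term: {term!r}")
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return lookups, problems

# Constructed sample records modelled on the ones in the thread.
BY_NAME = "v=spf1 a:host.domain.com ~all"
BY_IP = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.7 ~all"
# Terms are separated by spaces only, so a trailing comma becomes
# part of the address and the term no longer parses.
WITH_COMMA = "v=spf1 ip4:192.0.2.10, ip4:198.51.100.7 a:host.domain.com ~all"

if __name__ == "__main__":
    for rec in (BY_NAME, BY_IP, WITH_COMMA):
        print(rec, "->", analyze_spf(rec))
```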