Re: [qmailtoaster] yahoo deferrals fix - Really SPF checking

2008-12-02 Thread Jake Vickers

Jake Vickers wrote:


Not my recommendation - that's what he has in his DNS records right 
now. I was pointing out that it limited emails to a single IP.  I just 
wasn't as elaborate in my explanation as you were Dan.  Could you 
maybe make a wiki entry explaining it for newcomers?


Hey Dan - just saw the SPF entry on the wiki. Thanks!  Very detailed!



Re: [qmailtoaster] yahoo deferrals fix - Really SPF checking

2008-11-27 Thread Dan McAllister
Just to throw my 2-cents worth in here... but I think (e.g.: my opinion) 
that Jake's SPF record recommendation is too restrictive. The A record 
for your domain very likely may not be the same server as your mail 
server (in other words, your main web server -- usually the A record for 
your domain -- may not be your mail server too...)


My preferred SPF entry would, therefore, include an MX entry to add 
ALL of the MX records from your domain:

v=spf1 a mx -all

As for having all those extra SPF records, there apparently needs to 
be some explanation of how SPF works... to make it as simple as 
possible, let's just look at the processing of an SPF check:

- I get mail from [EMAIL PROTECTED]   (a FAKE e-mail address, to be sure!)
- I do a DNS TXT lookup for the domain -- effectively, a dig txt 
qmt.com, or more up-to-date, dig spf qmt.com

- I look up the SPF records there (and see v=spf1 a mx -all)
- I look up the A record & MX record(s) of the domain (dig a qmt.com & 
dig mx qmt.com)
- I compare the IP address SENDING the message against the IP addresses 
discovered above

- If there is a match, you PASS SPF checking
- If there is NO match, you FAIL SPF checking & I block you (the -all)

So, you really only need the SPF record for the DOMAINs you send/receive 
mail with... and the extra TXT records for mail*.solowtech.com & 
http*.solowtech.com won't actually affect anything for the domain 
solowtech.com (which is, presumably, the domain of your emails).


Thus, although you dismiss your first SPF entry as being just your web 
host, the fact that IT includes both A and MX entries is why your SPF 
is working!


Now, if you have other hosts that may send e-mail on behalf of your 
domain, but are NOT also mail servers (like a backup server, or 
alternate web server that want to send logs or alerts), then you just 
add those servers to your ONE SPF record... like this:

 v=spf1 a mx ip4:71.21.142.30 -all

Now, SPF checking mail servers will accept messages from the 
solowtech.com domain so long as they come from:

- The A record for solowtech.com (67.212.79.197)
- Any of the MX records for solowtech.com (only 67.212.79.220 currently)
- The IP Address of 71.21.142.30 (the ip4 option)

SO... since this is the holiday season, I'll do most of the work for you 
and say that:
1) you should probably have a backup mail server (you currently have 
only the 1 MX record, you should have more)
2) If all of the hosts in your posting below are supposed to be valid 
sources of email, and

   'mail.solowtech.com resolves to 67.212.79.198
   'mail2.solowtech.com resolves to 67.212.79.198 too
   'mail17.solowtech.com resolves to 67.212.79.220
   'mail21.solowtech.com resolves to 67.212.79.221
   'http2.solowtech.com resolves to 67.212.79.198 too
   THEN, your SPF record may need to look like:
 v=spf1 a mx ip4:67.212.79.198 ip4:67.212.79.221 -all
   HOWEVER, since 197 (a) & 220 (mx) are already there, you COULD get 
fancy and use the prefix option and get the same using

   v=spf1 a/30 mx/31 -all
   which equates to your A record with a 30-bit prefix -- effectively, 
67.212.79.196-199...

   plus your MX record with a 31-bit prefix (67.212.79.220-221)
   You MIGHT want to use the REAL netmasks that you might control... e.g.:
   v=spf1 a/19 -all
   which would equate to 67.212.79.192-223

Sigh SO MANY possibilities!

I hope this helps!

Dan
IT4SOHO

We make IT work for small business!

Paul Heard wrote:

Hi Jake,

Thanks for your extra effort. You are the best.

I test my DK using [EMAIL PROTECTED]

It's crazy how many different test emails will give 
back different results.


This address works for me, and yahoo is accepting my DK.

Your point about spf is interesting.

My spf records check out in several tests,
but you are correct in your observation that
the A record and MX box will not resolve to the 
same IP.


I think my spf records for this domain may be wrong.

'solowtech.com:v=spf1 a mx -all:3600
'mail.solowtech.com:v=spf1 a -all:3600
'mail2.solowtech.com:v=spf1 a -all:3600
'mail17.solowtech.com:v=spf1 a -all:3600
'mail21.solowtech.com:v=spf1 a -all:3600
'http2.solowtech.com:v=spf1 a -all:3600

The first entry is just for a web host.
Rarely sends mail.

The other entries are all running qmail of some form.

My DNS servers serve the same data file.

I hear what you are saying about the 12 hours,
24-48 hours, but I wish I could say that's been
my experience.

I have been working on this for over a month.
Forms, phone calls, DK, SPF...

The cron queue flush was out of desperation.

Having said that, I've been running it now
for a day, the yahoo mail is going through...

Fire and gasoline... 


Thanks Jake.

-Original Message-
From: Jake Vickers [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 26, 2008 7:19 AM

To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] yahoo deferrals fix

Paul Heard wrote:
  

Hi Jake,

Not sure why qmail is not succeeding in the 5 minute retries.
I have my 
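
The SPF check Dan walks through above (fetch the TXT record, expand a/mx/ip4, compare the sending IP, first match wins) and his a/30, mx/31 and a/19 prefix variants, as an added example that is not part of the thread or of qmailtoaster. It is a small Python evaluator over a constructed inline zone: the addresses are the solowtech.com ones quoted in the thread, but the zone layout, the single MX host and the mechanism subset are assumptions made for this example, and no real DNS is queried.

```python
"""Minimal SPF evaluator over a constructed, inline zone (no network).

Mirrors the processing described in the thread: take the domain's
v=spf1 TXT record, expand each a/mx/ip4 mechanism (with optional CIDR
prefix) into networks, and test the sending IP against them in order;
the first matching mechanism decides the result.
"""
import ipaddress

# Constructed zone data standing in for the dig a / dig mx / dig txt lookups.
# The addresses are the ones quoted in the thread for solowtech.com; the
# record layout itself is an assumption made for this example.
ZONE = {
    "solowtech.com": {
        "A": ["67.212.79.197"],
        "MX": [(10, "mail17.solowtech.com")],
        "TXT": ["v=spf1 a mx -all"],
    },
    "mail17.solowtech.com": {"A": ["67.212.79.220"]},
    "mail21.solowtech.com": {"A": ["67.212.79.221"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def _networks(addrs, prefix):
    # strict=False lets "67.212.79.197/30" become the network 67.212.79.196/30
    return [ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs]


def expand(mechanism, domain):
    """Expand one mechanism ("a", "mx/31", "a:host/28", "ip4:1.2.3.0/24") into networks."""
    body, _, prefix = mechanism.partition("/")
    name, _, arg = body.partition(":")
    if name in ("ip4", "ip6"):
        cidr = f"{arg}/{prefix}" if prefix else arg  # bare address -> /32 or /128
        return [ipaddress.ip_network(cidr, strict=False)]
    target = arg or domain
    prefix = prefix or "32"  # the constructed zone is IPv4-only
    if name == "a":
        return _networks(lookup(target, "A"), prefix)
    if name == "mx":
        hosts = [host for _, host in lookup(target, "MX")]
        return [n for host in hosts for n in _networks(lookup(host, "A"), prefix)]
    raise ValueError(f"unsupported mechanism: {mechanism}")  # include/ptr/exists not modelled


def check_record(ip, record, domain):
    """Evaluate a given SPF record for a sending IP; returns the SPF result string."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if "=" in term:
            continue  # modifiers such as redirect=/exp= are not handled here
        qual, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        try:
            matched = mech == "all" or any(addr in net for net in expand(mech, domain))
        except ValueError:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term


def check_host(ip, domain):
    """The full check: fetch the domain's record, then evaluate it."""
    record = spf_record(domain)
    if record is None:
        return "none"
    return check_record(ip, record, domain)


if __name__ == "__main__":
    for ip in ("67.212.79.197", "67.212.79.220", "67.212.79.198"):
        print(ip, check_host(ip, "solowtech.com"))
    for rec in ("v=spf1 a/30 mx/31 -all", "v=spf1 a/27 -all", "v=spf1 a/19 -all"):
        nets = [n.with_prefixlen for m in rec.split()[1:-1] for n in expand(m, "solowtech.com")]
        print(rec, "->", nets)
```

Running it prints the expansions, which is the quickest way to sanity-check a prefix before publishing it: a/30 on 67.212.79.197 gives 67.212.79.196/30 (.196 to .199) and mx/31 on .220 gives 67.212.79.220/31 (.220 to .221), as in the thread, whereas a/19 gives 67.212.64.0/19 (67.212.64.0 through 67.212.95.255, 8192 addresses); the .192 to .223 range corresponds to a/27. Anything that large authorises every neighbour in the provider's block to send as your domain. This toy stops at a/mx/ip4/ip6/all: include, redirect, ptr, exists, macros and the lookup limits of a real SPF library (pyspf, for instance) are not modelled, so use it to reason about records, not to filter mail.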

Re: [qmailtoaster] yahoo deferrals fix - Really SPF checking

2008-11-27 Thread Jake Vickers

Dan McAllister wrote:
Just to throw my 2-cents worth in here... but I think (e.g.: my 
opinion) that Jake's SPF record recommendation is too restrictive. The 
A record for your domain very likely may not be the same server as 
your mail server (in other words, your main web server -- usually the 
A record for your domain -- may not be your mail server too...)




Not my recommendation - that's what he has in his DNS records right now. 
I was pointing out that it limited emails to a single IP.  I just wasn't 
as elaborate in my explanation as you were Dan.  Could you maybe make a 
wiki entry explaining it for newcomers?


His DNS records also do not match - they may be serving the same zone 
information, but they're returning different serial numbers:


67.212.79.216: 1227669377
67.212.79.217: 1227667882


Which normally in the DNS world means that .217 has not updated the zone 
info from .216 yet.