Domain SPF Records


Tekati
10th July 2010, 17:29
All,

Domain SPF Records...

As this would be my first commit to the ispconfig3 community I have a question or okay maybe a few.

First is it okay to add such an enhancement? Basically all I have done is add another button to the DNS records to allow you to place an SPF record into your DNS records.

Second by doing this I need to ALTER dns_rr table to add SPF to the enum for type. Would I simply add this alter statement to the pre_update.sql file?

Third seeing as Bind9 now supports the SPF type would it be a good idea to add it to the Default template so that users can benefit from its usage or let them add it on their own? Basically I would suggest this sort of Default Template.

[ZONE]
origin={DOMAIN}.
ns={NS1}.
mbox={EMAIL}.
refresh=28800
retry=7200
expire=604800
minimum=86400
ttl=86400

[DNS_RECORDS]
A|{DOMAIN}.|{IP}|0|86400
A|www|{IP}|0|86400
A|mail|{IP}|0|86400
NS|{DOMAIN}.|{NS1}.|0|86400
NS|{DOMAIN}.|{NS2}.|0|86400
MX|{DOMAIN}.|mail.{DOMAIN}.|10|86400
TXT|{DOMAIN}.|"v=spf1 mx -all"|0|86400
SPF|{DOMAIN}.|"v=spf1 mx -all"|0|86400

This allows only the MX servers for your domain (the ispconfig3 server, which is going to be the MX server) to send email for the domain. Of course the users could modify it as they see fit, but this gives them the best security practice they could have at the start.

Even though ispconfig is not actually using SPF currently, that is going to be one of my next projects, to see if we can't get it set up in ispconfig3. Sites like craigslist and a few others won't even let you send email to them without SPF records for your domain.
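As an added example (not part of the original post and not ISPConfig code), this Python check reads the `[DNS_RECORDS]` section of a template like the one proposed above and confirms that the TXT and SPF-type records carry the same single policy and that it ends restrictively. The function names and finding messages are assumptions made for illustration, and the sample template is constructed from the post.

```python
# Constructed sample: part of the [DNS_RECORDS] section proposed in the post.
TEMPLATE = """[DNS_RECORDS]
A|{DOMAIN}.|{IP}|0|86400
MX|{DOMAIN}.|mail.{DOMAIN}.|10|86400
TXT|{DOMAIN}.|"v=spf1 mx -all"|0|86400
SPF|{DOMAIN}.|"v=spf1 mx -all"|0|86400
"""

def parse_records(template):
    """Yield (type, name, data) from TYPE|NAME|DATA|AUX|TTL lines in [DNS_RECORDS]."""
    in_section = False
    for line in template.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[DNS_RECORDS]"
        elif in_section and line:
            rtype, name, data, _aux, _ttl = line.split("|")
            yield rtype.upper(), name, data.strip('"')

def audit_spf(template):
    """Return a list of findings; an empty list means the SPF setup is consistent."""
    policies = {"TXT": {}, "SPF": {}}  # record type -> name -> [policy strings]
    for rtype, name, data in parse_records(template):
        if rtype in policies and data.lower().split(" ")[0] == "v=spf1":
            policies[rtype].setdefault(name, []).append(data)
    findings = []
    if not policies["TXT"]:
        # RFC 7208 retired the SPF RR type; receivers look the policy up in TXT.
        findings.append("no TXT record carries an SPF policy")
    for name, found in policies["TXT"].items():
        if len(found) > 1:
            # More than one v=spf1 record at a name evaluates to permerror.
            findings.append(f"{name}: {len(found)} SPF policies in TXT (permerror)")
        for policy in found:
            # redirect= policies are out of scope for this narrow check.
            if policy.split()[-1].lower() not in ("-all", "~all"):
                findings.append(f"{name}: policy does not end in -all or ~all")
    for name, found in policies["SPF"].items():
        if sorted(found) != sorted(policies["TXT"].get(name, [])):
            findings.append(f"{name}: SPF-type record differs from TXT")
    return findings

if __name__ == "__main__":
    print(audit_spf(TEMPLATE) or "SPF records consistent")
```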

till
12th July 2010, 09:17
First is it okay to add such an enhancement?

Yes, of course :)

Second by doing this I need to ALTER dns_rr table to add SPF to the enum for type.

Have you tested this with mydns and powerdns? I fear that mydns will not accept this as a valid record, as spf records are of the type "TXT".

Would I simply add this alter statement to the pre_update.sql file?

Before 3.0.3, it is enough to alter the ispconfig3.sql file and change the enum type there. The pre_update.sql does not have to be changed.

After 3.0.3, there will be an incremental database update mechanism that I'm working on at the moment. So after 3.0.3, there is a separate database version number and you have to create an alter table statement in a separate file for every database version and do the change in the ispconfig3.sql file. I will add a readme file when I upload the changes to svn.

Third seeing as Bind9 now supports the SPF type would it be a good idea to add it to the Default template so that users can benefit from its usage or let them add it on their own? Basically I would suggest this sort of Default Template.

Should be added to the template too then.

admins
16th July 2010, 15:25
Forget SPF, it's an old system.
And it's not functional. Most providers don't use spf...

admins

damir
16th July 2010, 15:44
SPF is still used by hotmail and gmail.

admins
16th July 2010, 15:46
They remove it on their server ...

damir
16th July 2010, 16:03
They remove it on their server ...

Didn't know that, do you have any source that confirms that?

admins
16th July 2010, 16:05
I'm a google employee

till
16th July 2010, 16:17
The main problem that I see with SPF "in the wild" is that more spammer domains seem to have spf records than "normally" used domains. So it might be more successful to ban senders if they have an spf record to avoid spam :) So I would understand if large providers would start to remove spf.

damir
16th July 2010, 16:18
Yeah, and I'm the prince of Sweden :p If you can't show me the source of your information then I'm having a hard time believing you.

till
16th July 2010, 16:23
Spammers register domains for a day or a few days to send spam over them and then delete the domains to register new ones. These domains normally have valid spf records.

Here is an article from today from C't, which is Germany's largest professional IT newspaper. The article is in German but you might be able to translate it with e.g. Google Translate if you would like to read it:

http://www.heise.de/newsticker/meldung/Fliegender-Wechsel-bei-Spam-Domains-1039695.html

It is not about spf specifically, but what it shows is that SPF cannot work to prevent spamming, as they own the domain and so they can create their own spf record.

admins
16th July 2010, 16:28
That's true. For all: do not add spf entries. Your mails were not blocked because you haven't got an spf entry. Check your PTR records and more.

Because this technique does not prevent and it's really easy to avoid this function, Google and big companies remove their entries.

damir
16th July 2010, 16:31
Till:

I know that SPF is not that good, but I reacted to the statement that Google has dropped the need for SPF when I know that without a proper SPF record they mark mails as spam on both Gmail and Google Apps pro customers.

Then for the link, if we can set it up then they can too :) Damn, I hate those spammers