#1  
Old 15th May 2007, 14:10
beryl
No SPF record.

Hi there,

No matter how I change the SPF record in ISPConfig, it won't show up in DNS report or other SPF tests.
I've run the domain through DNS report and it finds nameservers, reverse, and also SOA and MX servers; all is OK. But not SPF records; it says it can't find any.

I can however send to Hotmail and Google without problems.

But it would be nice if the SPF records were working as they should.

This is what I have in the SPF:

Hostname: mail
Are emails sent from A Record?: Yes
Are emails sent from MX Record?: Yes
Are emails sent from all servers of this domain?: Yes
Are emails sent from other A Records?: mail.domain.com
Are emails sent from other MX Records?: mail.domain.com
Are emails sent from other IP addresses?: my server IP number
Inherit SPF Record from this zone?: my ISP SMTP server.
contain all hosts allowed to send emails for this domain?: Yes

Does anyone know what is wrong?
I've also noticed that I have both BIND and BIND9 installed.
Can that cause any problems?
  #2  
Old 15th May 2007, 14:29
edge

When you do a DNS report on your domain, do the "NS records at parent servers" returned show your own DNS server info?
__________________
Never execute code written on a Friday or a Monday.
  #3  
Old 15th May 2007, 14:43
beryl

Yes, everything else is OK and it shows that it goes through my ISPConfig nameservers.

If you want me to post the whole report, I can do so.

This is it; I've changed the domain name to mydomain.com and the IP.
(Don't want any unwanted visitors while I'm putting it up.)

Category Status Test Name Information
INFO NS records at parent servers Your NS records at the parent servers are:

ns1.mydomain.com. [81.80.157.151] [TTL=172800] [DE]
ns2.mydomain. [81.80.157.151] [TTL=172800] [DE]
[These were obtained from l.gtld-servers.net]
PASS Glue at parent nameservers OK.
PASS DNS servers have A records OK.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

ns1.mydomain.com. [81.80.157.151] [TTL=86400]
ns2.mydomain.com. [81.80.157.151] [TTL=86400]
PASS Open DNS servers OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).
PASS Mismatched glue OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.
PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
FAIL Number of nameservers ERROR: You have 2 nameservers, but both are on the same IP! This is not a valid setup. You are required to have at least 2 nameservers, per RFC 1035 section 2.2.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS Missing nameservers 2 OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.
PASS No CNAMEs for domain OK. There are no CNAMEs for mydomain.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
WARN Nameservers on separate class C's WARNING: All of your nameservers (listed at the parent nameservers) are in the same Class C (technically, /24) address space, which means that they are probably at the same physical location. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS TCP Allowed OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
FAIL Single Point of Failure ERROR: Although you have at least 2 NS records, they both point to the same server, resulting in a single point of failure. You are required to have at least 2 nameservers per RFC 1035 section 2.2.
INFO Nameservers versions Your nameservers have the following versions:

81.80.157.151: "8.4.7-REL-NOESW"
81.80.157.151: "8.4.7-REL-NOESW"
PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=86400] is:

Primary nameserver: ns1.mydomain.com.
Hostmaster E-mail address: admin.mydomain.com.
Serial #: 2007051304
Refresh: 28800
Retry: 7200
Expire: 604800
Default TTL: 86400
PASS NS agreement on SOA serial # OK.
PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: ns1.mydomain.com.. That server is listed at the parent servers, which is correct.

PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: admin@mydomain.com. (techie note: we have changed the initial '.' to an '@' for display purposes).
PASS SOA Serial Number OK. Your SOA serial number is: 2007051304. This appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. So this indicates that your DNS was last updated on 13 May 2007 (and was revision #4). This number must be incremented every time you make a DNS change.
PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 28800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
PASS SOA RETRY value OK. Your SOA RETRY interval is : 7200 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS SOA EXPIRE value OK. Your SOA EXPIRE time: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 86400 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 1 MX record is:

10 mail.mydomain.com. [TTL=86400] IP=81.80.157.151 [TTL=86400] [DE]
PASS Low port test OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
INFO Multiple MX records NOTE: You only have 1 MX record.
PASS Differing MX-A records OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS Reverse DNS entries for MX records OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries.
Mail PASS Connect to mail servers OK: I was able to connect to all of your mailservers.
PASS Mail server host name in greeting OK: All of your mailservers have their host name in the greeting:

mail.mydomain.com:
220 reverse.mydomain.com ESMTP Postfix (Debian/GNU)
PASS Acceptance of NULL <> sender OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).
PASS Acceptance of postmaster address OK: All of your mailservers accept mail to postmaster@mydomain.com (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).
PASS Acceptance of abuse address OK: All of your mailservers accept mail to abuse@mydomain.com.
PASS Acceptance of domain literals OK: All of your mailservers accept mail in the domain literal format (user@[81.80.157.151]).
PASS Open relay test OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.

mail.mydomain.com OK: 554 5.7.1 <Not.abuse.see.www.DNSreport.com.from.IP.81.170.237.117@DNSreport.com>: Relay access denied
WARN SPF record Your domain does not have an SPF record.
WWW
INFO WWW Record Your www.mydomain.com A record is:

www.mydomain.com. A 81.80.157.151 [TTL=86400] [DE]
PASS All WWW IPs public OK.
PASS CNAME Lookup OK.
INFO Domain A Lookup Your mydomain.com A record is:

mydomain.com. A 81.80.157.151 [TTL=86400]

Last edited by beryl; 15th May 2007 at 15:18.
  #4  
Old 16th May 2007, 16:11
falko

What's the output of
Code:
dig txt mydomain.com
? What's in mydomain.com's zone file?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #5  
Old 16th May 2007, 16:18
beryl

dig txt mydomain.com

; <<>> DiG 9.3.4 <<>> txt mydomain.comno pri.mydomain.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25744
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.com. IN TXT

;; AUTHORITY SECTION:
mydomain.com. 10800 IN SOA ns1.mydomain.com. admin.mydomain.com. 2007051304 28800 7200 604800 86400


Zone file:
mail.mydomain.com. TXT "v=spf1 ip4:81.80.157.151 a mx ptr a:mail.mydomain.com mx:mail.mydomain.com include:mail2.bahnhof.se ~all"
  #6  
Old 17th May 2007, 15:58
falko

Quote:
Originally Posted by beryl
Zone file:
mail.mydomain.com. TXT "v=spf1 ip4:81.80.157.151 a mx ptr a:mail.mydomain.com mx:mail.mydomain.com include:mail2.bahnhof.se ~all"

Change it to
Code:
mydomain.com.       TXT  "v=spf1 ip4:81.80.157.151 a mx ptr a:mail.mydomain.com mx:mail.mydomain.com include:mail2.bahnhof.se ~all"
(without the mail at the beginning). Restart BIND afterwards.
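The fix above works because receivers look up the SPF TXT record at the domain used in the sender address, not at the mail server's hostname. As an added example (not part of the thread and not ISPConfig code), this sketch scans zone-file text and reports whether the SPF record sits at the name receivers will query; the function names are hypothetical and it assumes one record per line with an explicit owner name.

```python
import re

# Simplified zone-line matcher: owner, optional TTL, optional class, TXT, quoted data.
TXT_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(?P<data>".*")\s*$', re.IGNORECASE)

def fqdn(owner, origin):
    """Expand a zone-file owner name to a lowercase FQDN without trailing dot."""
    origin = origin.rstrip(".").lower()
    owner = owner.lower()
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner.rstrip(".")
    return f"{owner}.{origin}"  # relative name: the zone origin is appended

def spf_owners(zone_text, origin):
    """Map each owner name to the SPF strings published there."""
    found = {}
    for line in zone_text.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        # Join "part1" "part2" character-strings the way SPF evaluation does.
        text = "".join(re.findall(r'"([^"]*)"', m.group("data")))
        if text.lower() == "v=spf1" or text.lower().startswith("v=spf1 "):
            found.setdefault(fqdn(m.group("owner"), origin), []).append(text)
    return found

def check_spf_placement(zone_text, origin, mail_domain):
    """Classify SPF publication for the domain after the @ in sender addresses."""
    owners = spf_owners(zone_text, origin)
    target = mail_domain.rstrip(".").lower()
    here = owners.get(target, [])
    if len(here) == 1:
        return "ok", [target]
    if len(here) > 1:
        return "multiple", [target]  # several SPF records yield permerror (RFC 7208)
    elsewhere = sorted(owners)
    return ("misplaced" if elsewhere else "missing"), elsewhere

# Constructed sample zones using the record text and placeholder domain from the thread.
SPF = "v=spf1 ip4:81.80.157.151 a mx ptr a:mail.mydomain.com mx:mail.mydomain.com include:mail2.bahnhof.se ~all"
BEFORE = f'mail.mydomain.com. TXT "{SPF}"\n'
AFTER = f'mydomain.com. TXT "{SPF}"\n'

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, check_spf_placement(zone, "mydomain.com.", "mydomain.com"))
```

A "misplaced" result lists the owner names where an SPF record was found, which is the situation the DNS report showed as "does not have an SPF record".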
  #7  
Old 17th May 2007, 19:52
beryl beryl is offline
Junior Member
 
Join Date: May 2007
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts
 
Default

Hmm, so when I remove the Hostname, it works.
This really should be in the manual!

Thank you very very much for the help!

Last edited by beryl; 17th May 2007 at 20:03.
All times are GMT +2.