Print Page | Close Window

SPF/DNS Question

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5906
Printed Date: 13 December 2017 at 7:38pm


Topic: SPF/DNS Question
Posted By: answerman
Subject: SPF/DNS Question
Date Posted: 07 December 2006 at 2:14pm
Not necessarily a Spam Filter question (more of a DNS question), but I assume that this has come up for some of you...

Just installed the eval version of Spam Filter, which gives us SPF filtering (something we did not have in place before).  I had a message from a client fail SPF, and in looking at the logs figured out that the reason is:

She is using her ISP's SMTP server to send mail (due to port 25 blocking for that particular ISP).  Fairly common workaround.  However, the SPF record in DNS for her domain doesn't match as a result, so the message failed Spam Filter's SPF filter.

My solution was to add her ISP's mailserver as an a: argument in the TXT record in DNS, in addition to the ip4: record, like this (names and IP addresses changed to protect the innocent):

(old TXT)
v=spf1 ip4:123.123.123.0/24 -all

(new TXT)
v=spf1 a:smtp.mail.isp.com ip4:123.123.123.0/24 -all

Is this the standard way to solve this?  Or, anyone have a better way?  I have about 10 clients that I expect to have this issue.

Note: I would love to use port 587 as an alternate so that they could just use our SMTP server, but I don't really want to pay Imail's exorbitant price to upgrade just to get the 587 functionality.



Replies:
Posted By: LogSat
Date Posted: 07 December 2006 at 2:25pm
Yes, adding the "a" section to the SPF record shold work just fine.

As a side-note, SpamFilter supports SSL over SMTP, so you could have your customers connect to SPamFilter via SSL on port 465. In version 3, we also support SMTP authentication via Active Directory, LDAP, and Unix-style password files. Your users could then use SpamFilter as their "outgoing SMTP server" if they can authenticate. If authentication is not an option, you could add their IPs to an IP whitelist so they can relay their emails thru SpamFilter.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window