Robert Sunsin
2011-04-19 15:03:17 UTC
Guys,
The domain we are working on we'll call domain1.com.
The original SPF record of domain1.com was this.
v=spf1 mx ptr ~all
Now we added this, in order to expand the allowed IPs that domain1.com can act as if it's sending from.
v=spf1 mx ptr include:domain2.com ~all
At domain2.com there is a hard fail or -all at the end of the SPF record, so let's just say that's this...
v=spf1 7.8.9.0/24 -all
Now, before this change occurred, domain1.com allowed an MX to send mail that is not part of the MXs specified in the DNS settings for domain1.com, and also the domain of the machine does not end in domain1.com, meaning it's not mail.domain1.com. That would be covered in the ptr portion of the SPF record.
The IP address of the machine and the DNS name we'll call this
mx3.domain3.com
6.7.8.9
This was the MX that was allowed to send, prior to the DNS update of the SPF record.
Now, I know that probably the reason that mx3.domain3.com was able to send mail out of domain1.com in the first place was because of the soft fail.
Does that mean that with the adding of the include of domain2.com to domain1.com, that made outgoing mail from mx3.domain3.com fail because of the hard fail at the end of domain2.com?
I thought that with the include directive the + or - or ~ at the end of the included domain, is not taken into account.
Thanks in advance.
rs
p.s.
Basically, what I am asking is this: Can the hardfail(-all) directive of an included domain, cause a previously soft failing email to hard fail?
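
The scenario in the post above, worked through as an added example that is not part of the original message: a minimal SPF evaluator following the include rule in RFC 7208 section 5.2. The lookup tables stand in for DNS and are constructed; the MX address 1.2.3.4 and the `ip4:` prefix on domain2.com's range are assumptions, and DNS errors (temperror/permerror) are not modelled.

```python
import ipaddress

# Constructed stand-ins for DNS, using the post's placeholder names.
# domain2.com's range is written with the "ip4:" prefix that SPF syntax requires.
SPF = {
    "domain1.com": "v=spf1 mx ptr include:domain2.com ~all",
    "domain2.com": "v=spf1 ip4:7.8.9.0/24 -all",
}
MX_IPS = {"domain1.com": {"1.2.3.4"}}         # assumed MX address
PTR_NAMES = {"6.7.8.9": {"mx3.domain3.com"}}  # validated reverse name (assumed)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def matches(mech, ip, domain):
    """Return True if one mechanism matches the connecting IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
    if name == "mx":
        return ip in MX_IPS.get(arg or domain, set())
    if name == "ptr":
        target = arg or domain
        names = PTR_NAMES.get(ip, set())
        return any(n == target or n.endswith("." + target) for n in names)
    if name == "include":
        # RFC 7208 section 5.2: only "pass" from the included record is a match.
        # Its fail/softfail/neutral mean "no match", so evaluation continues
        # in the including record and the included "-all" is never the verdict.
        return check_host(ip, arg) == "pass"
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain):
    """Evaluate the record left to right; the first matching mechanism decides."""
    for term in SPF[domain].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if matches(term.lstrip("+-~?"), ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"


if __name__ == "__main__":
    for ip in ("6.7.8.9", "7.8.9.10", "1.2.3.4"):
        print(ip, check_host(ip, "domain1.com"))
```

Evaluated directly against domain2.com, 6.7.8.9 gets `fail`; evaluated through domain1.com's `include:`, that result only means the include did not match, and the outer `~all` decides.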