by wahern 2164 days ago
Not for simple setups. If the same servers are used for both ingoing and outgoing, "mx" is all you want or really need.

If you use a third-party hosting service for webmail, IMAP, etc, where they might also handle outgoing for particular clients, or for hosted outbound services (EasyDNS offers this), then you would usually "include:" their SPF records rather than copy their rules and addresses.

Theoretically, hardcoding some addresses might be useful as a performance optimization or failsafe, but I'm not sure the value is that great, and it adds to the workload and disruption risk if and when you have to move networks. But maybe the value is greater than I'm aware.


I don’t think that an SPF record with just mx -all gives you that. You need to put IP addresses, IP address blocks, or hosts for the SPF to be valid.

Maybe the author left out the host in the assumption that the reader would understand that part but essentially mx -all tells mail servers and inbox providers to soft fail all mail from the domain.

Most of the mechanisms (a, ip4, ip6, mx, and ptr) effectively resolve to one or more IP addresses which are then matched against the sender IP address. The "mx" mechanism will query the MX records for the envelope (MAIL FROM) sender domain, query the A records for every MX record, and then try to match all those resolved IP addresses to the sender IP address. If one of the IP addresses matches, then the mechanism's action qualifier is applied, short-circuiting further resolution. As the default qualifier is "+" (pass), a match on "mx" (i.e. "+mx") means to accept the message.

If your MX hosts are the only permissible outbound hosts, and the inbound and outbound IP addresses are the same, then the "mx" mechanism is all you need. The very purpose of the "mx" mechanism and most others is to avoid having to hardcode IP addresses in your policy.
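
The resolution order wahern describes (expand each mechanism to addresses, compare with the sender IP, apply the first matching term's qualifier, default "+"), as an added example that is not code from the thread: a minimal Python SPF evaluator over a constructed DNS table. The example.test, hosted.test and _spf.provider.test names and all their records are made up for the demo; it covers mx, a, ip4, ip6, include and all, and shows that "v=spf1 mx -all" evaluates without any literal address in the record.

```python
import ipaddress

# Constructed DNS data for hypothetical domains; none of these are real records.
DNS = {
    ("example.test", "TXT"): ["v=spf1 mx -all"],
    ("example.test", "MX"): ["mail1.example.test", "mail2.example.test"],
    ("mail1.example.test", "A"): ["192.0.2.10"],
    ("mail2.example.test", "A"): ["192.0.2.11"],
    ("mail2.example.test", "AAAA"): ["2001:db8::11"],
    ("hosted.test", "TXT"): ["v=spf1 include:_spf.provider.test ~all"],
    ("_spf.provider.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])  # stand-in for a real DNS query

def host_addresses(name):
    """All A/AAAA addresses of a hostname, as the 'a' and 'mx' mechanisms need them."""
    return {ipaddress.ip_address(a) for r in ("A", "AAAA") for a in lookup(name, r)}

def mechanism_matches(mech, domain, ip):
    """True if the sender IP is covered by one mechanism (qualifier already stripped)."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in host_addresses(arg or domain)
    if name == "mx":
        # Resolve every MX target of the domain and compare each address with the sender.
        return any(ip in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
    if name == "include":
        # include:domain matches only if the other domain's record yields "pass".
        return check_spf(arg, ip) == "pass"
    raise ValueError(f"unsupported mechanism {name!r}")

def check_spf(domain, sender_ip):
    """Evaluate a domain's SPF record left to right; the first matching term decides."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default qualifier is "+"
        if mechanism_matches(term.lstrip("+-~?"), domain, ip):
            return QUALIFIERS[qualifier]  # short-circuit on the first match
    return "neutral"  # nothing matched and no "all" term was present
```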

Yes, but as a matter of syntax, don’t you have to specify the IP address? What is the mx referring to in your example?

v=spf1 ip4:198.51.100.123 ~all

I think the ptr mechanism’s deprecated.

Anyway, if you’re correct that a valid and complete SPF record can be published without an IP address, IP address block, or included hosts, then I’ve learned something new today.

So you are saying that v=spf1 mx -all is a valid and complete SPF record?