§2024-11-02
- Use dig to find SPF record
$ dig yushei.net txt
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> yushei.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yushei.net. IN TXT
;; ANSWER SECTION:
yushei.net. 7200 IN TXT "v=spf1 include:_spf.google.com mx a:yushei.net a:mail.yushei.net ip4:59.126.118.189 ip4:59.126.118.193 ip4:59.126.118.194 ip4:192.168.0.0/16 ~all"
;; Query time: 246 msec
;; SERVER: 168.95.192.1#53(168.95.192.1) (UDP)
;; WHEN: Sat Nov 02 07:52:27 CST 2024
;; MSG SIZE rcvd: 197
- SPF record for yushei.net:
v=spf1 include:_spf.google.com mx a:yushei.net a:mail.yushei.net ip4:59.126.118.189 ip4:59.126.118.193 ip4:59.126.118.194 ip4:192.168.0.0/16 ~all
- Components Explained
- v=spf1: This indicates the version of SPF being used. In this case, it’s SPF version 1.
- include:_spf.google.com: This means that the SPF settings defined in the _spf.google.com record are included. This is typically used to authorize Google’s mail servers (like those used in Google Workspace) to send emails on behalf of yushei.net.
- mx: This mechanism allows any mail servers listed in the MX (Mail Exchange) records for yushei.net to send emails. If you have mail servers configured for receiving emails, this authorizes them for sending as well.
- a:yushei.net: This allows the A record (the main IP address) for yushei.net to send emails. If the server's IP matches the A record for this domain, it’s authorized.
- a:mail.yushei.net: Similar to the previous one, this allows the A record for mail.yushei.net to send emails. If the server’s IP matches this A record, it’s also authorized.
- ip4:59.126.118.189, ip4:59.126.118.193, ip4:59.126.118.194: These mechanisms specify that the exact IP addresses 59.126.118.189, 59.126.118.193, and 59.126.118.194 are authorized to send email for the domain.
- ip4:192.168.0.0/16: This mechanism allows any IP address in the range 192.168.0.0 to 192.168.255.255 to send email for this domain. This is a private (RFC 1918) range, typically used for local network devices; because such addresses never appear as the source address of mail arriving from the public internet, this term authorizes nothing for external receivers and only adds noise to the record.
- ~all: This is the "all" mechanism, which sets the policy for emails that don't match any of the previous rules. The tilde (~) indicates a "soft fail": an email sent from an unauthorized server will not be outright rejected, but may be marked as suspicious or flagged for further inspection.
- v=spf1 redirect=_spf.google.com for gmail.com
- v=spf1: This indicates that the record is using SPF version 1.
- redirect=_spf.google.com: This directive tells the SPF checking server to look up the SPF record at _spf.google.com to find out which servers are authorized to send emails on behalf of the domain. Essentially, it redirects the SPF check to that record.
- Benefits of This Approach
- Simplification: Using redirect allows gmail.com to delegate SPF management to Google's SPF records, which can be easier to maintain, especially for a large organization with many sending IPs.
- Dynamic Updates: Any changes made to the _spf.google.com record automatically apply to gmail.com, ensuring that any new Google mail servers are immediately authorized without needing to update the gmail.com record itself.
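- Worked example (added here, not part of the original note): a small SPF evaluator that walks both records above, the yushei.net record with its ip4/a/mx/include/~all terms and the gmail.com redirect, and reports pass/softfail/neutral/none/permerror for a given sending IP. DNS answers come from a constructed in-memory table so it runs offline; the contents shown for _spf.google.com, the MX/A answers, and the loop.example record are placeholders I made up, not real DNS data. It also enforces the RFC 7208 limit of 10 DNS-querying terms, which is what stops an include loop.

```python
"""Minimal SPF evaluator (added example, not part of the original note).

DNS answers come from a constructed in-memory table so the code runs offline.
The contents shown for _spf.google.com and the MX/A answers are placeholders,
not real DNS data; only the two TXT records from the note are taken verbatim.
"""
import ipaddress

# Constructed stand-in for DNS: (name, record type) -> list of answers.
FAKE_DNS = {
    ("yushei.net", "TXT"): [
        "v=spf1 include:_spf.google.com mx a:yushei.net a:mail.yushei.net "
        "ip4:59.126.118.189 ip4:59.126.118.193 ip4:59.126.118.194 "
        "ip4:192.168.0.0/16 ~all"
    ],
    ("gmail.com", "TXT"): ["v=spf1 redirect=_spf.google.com"],
    # Placeholder for Google's record (the real one lists Google's netblocks).
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("yushei.net", "MX"): ["mail.yushei.net"],
    ("yushei.net", "A"): ["59.126.118.189"],
    ("mail.yushei.net", "A"): ["59.126.118.193"],
    # Deliberately self-referential record to exercise the lookup limit.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve against the constructed table (swap in real DNS in practice)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def check_host(ip, domain, lookups=None):
    """Return the SPF result for `ip` claiming to send as `domain`.

    Results: pass, fail, softfail, neutral, none (no record) or permerror.
    Only the mechanisms used in the note (ip4, a, mx, include, all, redirect)
    are implemented; anything else yields permerror.
    """
    if lookups is None:
        lookups = [0]  # mutable counter shared across include/redirect recursion
    addr = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is invalid

    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # applied only if no mechanism matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = str(addr) in lookup(target, "A")
            elif name == "mx":
                matched = any(str(addr) in lookup(mx, "A") for mx in lookup(target, "MX"))
            else:
                result = check_host(ip, target, lookups)
                if result in ("none", "permerror"):
                    return "permerror"  # a broken included record breaks the whole check
                matched = result == "pass"  # include matches only on pass
        else:
            return "permerror"  # ip6/exists/ptr are out of scope for this example

        if matched:
            return QUALIFIERS[qualifier]

    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, lookups)
    return "neutral"  # nothing matched and no redirect


if __name__ == "__main__":
    for src, dom in [("59.126.118.194", "yushei.net"), ("198.51.100.7", "yushei.net"),
                     ("192.168.1.10", "yushei.net"), ("203.0.113.5", "gmail.com")]:
        print(f"{src} sending as {dom}: {check_host(src, dom)}")
```

Running it shows the two points the notes make: an unlisted address gets "softfail" from ~all rather than a hard rejection, and a 192.168.x.x source "passes" only because of the private-range term, which no internet-facing receiver will ever see as a source address. The gmail.com case resolves entirely through the redirect target.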