Can anybody help unconfuse me about SPF? Here are my basic problems:
I have a domain, so I want to have an SPF record (at least, if I want to be able to reach my classmates at hotmail, I do. Apparently.)
Main outgoing server:
I primarily send email from my hosting company. Since the same company has the SMTP outgoing server and hosts my account on a server, and I think they're the same server, I can just put an "a" there and that works, right? And adding an "mx" would be redundant?
However, because my hosting company might someday decide that the machine which hosts my domain might not handle its own outgoing SMTP, and set up some other machine with an identity of SomeSMTPHost.theirdomain.com or SomeSMTPHost.theirotherdomain.net, I should authorize theirdomain.com and theirotherdomain.net, too?
If so, I'm unclear how to do that, since all obvious answers seem obviously wrong: I don't want to use an "a" because I can't specify a host, since it's only hypothetical at this point, but an "mx" won't do the job unless these hypothetical servers are also set up with mx records (i.e. are also incoming, which doesn't seem like a reasonable assumption.) I can "include" them, but this page at openspf.org on common config errors says:
Let's say you want to include your web hosting company's outgoing mail servers in your SPF record. Let's also say Network Solutions hosts your web site and e-mail. You may be tempted to use something like include:networksolutions.com in your SPF record. [...] The other problem is more subtle: include:networksolutions.com would include mail servers authorized to send mail from the domain networksolutions.com. This may or may not be the same list of mail servers Network Solutions uses to send mail out using customer domains! Sometimes an ISP will create a special SPF record that customers can include with their record, such as _spf.example.com. If you want to use an ISP's mail server(s) you should ask them if they maintain an SPF record for their customers to include, or else you will need to change your record every time your ISP adds, removes, or changes a mail server's name and/or address.
GNNNNNN!!! OK, I can ask my hosting company what to use. And if they haven't set up a handy includable host record? I'm just screwed? There is no other way to authorize *.somedomain.com?
I also send mail as from my domain from, er, a wide variety of other locations on the net. For instance, I have an ISP, which we can call ISP.com, because that's its name. (As a side note, trying to google to see if ISP.com has published SPF compatibility/configuration information for its customers? Some large number of assholes have decided to use "ISP.com" as their "example.com" in their SPF documentation.)
The question I have boils down to, "How the hell should I know what ISP.com's outgoing customer email servers are? They have an SPF record, so I could include it, but see above. Furthermore, in using an include, I make my record vulnerable to their potential screwups. Isn't there some less stupid way to authorize their servers? And while we're at it, if I do that or if I include them, haven't I just granted every other customer at ISP.com permission to send SPF-approved spam as from my domain?"
Is it just me, or is this all incredibly stupid?
Then, what about my other de facto ISPs: my employer and my school. Oh, yeah, and my SO's ISP(s) and, if I can ever figure out how, my cell phone company. None of these, AFAIK, have SPF records, so I can't include them; is there any other way I can do that? Again, with the *.domain.tld rather than having to know what the mailservers are named this week.
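Added example, not part of the original post: a simplified offline sketch of the SPF check_host evaluation from RFC 7208, showing how the "a", "mx" and "include" mechanisms discussed above are evaluated against a connecting IP. All domain names, addresses and records are constructed; only all, ip4, a, mx and include are handled (no ip6, ptr, exists, redirect, macros or CIDR suffixes on a/mx).

```python
import ipaddress

# Constructed DNS data (reserved documentation names and addresses, not real records).
TXT = {
    "mydomain.example": "v=spf1 a mx include:_spf.hosting.example -all",
    "_spf.hosting.example": "v=spf1 ip4:192.0.2.0/28 -all",    # relay pool shared by customers
    "hosting.example": "v=spf1 ip4:198.51.100.7 -all",         # host's own corporate mail
    "wrong.example": "v=spf1 a include:hosting.example -all",  # the mistake in the quote
}
A = {"mydomain.example": ["203.0.113.10"], "mx.mydomain.example": ["203.0.113.20"],
     "wrong.example": ["203.0.113.11"]}
MX = {"mydomain.example": ["mx.mydomain.example"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def matches(mech, arg, ip, domain, depth):
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":  # "a" alone means the checked domain; "a:host" names another
        return str(ip) in A.get(arg or domain, [])
    if mech == "mx":
        return any(str(ip) in A.get(h, []) for h in MX.get(arg or domain, []))
    if mech == "include":
        # Matches only if the included domain's own record yields "pass".
        result = check_host(str(ip), arg, depth + 1)
        if result in ("none", "permerror"):
            raise ValueError("include target has no usable SPF record")
        return result == "pass"
    raise ValueError("unsupported mechanism: " + mech)


def check_host(ip, domain, depth=0):
    record = TXT.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:  # recursion guard; the real limit counts DNS lookups
        return "permerror"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        try:
            if matches(mech.lower(), arg, ip, domain, depth):
                return RESULTS[qualifier]
        except ValueError:
            return "permerror"
    return "neutral"
```

The evaluator sees only the connecting IP and the domain being checked, so a pass for an address in the included relay pool says nothing about which customer of that pool submitted the message.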