How to make SPF record strict. IT is neutral now

Virtualmin
1

I have the following settings in my default server template:

Add SPF DNS record?: Yes, with server’s IP address
Additional SPF IPs and hostnames: empty
Additional SPF included domains: empty
Does SPF record cover all senders?: No
Additional named.conf directives for new zones: None

And it adds Named directive like mydomain.tld. IN TXT “v=spf1 a mx a:mydomain.tld ip4:xxx.xxx.xxx.xxx ?all”.

However I often see my domain names are used for spamming. For example today morning I received bounced to me e-mail message:

Received: from 227.18.150.178.triolan.net (unknown [178.150.18.227])
by mx1.spamarrest.com (Postfix) with ESMTP id DE056E2CC20
for finan@spamarrest.com; Tue, 20 Dec 2011 13:43:59 -0600 (CST)
Received: from [104.166.129.111] ([162.185.133.128] helo=localhost.localdomain)
by web.ilnipi.net (envelope-from hwsw@mydomain.tld)
(ecelerity 3.0.22.424341 r(49957)) with ESMTP
id 42zx-93-69115; Tue, 20 Dec 2011 09:41:50 +0200
To: finan@spamarrest.com
Message-Id: 201112201944.I1634@kmbjgv.com
Date: Tue, 20 Dec 2011 09:38:13 +0200
Sender: hwsw@mydomain.tld
From: “Best-Penis” hwsw@mydomain.tld
Mime-Version: 1.0
Subject: Max-Gentleman Enlargement*Pills
Content-Type: text/plain;
charset=“us-ascii”
Content-Transfer-Encoding: quoted-printable
Received-SPF: neutral(mydomain.tld: 178.150.18.227 is neither permitted nor denied by domain of mydomain.tld)

I really need to stop this Penis Enlargment crap using my domain name, but not sure how exactly. Any ideas where and to what I need to change to make SPF stricter?

Additionally, I have a separate template for the virtual servers, which use Google Apps. For them per instructions on http://support.google.com/a/bin/answer.py?hl=en&answer=178723 I’d like to change SPF record to: “v=spf1 include:_spf.google.com ~all”. But where and how?

Thanks!

2

bump

3

Howdy,

You should be able to do that by going into System Settings -> Server Templates -> Default -> BIND DNS Domain, and set “Does SPF record cover all senders” to “Yes”.

-Eric

4

Hi Andreychek,

It was already been check from the very beginning. However spammers continue to use my domain. Digging in the net, I 've found that ‘~all’ directive is not as strict as ‘-all’. But virtualmin applies ‘?all’, which is completely out of standard. And I would like to be able to change the default SPF record. How can I do that?

If it is hardcoded into Virtualmin, I believe it should be open up for the users’ preferences as the standards might change and there lot’s of different instructions on how to compose these SPF records.

5

yngens

You need to set the “?all” to “-all”. There is a couple of ways to do this first go to Virtualmin >domain name>Server configuration>DNS options. You should now see a drop down box called “Action for other senders” set this to disallow.

Now if you check you spf record it should now be “-all”

Michael

6

Oh, and I spoke with Jamie on all this – he’s going to make it simpler in future version of Virtualmin in order to set SPF records to strict.

-Eric

7

Excellent, thank you Shirehosting and anreychek! I wonder is it possible to configure Virtualmin so that - was selected by default instead of ~?

8

Strange I answered this and my post dissappeared ??

Anyway, I said no not that I am aware of, but it would be a nice feature to have.

Michael