mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

Inconsistency in SPF Record Suggestions #46

Status: closed (closed by x8x 1 year ago)

x8x commented 1 year ago

Inconsistency in SPF Record Suggestions

Overview:

Upon executing the command:

mox quickstart postmaster@mail.domain.com

I was presented with two distinct SPF record suggestions:

1.

; For the machine, only needs to be created for the first domain added.
mail.domain.com.                    IN TXT "v=spf1 a -all"

2.

; Specify the MX host is allowed to send for our domain and for itself (for DSNs).
; ~all means softfail for anything else, which is done instead of -all to prevent older
; mail servers from rejecting the message because they never get to looking for a dkim/dmarc pass.
mail.domain.com.                    IN TXT "v=spf1 mx ~all"

Concern:

Adhering to the SPF specification, a domain should only have a single SPF record. Multiple SPF records can introduce unpredictable email behaviors.

Personal Resolution:

While I might be overlooking a nuance, it appeared to me that the second suggestion encapsulates all required permissions. To optimize for efficiency and reduce DNS queries for the receiving server, I opted for the ipv4 mechanism:

mail.domain.com.                    IN TXT "v=spf1 ip4:123.123.123.123 ~all"

Acknowledgment:

Thank you! I'm truly impressed by the exceptional quality of this project and the meticulous attention to detail!

mjl- commented 1 year ago

Hi @x8x, thanks for reporting. The duplicate SPF records indeed aren't a good thing to have for a domain.

With the quickstart, I expect users to call it with you@example.com, for a server on somehost.example.com. In that case, the first SPF record would be for somehost.example.com (the machine), and the second SPF record would be for example.com (the domain of the address passed to the quickstart). So I'm wondering if you intend to configure email addresses directly under example.com as well as under mail.example.com. If so, the second SPF record, but under example.com, would still be a good idea.

By the way, does your machine have an IPv6 address? If it does, mox can use it for outgoing email, and it should also be in the SPF record.

To prevent/help with this situation, I think the mox quickstart should at least check if the domain of the quickstart address is the same as the hostname of the machine. And if so, warn/ask if this is intended, and give different SPF records or ask the user to evaluate the records more closely.
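The two points raised in this thread, that a name must carry exactly one SPF record (RFC 7208 section 4.5 makes more than one a permerror, not a merge) and that the machine record is only needed when the hostname differs from the address domain, as an added Go example; this is not mox's own code, and MachineRecordNeeded is a hypothetical helper name:

```go
package main

import (
	"fmt"
	"strings"
)

// SPFRecords returns the TXT strings at a name that are SPF records: RFC 7208
// requires the version tag "v=spf1" followed by a space or the end of the string.
func SPFRecords(txts []string) []string {
	var out []string
	for _, t := range txts {
		l := strings.ToLower(t)
		if l == "v=spf1" || strings.HasPrefix(l, "v=spf1 ") {
			out = append(out, t)
		}
	}
	return out
}

// CheckSPF returns the single usable SPF record for a name, or the result a receiver
// reports (RFC 7208 section 4.5): no record is "none", more than one is a permerror.
func CheckSPF(txts []string) (string, error) {
	recs := SPFRecords(txts)
	switch len(recs) {
	case 0:
		return "", fmt.Errorf("none: no SPF record published")
	case 1:
		return recs[0], nil
	}
	return "", fmt.Errorf("permerror: %d SPF records published", len(recs))
}

// MachineRecordNeeded (hypothetical name) is the quickstart check proposed above: the
// separate machine record is only needed when hostname != domain of the address.
func MachineRecordNeeded(addr, hostname string) bool {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return false
	}
	domain := strings.TrimSuffix(strings.ToLower(addr[at+1:]), ".")
	host := strings.TrimSuffix(strings.ToLower(hostname), ".")
	return domain != host
}

func main() {
	_, err := CheckSPF([]string{"v=spf1 a -all", "v=spf1 mx ~all"}) // constructed sample
	fmt.Println(err)
}
```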

mjl- commented 1 year ago

With the previous commit, the SPF record for the machine is skipped if the hostname is the same as the domain name. So I think that will solve the problem for future users. Thanks again for the report!

x8x commented 1 year ago

I did want to configure emails under a subdomain only, like user@mail.example.com. Glad you added a solution for that specific case! The machine is IPv4 only.

Thank you!