
I have a mail server, let's say mail.example.com. The PTR records connect mail.example.com with my server's IPs (IPv4, IPv6). The HELO/EHLO response is mail.example.com.

Now I want to send letters like [email protected]. Let's say I set:

    MX   mail.example.com
    @    TXT v=spf1 mx ~all
    mail TXT v=spf1 a ~all

It's said I should have SPFs for subdomains to protect them from spoofing:

    www  TXT v=spf1 -all

Let's say I don't want letters like [email protected] to be sent. But I can't have a second record like:

    mail TXT v=spf1 -all

And it would prevent HELO/EHLO validation.

Also I have CNAMEs like autoconfig/autodiscover for mail. So they aren't protected either.

Is there a way to allow HELO/EHLO validation but disallow sending emails from those subdomains?

  • Why would you allow your mail server to send out emails from example.com, but not from mail.example.com as domain portion of the sender address (from an SPF perspective)? You can put in place other restrictions at the mail server to disallow mails from other domains.
    – Reinto
    Commented Jun 16, 2023 at 7:19
  • @Reinto I have put restrictions on other subdomains like spf v=spf1 -all (for *, www, ipv6, www6 etc.). But I can't do it for mail, autoconfig and autodiscover, because mail should validate HELO, and the others are CNAMEs for it.
    Commented Jun 16, 2023 at 11:22
  • I understand the reasoning for wildcard and subdomain restrictive SPF records, where you know the domain is not being used for email. However, I don't understand why you don't want something like v=spf1 a -all for your server hostname. This will allow only your mail server to be able to send on behalf of your subdomain. Even if it is not supposed to.
    – Reinto
    Commented Jun 16, 2023 at 15:25
  • In regards to the CNAME records: If you control the target domain for the CNAME, you can host a TXT record there for SPF purposes.
    – Reinto
    Commented Jun 16, 2023 at 15:29
  • @Reinto I use a mailcow installation. In the default installation it's supposed that mails come from example.com as I described. They need spf mx or ip4/ip6 for example for From record validation. The mail server with web UI is simply on the mail subdomain (I don't use imap, smtp etc. subdomains for simplicity). So mail.example.com needs spf a or ip4/ip6 or something for HELO validation. Yes, I control all the domains. It requires autoconfig/autodiscover to be CNAMEs for mail.example.com. And it obviously has spf a ~all for it.
    Commented Jun 16, 2023 at 23:42

1 Answer


If we understand you correctly, this will help you: Set the SPF record for your main domain:

mail.example.com TXT "v=spf1 mx -all"

And create one more SPF record for subdomain:

www.example.com TXT "v=spf1 redirect=mail.example.com"

For any CNAMEs, create SPF records that also redirect to the main domain's SPF record:

autoconfig.example.com TXT "v=spf1 redirect=mail.example.com"
autodiscover.example.com TXT "v=spf1 redirect=mail.example.com"
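
As an added example (not code from the question, the answer, or mailcow), here is a minimal SPF evaluator in Python over a constructed in-memory zone holding the records described in the question. It shows that a receiving MTA runs the HELO identity and the MAIL FROM identity through the same check_host() procedure against the same TXT record, which is why the mail host cannot publish a strict record for one identity without affecting the other, and that an alias (CNAME) has no TXT of its own and inherits whatever its target publishes. The hostnames, IPs and zone contents are constructed; only the a, mx and all mechanisms and the redirect= modifier are implemented.

```python
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

ZONE = {  # constructed zone mirroring the records described in the question
    "example.com":            {"MX": ["mail.example.com"], "TXT": ["v=spf1 mx ~all"]},
    "mail.example.com":       {"A": ["192.0.2.10"], "TXT": ["v=spf1 a ~all"]},
    "www.example.com":        {"A": ["192.0.2.20"], "TXT": ["v=spf1 -all"]},
    "autoconfig.example.com": {"CNAME": "mail.example.com"},  # alias, no TXT of its own
}

def lookup(zone, name, rtype):
    """Resolve a record, following a CNAME the way a DNS resolver would."""
    rr = zone.get(name, {})
    if "CNAME" in rr:
        return lookup(zone, rr["CNAME"], rtype)
    return rr.get(rtype, [])

def spf_record(zone, domain):
    """The single v=spf1 TXT record, or None (no record; duplicates also treated as none here)."""
    recs = [t for t in lookup(zone, domain, "TXT") if t.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def check_host(zone, ip, domain, depth=0):
    """RFC 7208 check_host(), limited to the a, mx and all mechanisms plus redirect=."""
    if depth > 10:
        return "permerror"
    rec = spf_record(zone, domain)
    if rec is None:
        return "none"
    redirect = None
    for term in rec.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mech == "all":
            return RESULT[qual]
        if mech == "a" and ip in lookup(zone, domain, "A"):
            return RESULT[qual]
        if mech == "mx" and any(ip in lookup(zone, mx, "A") for mx in lookup(zone, domain, "MX")):
            return RESULT[qual]
    # no mechanism matched: follow redirect= if present, otherwise the default is neutral
    return check_host(zone, ip, redirect, depth + 1) if redirect else "neutral"

def evaluate_session(zone, ip, helo, mail_from):
    """(HELO result, MAIL FROM result): both identities go through the same check_host()."""
    return check_host(zone, ip, helo), check_host(zone, ip, mail_from.rsplit("@", 1)[1])
```

Running check_host() for the same sender IP against mail.example.com, example.com and autoconfig.example.com returns pass for all three, while www.example.com returns fail; that is the asymmetry the question describes.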
