Sender Policy Framework

Postmortem of a first-time visitor

Newbie Website WorkFlow (Where I went, what I hit and why)

I thought that I'd try to contribute to the SPF project by writing about my first-time experiences *trying* to publish a valid SPF record. I found the process very frustrating. Some site reorganization would help.

The relevant help thread can be found here.

I first hit the openSPF site after reading a FAQ at my hosting provider (SPF as a solution to keep spammers from hijacking your domain name). I found Introduction quickly and confirmed that an SPF record was what I needed.

Because I have a hosted domain, I do not currently control the DNS and my HOST created the SPF record and published it.

I next hit Tools (DNSreport link) to verify that the SPF record had been published. For some reason (perhaps to test out all the tools), I ran some of Scott K's tests against my host-provided SPF record and saw *what looked like* errors.

I then went to the "Deploy" section, in an effort to see if another SPF record was needed. I tried using the wizard but it seemed to conflict with my published (host-provided/erroneous) SPF record. I also headed straight to SPF Record Syntax, to see if I could figure out what was wrong about the host-provided SPF record.

Realizing that SOMETHING was wrong, but after looking at SPF Record Syntax I was already lost in the details ... I signed up for the SPF-Help mailing list and posted there.

I now have a valid SPF record and even learned some stuff. :D Thanks.

Recommendations

For a first-timer, I think that reorganization of the website area "Deploying SPF" would help a LOT.

(1) At some point well into the help-discussion, someone provided me with a link to the FAQ pages (specifically, Common mistakes). I found that document VERY helpful. I'd recommend splitting that document into two. "FAQ - Common Mistakes" and "Creating an SPF Record". Keep the former as an ongoing list of actual mistakes, examples and corrected versions (case histories). Make the latter a step-by-step tutorial, and put it on the Home Page, under "Deploying SPF" and BEFORE the Wizard.

(2) I question the usefulness of the wizard. (a) I couldn't find a way to divorce it from the (incorrectly deployed, host-provided) SPF record; (b) I didn't understand why it wanted to put (tilde)all rather than (dash)all (isn't even an option?); (c) IF you put IP Addresses into it, it doesn't automatically put them FIRST in the SPF record. Ultimately, I found it confusing and had I relied on it, would not have generated the best SPF record for my situation.

(3) Scott K's excellent tools should be moved under the "Checking SPF" section, replacing "Implementations" (which is currently repeated in the section below, anyway). In fact, maybe ALL the tools should be moved there?

(4) I'd recommend reorganizing and expanding FAQS "The Basics" section. Something along the lines:

"What is SPF"

"What does it do?"

"How does it work?" (Step-by-step description of hand-shaking, DNS look-ups, etc. "Day in the life of an email, kind of thing")

"How do I publish an SPF record" (distinction between controlling DNS or hosted, recommending separate DNS providers, need to turn ON checking, or maybe can't, if you're on a hosted site or using an ISP). Maybe even a couple of pre-written emails that people could send to their ISP or Host Provider - "I found out about SPF - basic intro + links - and would like to verify that SPF checking is enabled. If it's not, can you please join the increasing number of hosts, programs, etc. that are supporting this technology?"

"Making your first SPF record" (same link as on first page)

"Common Mistakes" (moved up)

"Testing, checking and verifying"

In any case, this is all off-the-cuff, but thought I'd try to contribute in some meaningful way.

Hope it helps.

-stk

EDIT:

In the Introduction, under "An Example Policy", it says not to use the example as a guideline, but use SPF Record Syntax or Specifications instead.

Suggestion (5): Rather than point newbies into the cross-eyed, nitty-gritty world of specifications and syntax, point them instead to a step-by-step tutorial: "Creating your SPF record" (see suggestion #1, above).

(6) Someone suggested the Mice & Men DIG tool, which I found very informative (b/c I don't think I'd seen my DNS records before). Add a link to it in the "Tools" section.