SPF interoperability question

  • Peter Rabbitson
    Message 1 of 27 , Jul 31, 2007
      Hello,

      I am trying to figure out what should I do with SPF domain records given
      the current state of affairs with SPF/SenderID. I am not interested in
      filtering incoming mail based on SPF, I just want to adjust my DNS
      records to be as compatible with the rest of the world as possible.

      Most of my mail originates in-house, with a handful of users sending
      mail through a static number of ISP servers. Roaming users have access
      to a VPN, so they qualify as in-house as well.

      Googling confused me even more hence this question to the list:

      What should a domain admin do to achieve maximum interoperability while
      sending _outgoing_ mails?

      A) Not publish any records at all
      B) Publish an explicit record
      C) Publish a relaxed record (should it end with ~all or ?all ?)
    • mouss
      Message 2 of 27 , Jul 31, 2007
        Peter Rabbitson wrote:
        > Hello,
        >
        > I am trying to figure out what should I do with SPF domain records
        > given the current state of affairs with SPF/SenderID. I am not
        > interested in filtering incoming mail based on SPF, I just want to
        > adjust my DNS records to be as compatible with the rest of the world
        > as possible.
        >
        > Most of my mail originates in-house, with a handful of users sending
        > mail through a static number of ISP servers. Roaming users have access
        > to a VPN, so they qualify as in-house as well.
        >
        > Googling confused me even more hence this question to the list:
        >
        > What should a domain admin do to achieve maximum interoperability
        > while sending _outgoing_ mails?
        >
        > A) Not publish any records at all
        > B) Publish an explicit record
        > C) Publish a relaxed record (should it end with ~all or ?all ?)
        >
        >

        If you publish SPF records, avoid publishing "loose" ones. There is no
        point saying that users can send from anywhere: This is what lack of SPF
        records means!

        If you have no problem getting your email delivered, then there is no
        reason to add SPF records.

        here is an interesting article:
        http://www.circleid.com/posts/spf_loses_mindshare/
      • Jorey Bump
        Message 3 of 27 , Jul 31, 2007
          Peter Rabbitson wrote:

          > I am trying to figure out what should I do with SPF domain records given
          > the current state of affairs with SPF/SenderID. I am not interested in
          > filtering incoming mail based on SPF, I just want to adjust my DNS
          > records to be as compatible with the rest of the world as possible.
          >
          > Most of my mail originates in-house, with a handful of users sending
          > mail through a static number of ISP servers. Roaming users have access
          > to a VPN, so they qualify as in-house as well.
          >
          > Googling confused me even more hence this question to the list:
          >
          > What should a domain admin do to achieve maximum interoperability while
          > sending _outgoing_ mails?
          >
          > A) Not publish any records at all
          > B) Publish an explicit record
          > C) Publish a relaxed record (should it end with ~all or ?all ?)

          I choose A. I have never published an SPF record, and it has not
          impaired my mail servers, destination domains, or users in any way. The
          absence of an SPF record is unlikely to carry any penalty.
        • Udo Rader
          Message 4 of 27 , Jul 31, 2007
            On Tue, 2007-07-31 at 10:16 -0400, Jorey Bump wrote:
            > Peter Rabbitson wrote:
            >
            > > I am trying to figure out what should I do with SPF domain records given
            > > the current state of affairs with SPF/SenderID. I am not interested in
            > > filtering incoming mail based on SPF, I just want to adjust my DNS
            > > records to be as compatible with the rest of the world as possible.
            > >
            > > Most of my mail originates in-house, with a handful of users sending
            > > mail through a static number of ISP servers. Roaming users have access
            > > to a VPN, so they qualify as in-house as well.
            > >
            > > Googling confused me even more hence this question to the list:
            > >
            > > What should a domain admin do to achieve maximum interoperability while
            > > sending _outgoing_ mails?
            > >
            > > A) Not publish any records at all
            > > B) Publish an explicit record
            > > C) Publish a relaxed record (should it end with ~all or ?all ?)
            >
            > I choose A. I have never published an SPF record, and it has not
            > impaired my mail servers, destination domains, or users in any way. The
            > absence of an SPF record is unlikely to carry any penalty.

            Hmm, I don't agree. These days SPF is mostly used in policy servers and
            mail not originating from the specified hosts will get a higher spam score.

            So having SPF records won't benefit _you_ much but will 'help' other
            sites detecting if mails allegedly originating from your domain are sent
            out via the "correct" servers. It will 'help', but certainly must not be
            the only criteria.

            We have B) in place and it did not hurt us or any of our customers
            either so far :-)

            --
            Udo Rader

            bestsolution.at EDV Systemhaus GmbH
            http://www.bestsolution.at
          • mouss
            Message 5 of 27 , Jul 31, 2007
              Udo Rader wrote:
              > Hmm, I don't agree. These days SPF is mostly used in policy servers and
              > mail not originating from the specified hosts will get a higher spam score.
              >

              I didn't see this. People blocking because of lack of SPF are
              responsible for misclassification of mail to their users. As a sender, I
              don't care.
              After all, some people use very aggressive DNSBLs....


              Few tests involving gmail, yahoo and hotmail didn't show noticeable
              benefits from SPF records.



              > So having SPF records won't benefit _you_ much but will 'help' other
              > sites detecting if mails allegedly originating from your domain are sent
              > out via the "correct" servers. It will 'help', but certainly must not be
              > the only criteria.
              >

              That doesn't help much as long as there are zillions of domains without
              SPF records and zombie clients to post from.

              Anyway, if you reread the OP post, you'll see that he allows sending
              from multiple IPs. If the number of these IPs is manageable, then he can
              add an SPF record. IF the number is too large or if it changes too
              often, then he'd better not add one.

              > We have B) in place and it did not hurt us or any of our customers
              > either so far :-)
              >

              yes, if you add records, then go for B.
            • Udo Rader
              Message 6 of 27 , Jul 31, 2007
                On Tue, 2007-07-31 at 17:25 +0200, mouss wrote:
                > Udo Rader wrote:
                > > Hmm, I don't agree. These days SPF is mostly used in policy servers and
                > > mail not originating from the specified hosts will get a higher spam score.
                > >
                >
                > I didn't see this. People blocking because of lack of SPF are
                > responsible for misclassification of mail to their users. As a sender, I

                Yes, blocking based on the lack of SPF is undoubtedly a bad idea.

                > don't care.
                > After all, some people use very aggressive DNSBLs....
                >
                >
                > Few tests involving gmail, yahoo and hotmail didn't show noticeable
                > benefits from SPF records.
                >
                >
                >
                > > So having SPF records won't benefit _you_ much but will 'help' other
                > > sites detecting if mails allegedly originating from your domain are sent
                > > out via the "correct" servers. It will 'help', but certainly must not be
                > > the only criteria.
                > >
                >
                > That doesn't help much as long as there are zillions of domains without
                > SPF records and zombie clients to post from.

                Again, you are right for those zillions. But if you have good
                information even for only a few won't hurt either. I see SPF as a small
                piece of the entire anti spam puzzle (and that's why it should only be
                used in a scoring policy service).

                > Anyway, if you reread the OP post, you'll see that he allows sending
                > from multiple IPs. If the number of these IPs is manageable, then he can
                > add an SPF record. IF the number is too large or if it changes too
                > often, then he'd better not add one.

                I agree.

                --
                Udo Rader

                bestsolution.at EDV Systemhaus GmbH
                http://www.bestsolution.at
              • Jorey Bump
                Message 7 of 27 , Jul 31, 2007
                  Udo Rader wrote:
                  > On Tue, 2007-07-31 at 10:16 -0400, Jorey Bump wrote:
                  >> I choose A. I have never published an SPF record, and it has not
                  >> impaired my mail servers, destination domains, or users in any way. The
                  >> absence of an SPF record is unlikely to carry any penalty.
                  >
                  > Hmm, I don't agree. These days SPF is mostly used in policy servers and
                  > mail not originating from the specified hosts will get a higher spam score.

                  In the absence of an SPF record, no hosts are specified, so how can a
                  higher spam score be assigned? The only possibility is to assign weight
                  when no SPF record exists, and I don't see how that can be viable (such
                  a score would certainly need to be insignificant). Hence, the absence of
                  an SPF record is unlikely to carry any penalty.

                  > So having SPF records won't benefit _you_ much but will 'help' other
                  > sites detecting if mails allegedly originating from your domain are sent
                  > out via the "correct" servers. It will 'help', but certainly must not be
                  > the only criteria.

                  The OP has not stated any desire to limit the sending of his domain's
                  mail through specified relays. Without this need, it's best not to
                  configure SPF, since he's looking for "maximum interoperability", not a
                  way to restrict his users.
                • Gene Rackow
                  Message 8 of 27 , Jul 31, 2007
                    Udo Rader made the following keystrokes:
                    >On Tue, 2007-07-31 at 10:16 -0400, Jorey Bump wrote:
                    >> Peter Rabbitson wrote:
                    >>
                    >> > I am trying to figure out what should I do with SPF domain records given
                    >> > the current state of affairs with SPF/SenderID. I am not interested in
                    >> > filtering incoming mail based on SPF, I just want to adjust my DNS
                    >> > records to be as compatible with the rest of the world as possible.
                    >> >
                    >> > Most of my mail originates in-house, with a handful of users sending
                    >> > mail through a static number of ISP servers. Roaming users have access
                    >> > to a VPN, so they qualify as in-house as well.
                    >> >
                    >> > Googling confused me even more hence this question to the list:
                    >> >
                    >> > What should a domain admin do to achieve maximum interoperability while
                    >> > sending _outgoing_ mails?
                    >> >
                    >> > A) Not publish any records at all
                    >> > B) Publish an explicit record
                    >> > C) Publish a relaxed record (should it end with ~all or ?all ?)
                    >>
                    >> I choose A. I have never published an SPF record, and it has not
                    >> impaired my mail servers, destination domains, or users in any way. The
                    >> absence of an SPF record is unlikely to carry any penalty.
                    >
                    >Hmm, I don't agree. These days SPF is mostly used in policy servers and
                    >mail not originating from the specified hosts will get a higher spam score.
                    >
                    >So having SPF records won't benefit _you_ much but will 'help' other
                    >sites detecting if mails allegedly originating from your domain are sent
                    >out via the "correct" servers. It will 'help', but certainly must not be
                    >the only criteria.
                    >
                    >We have B) in place and it did not hurt us or any of our customers
                    >either so far :-)
                    >
                    >--
                    >Udo Rader

                    I find that SPF records are a bit of a joke. So far they have caused
                    me more pain than usability. It could be great if your email is
                    point-to-point. It tends to break when people use .forward files
                    or aliases to redirect their mail from one site to another.

                    Problems I've run into are:
                    A user at a site-A using option B sends mail to user@site-B.
                    At site-B user has an alias or .forward that sends redirects
                    that incoming mail to user@site-C. site-C checks the SPF
                    record and finds that the mail is NOT coming from site-A, so
                    dumps the message. Granted, the original user should be
                    sending the message direct to site-C, but that isn't always
                    practical. Site-B should add a Resent-Sender header, but in
                    most cases I have seen, they do not do this. How does Site-B
                    put its SPF findings into the headers to say it got there clean
                    before it forwarded it on? Should it? Can those be easily forged?

                    Simple case-2. Phishers are forging mail claiming to be from
                    customer-support@Bank.A. Bank.A has SPF records to a specific
                    set of IP addresses. The phishers have forged a couple lines
                    in the header to include those addresses. They also put a
                    Sender: or Resent-Sender: line into the headers for the hacked
                    site they are using. SPF checks the header lines, not Bank.A's
                    records. SPF records check out. The message is not considered
                    the malware it's supposed to be.

                    --Gene
                  • Udo Rader
                    Message 9 of 27 , Jul 31, 2007
                      On Tue, 2007-07-31 at 11:09 -0500, Gene Rackow wrote:
                      > I find that SPF records are a bit of a joke. So far they have caused
                      > me more pain than usability. It could be great if your email is
                      > point-to-point. It tends to break when people use .forward files
                      > or aliases to redirect their mail from one site to another.
                      >
                      > Problems I've run into are:
                      > A user at a site-A using option B sends mail to user@site-B.
                      > At site-B user has an alias or .forward that sends redirects
                      > that incoming mail to user@site-C. site-C checks the SPF
                      > record and finds that the mail is NOT coming from site-A, so
                      > dumps the message. Granted, the original user should be
                      > sending the message direct to site-C, but that isn't always
                      > practical. Site-B should add a Resent-Sender header, but in
                      > most cases I have seen, they do not do this. How does Site-B
                      > put its SPF findings into the headers to say it got there clean
                      > before it forwarded it on? Should it? Can those be easily forged?

                      it's all about scoring and not about blocking or dumping.

                      > Simple case-2. Phishers are forging mail claiming to be from
                      > customer-support@Bank.A. Bank.A has SPF records to a specific
                      > set of IP addresses. The phishers have forged a couple lines
                      > in the header to include those addresses. They also put a
                      > Sender: or Resent-Sender: line into the headers for the hacked
                      > site they are using. SPF checks the header lines, not Bank.A's
                      > records. SPF records check out. The message is not considered
                      > the malware it's supposed to be.

                      Well, forging headers is easy. But forging the IP of the host that the
                      receiving MTA was talking to is not so easy (if not almost impossible).

                      But yes, again, SPF is only a _small_ piece of the greater anti spam
                      thing and if you use it as "the only" criteria it certainly is nothing
                      more than a joke.

                      --
                      Udo Rader

                      bestsolution.at EDV Systemhaus GmbH
                      http://www.bestsolution.at
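
Added example, not part of any post in this thread: a simplified SPF evaluation of the forwarding case from message 8 and of options A, B and C from the original question. The domains, addresses and records are constructed, and only `ip4`/`ip6` and `all` are handled (real evaluation per RFC 7208 also resolves `a`, `mx`, `include` and others through DNS).

```python
"""Simplified SPF evaluation for the thread's scenarios (added example).

All domains, IP addresses and records here are constructed for illustration.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed data standing in for DNS TXT lookups.
SITE_A_HOSTS = "ip4:192.0.2.0/28 ip4:198.51.100.25"
RECORDS = {
    "explicit.example": f"v=spf1 {SITE_A_HOSTS} -all",  # option B
    "softfail.example": f"v=spf1 {SITE_A_HOSTS} ~all",  # option C with ~all
    "neutral.example": f"v=spf1 {SITE_A_HOSTS} ?all",   # option C with ?all
    # "norecord.example" publishes nothing              # option A
}


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(client_ip, mail_from_domain, records=RECORDS):
    """Return the SPF result for an SMTP client IP and envelope sender domain.

    The only inputs are the connecting IP and the MAIL FROM domain.
    Message headers are never consulted.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"
    try:
        terms = parse_record(record)
    except ValueError:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in terms:  # first matching term decides
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            # Simplification: mechanisms that need DNS are not implemented.
            return "permerror"
    return "neutral"  # nothing matched and the record has no "all" term


def forwarding_scenario():
    """Message 8's case: site-A sends to site-B, whose .forward relays to site-C.

    Returns {domain: (result for direct delivery, result as seen by site-C)}.
    """
    direct_ip = "192.0.2.5"       # site-A outbound host, listed in the record
    forwarder_ip = "203.0.113.9"  # site-B relay, not listed; MAIL FROM unchanged
    results = {}
    for domain in ("explicit.example", "softfail.example",
                   "neutral.example", "norecord.example"):
        results[domain] = (check_host(direct_ip, domain),
                           check_host(forwarder_ip, domain))
    return results


if __name__ == "__main__":
    for domain, (direct, forwarded) in forwarding_scenario().items():
        print(f"{domain:18} direct={direct:8} forwarded={forwarded}")
```

The forwarded column is what a scoring policy at site-C would be weighing: `fail` only for the explicit `-all` record, and `none` when no record is published.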
                    • Jorey Bump
                      Message 10 of 27 , Jul 31, 2007
                        Gene Rackow wrote:

                        > I find that SPF records are a bit of a joke.

                        There is a longstanding taboo against discussing the merits of SPF on
                        this list, so let's not pursue this tangent. While the OP does not
                        discuss any issues specific to Postfix, it's not unusual to see
                        questions about interoperability and best practices here, since many
                        experienced MTA administrators read this list. Since this was a
                        system health question, it seemed appropriate to answer on those points
                        (but I'm not the list maintainer, so I could be wrong). Otherwise, it's
                        best not to mention SPF here, as it tends to result in endless threads
                        and flamewars.
                      • Wietse Venema
                        Message 11 of 27 , Jul 31, 2007
                          Jorey Bump:
                          > Gene Rackow wrote:
                          >
                          > > I find that SPF records are a bit of a joke.
                          >
                          > There is a longstanding taboo against discussing the merits of SPF on
                          > this list, so let's not pursue this tangent. While the OP does not
                          > discuss any issues specific to Postfix, it's not unusual to see
                          > questions about interoperability and best practices here, since many
                          > experienced MTA administrators read this list. Since this was a
                          > system health question, it seemed appropriate to answer on those points
                          > (but I'm not the list maintainer, so I could be wrong). Otherwise, it's
                          > best not to mention SPF here, as it tends to result in endless threads
                          > and flamewars.

                          I concur. Let's stay away from the merits of SPF. The original
                          question was how in practice should an MTA operator deal with it.

                          Wietse
                        • Peter Rabbitson
                          Message 12 of 27 , Jul 31, 2007
                            Jorey Bump wrote:
                            > Gene Rackow wrote:
                            >
                            >> I find that SPF records are a bit of a joke.
                            >
                            > There is a longstanding taboo against discussing the merits of SPF on
                            > this list, so let's not pursue this tangent. While the OP does not
                            > discuss any issues specific to Postfix, it's not unusual to see
                            > questions about interoperability and best practices here, since many
                            > experienced MTA administrators read this list. Since this was a
                            > system health question, it seemed appropriate to answer on those points
                            > (but I'm not the list maintainer, so I could be wrong). Otherwise, it's
                            > best not to mention SPF here, as it tends to result in endless threads
                            > and flamewars.

                            I second that. I did not mean to start a flamewar, I was asking for
                            practical advice on a very controversial issue. I pretty much got the
                            response I was expecting - do not publish any records at all until times
                            change.
                          • Gene Rackow
                            Message 13 of 27 , Jul 31, 2007
                              Wietse Venema made the following keystrokes:
                              >I concur. Let's stay away from the merits of SPF. The original
                              >question was how in practice should an MTA operator deal with it.
                              >
                              > Wietse
                              You are right. My bad. The reason I posted what I did was
                              to give a couple of examples on what can happen when you
                              use various configurations.
                            • M. Fioretti
                              Message 14 of 27 , Jul 31, 2007
                                On Tue, Jul 31, 2007 15:04:24 PM +0200, Peter Rabbitson
                                (rabbit@...) wrote:

                                > I am trying to figure out what should I do with SPF domain records

                                me too...

                                > Googling confused me even more hence this question to the list:

                                same here. However, even if another message of this thread said:

                                > Few tests involving gmail, yahoo and hotmail didn't show noticeable
                                > benefits from SPF records.

                                There is the fact that publishing SPF records is requirement #4
                                of http://postmaster.msn.com/Guidelines.aspx

                                In other words, without going at all (please, please!!!!) into any
                                variant of "MS s%&$cks!" it does _look_ that, on a strictly practical,
                                day-to-day survival level, publishing an SPF record _is_ a thing to
                                do.

                                Unless, of course, one can really afford to say "probably we'll never
                                be able to send email to any Hotmail user, hey who cares!" to himself
                                and ALL the users of his email server. Is this correct?

                                If yes, the most practical, yet tolerant solution is B), right?

                                > B) Publish an explicit record

                                Thanks,
                                Marco

                                --
                                The one book on software and digital technologies that no
                                parent can ignore: http://digifreedom.net
                              • Jorey Bump
                                Message 15 of 27 , Jul 31, 2007
                                  M. Fioretti wrote:

                                  > There is the fact that publishing SPF records is requirement #4
                                  > of http://postmaster.msn.com/Guidelines.aspx

                                  It is not listed as a requirement on that page, but "highly recommended".

                                  > In other words, without going at all (please, please!!!!) into any
                                  > variant of "MS s%&$cks!" it does _look_ that, on a strictly practical,
                                  > day-to-day survival level, publishing an SPF record _is_ a thing to
                                  > do.
                                  >
                                  > Unless, of course, one can really afford to say "probably we'll never
                                  > be able to send email to any Hotmail user, hey who cares!" to himself
                                  > and ALL the users of his email server. Is this correct?
                                  >
                                  > If yes, the most practical, yet tolerant solution is B), right?
                                  >
                                  >> B) Publish an explicit record

                                  AFAIK, SPF was never intended to punish sites that choose not to publish
                                  an SPF record. If an SPF record exists, a site is free to determine
                                  local policy for handling mail from that domain (such as reducing the
                                  spam score if it originates from an authorized server, and increasing
                                  the spam score if it does not). Tolerance demands that an absent SPF
                                  record is not weighted, since there is no industry or standards body
                                  requirement that it exists. The same could be said about MX records.

                                  Anyone suggesting that the absence of an SPF record will contribute to
                                  or result in rejected mail must provide evidence. I think most would
                                  agree that this would be an inappropriate use of SPF, regardless of
                                  their opinion of its merits.
                                • Chris Horry
                                  Message 16 of 27 , Jul 31, 2007
                                    -----BEGIN PGP SIGNED MESSAGE-----
                                    Hash: SHA1

                                    Peter Rabbitson wrote:
                                    > Hello,
                                    >
                                    > I am trying to figure out what should I do with SPF domain records given
                                    > the current state of affairs with SPF/SenderID. I am not interested in
                                    > filtering incoming mail based on SPF, I just want to adjust my DNS
                                    > records to be as compatible with the rest of the world as possible.
                                    >
                                    > Most of my mail originates in-house, with a handful of users sending
                                    > mail through a static number of ISP servers. Roaming users have access
                                    > to a VPN, so they qualify as in-house as well.
                                    >
                                    > Googling confused me even more hence this question to the list:
                                    >
                                    > What should a domain admin do to achieve maximum interoperability while
                                    > sending _outgoing_ mails?
                                    >
                                    > A) Not publish any records at all
                                    > B) Publish an explicit record
                                    > C) Publish a relaxed record (should it end with ~all or ?all ?)

                                    Go with B). As others have said, the benefits outweigh the risks. Some
                                    idiot mail admins will block based on SPF information which is the
                                    biggest risk.

                                    My recommendation for SPF filters is to use it with a score based
                                    system, otherwise you WILL have collateral damage. SpamAssassin works well.

                                    Chris

                                    --
                                    Chris Horry KG4TSM
                                    zerbey@...
                                    http://www.wibble.co.uk
                                    "A conservative is a man with two perfectly good legs who, however,
                                    has never learned how to walk forward". -- Franklin D. Roosevelt

                                  • mouss
                                    Message 17 of 27 , Jul 31, 2007
                                      M. Fioretti wrote:
                                      > On Tue, Jul 31, 2007 15:04:24 PM +0200, Peter Rabbitson
                                      > (rabbit@...) wrote:
                                      >
                                      >
                                      >> I am trying to figure out what should I do with SPF domain records
                                      >>
                                      >
                                      > me too...
                                      >
                                      >
                                      >> Googling confused me even more hence this question to the list:
                                      >>
                                      >
                                      > same here. However, even if another message of this thread said:
                                      >
                                      >
                                      >> Few tests involving gmail, yahoo and hotmail didn't show noticeable
                                      >> benefits from SPF records.
                                      >>
                                      >
                                      > There is the fact that publishing SPF records is requirement #4
                                      > of http://postmaster.msn.com/Guidelines.aspx
                                      >
                                      > In other words, without going at all (please, please!!!!) into any
                                      > variant of "MS s%&$cks!" it does _look_ that, on a strictly practical,
                                      > day-to-day survival level, publishing an SPF record _is_ a thing to
                                      > do.
                                      >

                                      What I said is based on very few tests and personal judgement. I can't
                                      do real tests for obvious reasons (that would be abuse).

                                      If your mail is tagged as spam by hotmail or yahoo, start by filling in
                                      their forms. Their "questions" are helpful anyway.

                                      > Unless, of course, one can really afford to say "probably we'll never
                                      > be able to send email to any Hotmail user, hey who cares!" to himself
                                      > and ALL the users of his email server. Is this correct?
                                      >
                                      > If yes, the most practical, yet tolerant solution is B), right?
                                      >

                                      yes. and you would also need to implement DKIM to please yahoo.
                                      >
                                      >> B) Publish an explicit record
                                      >>
                                      >
                                      > Thanks,
                                      > Marco
                                      >
                                      >
                                    • Erwan David
                                      Message 18 of 27 , Jul 31, 2007
                                        On Tue 31/07/2007, M. Fioretti said
                                        >
                                        > If yes, the most practical, yet tolerant solution is B), right?
                                        >
                                        > > B) Publish an explicit record

                                        This choice forbids your users to use the mail in a way they were allowed to
                                        before. You restrict their service. Now it's up to whoever decides the policy to take the decision. Which is not neutral.

                                        --
                                        Erwan
                                      • Scott Kitterman
                                        Message 19 of 27 , Jul 31, 2007
                                          On Tuesday 31 July 2007 16:41, mouss wrote:

                                          > yes. and you would also need to implement DKIM to please yahoo.
                                          >
                                          Actually it's still DK at Yahoo.

                                          Scott K
                                        • Victor Duchovni
                                          Message 20 of 27 , Jul 31, 2007
                                            On Tue, Jul 31, 2007 at 10:46:08PM +0200, Erwan David wrote:

                                            > This choice forbids your users to use the mail in a way they were allowed to
                                            > before. You restrict their service. Now it's up to whoever decides the policy to take the decision. Which is not neutral.

                                            We have drifted away from implementation/interop issues... Let's close
                                            this thread. Thanks.

                                            --
                                            Viktor.

                                            Disclaimer: off-list followups get on-list replies or get ignored.
                                            Please do not ignore the "Reply-To" header.

                                            To unsubscribe from the postfix-users list, visit
                                            http://www.postfix.org/lists.html or click the link below:
                                            <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                                            If my response solves your problem, the best way to thank me is to not
                                            send an "it worked, thanks" follow-up. If you must respond, please put
                                            "It worked, thanks" in the "Subject" so I can delete these quickly.
                                          • mouss
                                            Message 21 of 27 , Jul 31, 2007
                                              Scott Kitterman wrote:
                                              > On Tuesday 31 July 2007 16:41, mouss wrote:
                                              >
                                              >
                                              >> yes. and you would also need to implement DKIM to please yahoo.
                                              >>
                                              >>
                                              > Actually it's still DK at Yahoo.
                                              >

                                              I know, but DKIM should get them happy, in theory at least. now, let me
                                              stop speculating...
                                            • Victor Duchovni
                                              Message 22 of 27 , Jul 31, 2007
                                                On Tue, Jul 31, 2007 at 11:07:11PM +0200, mouss wrote:

                                                > I know, but DKIM should get them happy, in theory at least. now, let me
                                                > stop speculating...

                                                Rumour has it that Yahoo will be converting to DKIM in the not too
                                                distant future.

                                                --
                                                Viktor.

                                              • RW
                                                Message 23 of 27 , Jul 31, 2007
                                                  On Tue, 31 Jul 2007 16:10:13 +0200, mouss wrote:

                                                  >Peter Rabbitson wrote:
                                                  >> Hello,
                                                  >>
                                                  >> I am trying to figure out what should I do with SPF domain records
                                                  >> given the current state of affairs with SPF/SenderID. I am not
                                                  >> interested in filtering incoming mail based on SPF, I just want to
                                                  >> adjust my DNS records to be as compatible with the rest of the world
                                                  >> as possible.
                                                  >>
                                                  >> Most of my mail originates in-house, with a handful of users sending
                                                  >> mail through a static number of ISP servers. Roaming users have access
                                                  >> to a VPN, so they qualify as in-house as well.
                                                  >>
                                                  >> Googling confused me even more hence this question to the list:
                                                  >>
                                                  >> What should a domain admin do to achieve maximum interoperability
                                                  >> while sending _outgoing_ mails?
                                                  >>
                                                  >> A) Not publish any records at all
                                                  >> B) Publish an explicit record
                                                  >> C) Publish a relaxed record (should it end with ~all or ?all ?)
                                                  >>
                                                  >>
                                                  >
                                                  >If you publish SPF records, avoid publishing "loose" ones. There is no
                                                  >point saying that users can send from anywhere: This is what lack of SPF
                                                  >records means!
                                                  >
                                                  >If you have no problem getting your email delivered, then there is no
                                                  >reason to add SPF records.

                                                  I agree wholeheartedly!

                                                  >
                                                  >here is an interesting article:
                                                  > http://www.circleid.com/posts/spf_loses_mindshare/

                                                  Here is another with some real-world statistics that show how spammers
                                                  use SPF:
                                                  http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html?page=last


                                                  Rod/
                                                  From the land "down under": Australia.
                                                  Do we look <umop apisdn> from up over?
                                                • Angelos Karageorgiou
                                                  Message 24 of 27 , Aug 1 1:18 AM
                                                    well I have my spamassassin tuned to increase spamscore on mismatching
                                                    spf records

                                                    Jorey Bump wrote:
                                                    >
                                                    > I choose A. I have never published an SPF record, and it has not
                                                    > impaired my mail servers, destination domains, or users in any way.
                                                    > The absence of an SPF record is unlikely to carry any penalty.
                                                    >
                                                  • Udo Rader
                                                    Message 25 of 27 , Aug 1 1:52 AM
                                                      On Wed, 2007-08-01 at 08:59 +1000, RW wrote:
                                                      > On Tue, 31 Jul 2007 16:10:13 +0200, mouss wrote:
                                                      >
                                                      > >Peter Rabbitson wrote:
                                                      > >> Hello,
                                                      > >>
                                                      > >> I am trying to figure out what should I do with SPF domain records
                                                      > >> given the current state of affairs with SPF/SenderID. I am not
                                                      > >> interested in filtering incoming mail based on SPF, I just want to
                                                      > >> adjust my DNS records to be as compatible with the rest of the world
                                                      > >> as possible.
                                                      > >>
                                                      > >> Most of my mail originates in-house, with a handful of users sending
                                                      > >> mail through a static number of ISP servers. Roaming users have access
                                                      > >> to a VPN, so they qualify as in-house as well.
                                                      > >>
                                                      > >> Googling confused me even more hence this question to the list:
                                                      > >>
                                                      > >> What should a domain admin do to achieve maximum interoperability
                                                      > >> while sending _outgoing_ mails?
                                                      > >>
                                                      > >> A) Not publish any records at all
                                                      > >> B) Publish an explicit record
                                                      > >> C) Publish a relaxed record (should it end with ~all or ?all ?)
                                                      > >>
                                                      > >>
                                                      > >
                                                      > >If you publish SPF records, avoid publishing "loose" ones. There is no
                                                      > >point saying that users can send from anywhere: This is what lack of SPF
                                                      > >records means!
                                                      > >
                                                      > >If you have no problem getting your email delivered, then there is no
                                                      > >reason to add SPF records.
                                                      >
                                                      > I agree wholeheartedly!
                                                      >
                                                      > >
                                                      > >here is an interesting article:
                                                      > > http://www.circleid.com/posts/spf_loses_mindshare/
                                                      >
                                                      > Here is another with some real-world statistics that show how spammers
                                                      > use SPF:
                                                      > http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html?page=last

                                                      This is indeed interesting material, never saw it from this way.
                                                      Spammers actively using SPF records, weird.

                                                      Thanks for pointing this out.

                                                      ... hopefully the ML admins still bear with us and this evil thread :-)

                                                      --
                                                      Udo Rader

                                                      bestsolution.at EDV Systemhaus GmbH
                                                      http://www.bestsolution.at
                                                    • RW
                                                      Message 26 of 27 , Aug 1 2:26 AM
                                                        >> http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html?page=last
                                                        >
                                                        >This is indeed interesting material, never saw it from this way.
                                                        >Spammers actively using SPF records, weird.
                                                        >
                                                        >Thanks for pointing this out.
                                                        >
                                                        >... hopefully the ML admins still bear with us and this evil thread :-)
                                                        >

                                                        No more from me! I saw Wietse's message after I had posted or it would
                                                        not have gone to the list.

                                                        I listen to my benefactor......

                                                        Rod/
                                                        From the land "down under": Australia.
                                                        Do we look <umop apisdn> from up over?
                                                      • Jorey Bump
                                                        Message 27 of 27 , Aug 1 5:17 AM
                                                          Angelos Karageorgiou wrote:
                                                          > well I have my spamassassin tuned to increase spamscore on mismatching
                                                          > spf records

                                                          So do I. This can be useful for detecting forgeries. It still does not
                                                          impose a penalty when no SPF record is published.

                                                          > Jorey Bump wrote:
                                                          >>
                                                          >> I choose A. I have never published an SPF record, and it has not
                                                          >> impaired my mail servers, destination domains, or users in any way.
                                                          >> The absence of an SPF record is unlikely to carry any penalty.
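
An added illustration, not code from any poster in this thread: the three publishing choices (A, B, C) evaluated for mail arriving from a host the record does not list, then handled by a receiver that rejects on SPF fail versus one that only adds to a spam score. The evaluator is simplified to `ip4`, `ip6` and `all` with no DNS lookups; the domain, addresses, scores and threshold are constructed assumptions, not SpamAssassin defaults.

```python
import ipaddress

# Qualifier -> result when the mechanism it prefixes matches (RFC 4408 / RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate a simplified SPF record (ip4, ip6 and all only; no DNS lookups)."""
    if record is None:
        return "none"                      # option A: nothing published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # a TXT record that is not SPF
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"{name!r} needs DNS; outside this sketch")
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"             # malformed address in the record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term


# Constructed records for a hypothetical domain, using documentation address ranges.
HOSTS = "ip4:192.0.2.0/24 ip4:198.51.100.25"    # in-house range plus one ISP relay
RECORDS = {
    "A (no record)": None,
    "B (explicit, -all)": f"v=spf1 {HOSTS} -all",
    "C (relaxed, ~all)": f"v=spf1 {HOSTS} ~all",
    "C (relaxed, ?all)": f"v=spf1 {HOSTS} ?all",
}
LISTED_IP = "192.0.2.17"       # constructed: inside the published range
UNLISTED_IP = "203.0.113.7"    # constructed: not covered by any mechanism

# Constructed scoring table and threshold for the score-based receiver.
SPF_SCORES = {"pass": 0.0, "none": 0.0, "neutral": 0.0,
              "softfail": 1.5, "fail": 3.0, "permerror": 0.5}
REJECT_AT = 5.0


def hard_reject(result):
    """Receiver that blocks purely on the SPF result."""
    return "reject" if result == "fail" else "accept"


def scored(result, content_score):
    """Receiver that treats SPF as one input among the other spam tests."""
    total = content_score + SPF_SCORES[result]
    return "reject" if total >= REJECT_AT else "accept"


def compare(content_score):
    """SPF result and both receiver decisions for mail from the unlisted host."""
    rows = {}
    for label, record in RECORDS.items():
        result = spf_result(record, UNLISTED_IP)
        rows[label] = (result, hard_reject(result), scored(result, content_score))
    return rows


if __name__ == "__main__":
    for score in (0.5, 4.0):               # clean-looking vs. spammy content
        for label, row in compare(score).items():
            print(score, label, *row)
```

With a low content score, only the hard-reject receiver drops the unlisted-host message under record B; with a high content score, the scoring receiver rejects under B and `~all` but not when no record is published.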