Re: SPF interoperability question

  • Wietse Venema
    Message 1 of 27 , Jul 31, 2007
      Jorey Bump:
      > Gene Rackow wrote:
      >
      > > I find that SPF records are a bit of a joke.
      >
      > There is a longstanding taboo against discussing the merits of SPF on
      > this list, so let's not pursue this tangent. While the OP does not
      > discuss any issues specific to Postfix, it's not unusual to see
      > questions about interoperability and best practices here, since many
      > experienced MTA administrators read this list. Since this was a
      > system health question, it seemed appropriate to answer on those points
      > (but I'm not the list maintainer, so I could be wrong). Otherwise, it's
      > best not to mention SPF here, as it tends to result in endless threads
      > and flamewars.

      I concur. Let's stay away from the merits of SPF. The original
      question was how in practice should an MTA operator deal with it.

      Wietse
    • Peter Rabbitson
      Message 2 of 27 , Jul 31, 2007
        Jorey Bump wrote:
        > Gene Rackow wrote:
        >
        >> I find that SPF records are a bit of a joke.
        >
        > There is a longstanding taboo against discussing the merits of SPF on
        > this list, so let's not pursue this tangent. While the OP does not
        > discuss any issues specific to Postfix, it's not unusual to see
        > questions about interoperability and best practices here, since many
        > experienced MTA administrators read this list. Since this was a
        > system health question, it seemed appropriate to answer on those points
        > (but I'm not the list maintainer, so I could be wrong). Otherwise, it's
        > best not to mention SPF here, as it tends to result in endless threads
        > and flamewars.

        I second that. I did not mean to start a flamewar, I was asking for
        practical advice on a very controversial issue. I pretty much got the
        response I was expecting - do not publish any records at all until times
        change.
      • Gene Rackow
        Message 3 of 27 , Jul 31, 2007
          Wietse Venema made the following keystrokes:
          >I concur. Let's stay away from the merits of SPF. The original
          >question was how in practice should an MTA operator deal with it.
          >
          > Wietse
          You are right. My bad. The reason I posted what I did was
          to give a couple of examples on what can happen when you
          use various configurations.
        • M. Fioretti
          Message 4 of 27 , Jul 31, 2007
            On Tue, Jul 31, 2007 15:04:24 PM +0200, Peter Rabbitson
            (rabbit@...) wrote:

            > I am trying to figure out what should I do with SPF domain records

            me too...

            > Googling confused me even more hence this question to the list:

            same here. However, even if another message of this thread said:

            > Few tests involving gmail, yahoo and hotmail didn't show noticeable
            > benefits from SPF records.

            There is the fact that publishing SPF records is requirement #4
            of http://postmaster.msn.com/Guidelines.aspx

            In other words, without going at all (please, please!!!!) into any
            variant of "MS s%&$cks!" it does _look_ that, on a strictly practical,
            day-to-day survival level, publishing an SPF record _is_ a thing to
            do.

            Unless, of course, one can really afford to say "probably we'll never
            be able to send email to any Hotmail user, hey who cares!" to himself
            and ALL the users of his email server. Is this correct?

            If yes, the most practical, yet tolerant solution is B), right?

            > B) Publish an explicit record

            Thanks,
            Marco

            --
            The one book on software and digital technologies that no
            parent can ignore: http://digifreedom.net
          • Jorey Bump
            Message 5 of 27 , Jul 31, 2007
              M. Fioretti wrote:

              > There is the fact that publishing SPF records is requirement #4
              > of http://postmaster.msn.com/Guidelines.aspx

              It is not listed as a requirement on that page, but "highly recommended".

              > In other words, without going at all (please, please!!!!) into any
              > variant of "MS s%&$cks!" it does _look_ that, on a strictly practical,
              > day-to-day survival level, publishing an SPF record _is_ a thing to
              > do.
              >
              > Unless, of course, one can really afford to say "probably we'll never
              > be able to send email to any Hotmail user, hey who cares!" to himself
              > and ALL the users of his email server. Is this correct?
              >
              > If yes, the most practical, yet tolerant solution is B), right?
              >
              >> B) Publish an explicit record

              AFAIK, SPF was never intended to punish sites that choose not to publish
              an SPF record. If an SPF record exists, a site is free to determine
              local policy for handling mail from that domain (such as reducing the
              spam score if it originates from an authorized server, and increasing
              the spam score if it does not). Tolerance demands that an absent SPF
              record is not weighted, since there is no industry or standards body
              requirement that it exists. The same could be said about MX records.

              Anyone suggesting that the absence of an SPF record will contribute to
              or result in rejected mail must provide evidence. I think most would
              agree that this would be an inappropriate use of SPF, regardless of
              their opinion of its merits.
            • Chris Horry
              Message 6 of 27 , Jul 31, 2007
                Peter Rabbitson wrote:
                > Hello,
                >
                > I am trying to figure out what should I do with SPF domain records given
                > the current state of affairs with SPF/SenderID. I am not interested in
                > filtering incoming mail based on SPF, I just want to adjust my DNS
                > records to be as compatible with the rest of the world as possible.
                >
                > Most of my mail originates in-house, with a handful of users sending
                > mail through a static number of ISP servers. Roaming users have access
                > to a VPN, so they qualify as in-house as well.
                >
                > Googling confused me even more hence this question to the list:
                >
                > What should a domain admin do to achieve maximum interoperability while
                > sending _outgoing_ mails?
                >
                > A) Not publish any records at all
                > B) Publish an explicit record
                > C) Publish a relaxed record (should it end with ~all or ?all ?)

                Go with B). As others have said, the benefits outweigh the risks. Some
                idiot mail admins will block based on SPF information which is the
                biggest risk.

                My recommendation for SPF filters is to use it with a score based
                system, otherwise you WILL have collateral damage. SpamAssassin works well.

                Chris

                - --
                Chris Horry KG4TSM
                zerbey@...
                http://www.wibble.co.uk

                "A conservative is a man with two perfectly good legs who,
                however, has never learned how to walk forward".
                -- Franklin D. Roosevelt

              • mouss
                Message 7 of 27 , Jul 31, 2007
                  M. Fioretti wrote:
                  > On Tue, Jul 31, 2007 15:04:24 PM +0200, Peter Rabbitson
                  > (rabbit@...) wrote:
                  >
                  >
                  >> I am trying to figure out what should I do with SPF domain records
                  >>
                  >
                  > me too...
                  >
                  >
                  >> Googling confused me even more hence this question to the list:
                  >>
                  >
                  > same here. However, even if another message of this thread said:
                  >
                  >
                  >> Few tests involving gmail, yahoo and hotmail didn't show noticeable
                  >> benefits from SPF records.
                  >>
                  >
                  > There is the fact that publishing SPF records is requirement #4
                  > of http://postmaster.msn.com/Guidelines.aspx
                  >
                  > In other words, without going at all (please, please!!!!) into any
                  > variant of "MS s%&$cks!" it does _look_ that, on a strictly practical,
                  > day-to-day survival level, publishing an SPF record _is_ a thing to
                  > do.
                  >

                  What I said is based on very few tests and personal judgement. I can't
                  do real test for obvious reasons (that would be abuse).

                  If your mail is tagged as spam by hotmail or yahoo, start by filling in
                  their forms. Their "questions" are helpful anyway.

                  > Unless, of course, one can really afford to say "probably we'll never
                  > be able to send email to any Hotmail user, hey who cares!" to himself
                  > and ALL the users of his email server. Is this correct?
                  >
                  > If yes, the most practical, yet tolerant solution is B), right?
                  >

                  yes. and you would also need to implement DKIM to please yahoo.
                  >
                  >> B) Publish an explicit record
                  >>
                  >
                  > Thanks,
                  > Marco
                  >
                  >
                • Erwan David
                  Message 8 of 27 , Jul 31, 2007
                    On Tue 31/07/2007, M. Fioretti said
                    >
                    > If yes, the most practical, yet tolerant solution is B), right?
                    >
                    > > B) Publish an explicit record

                    This choice forbids your users to use the mail in a way they were allowed to
                    before. You restrict their service. Now it's up to whoever decides the policy
                    to take the decision. Which is not neutral.

                    --
                    Erwan
                  • Scott Kitterman
                    Message 9 of 27 , Jul 31, 2007
                      On Tuesday 31 July 2007 16:41, mouss wrote:

                      > yes. and you would also need to implement DKIM to please yahoo.
                      >
                      Actually it's still DK at Yahoo.

                      Scott K
                    • Victor Duchovni
                      Message 10 of 27 , Jul 31, 2007
                        On Tue, Jul 31, 2007 at 10:46:08PM +0200, Erwan David wrote:

                        > This choice forbids your users to use the mail in a way they were allowed to
                        > before. You restrict their service. Now it's up to whoever decides the policy
                        > to take the decision. Which is not neutral.

                        We have drifted away from implementation/interop issues... Let's close
                        this thread. Thanks.

                        --
                        Viktor.

                        Disclaimer: off-list followups get on-list replies or get ignored.
                        Please do not ignore the "Reply-To" header.

                        To unsubscribe from the postfix-users list, visit
                        http://www.postfix.org/lists.html or click the link below:
                        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                        If my response solves your problem, the best way to thank me is to not
                        send an "it worked, thanks" follow-up. If you must respond, please put
                        "It worked, thanks" in the "Subject" so I can delete these quickly.
                      • mouss
                        Message 11 of 27 , Jul 31, 2007
                          Scott Kitterman wrote:
                          > On Tuesday 31 July 2007 16:41, mouss wrote:
                          >
                          >
                          >> yes. and you would also need to implement DKIM to please yahoo.
                          >>
                          >>
                          > Actually it's still DK at Yahoo.
                          >

                          I know, but DKIM should get them happy, in theory at least. now, let me
                          stop speculating...
                        • Victor Duchovni
                          Message 12 of 27 , Jul 31, 2007
                            On Tue, Jul 31, 2007 at 11:07:11PM +0200, mouss wrote:

                            > I know, but DKIM should get them happy, in theory at least. now, let me
                            > stop speculating...

                            Rumour has it that Yahoo will be converting to DKIM in the not too
                            distant future.

                            --
                            Viktor.

                          • RW
                            Message 13 of 27 , Jul 31, 2007
                              On Tue, 31 Jul 2007 16:10:13 +0200, mouss wrote:

                              >Peter Rabbitson wrote:
                              >> Hello,
                              >>
                              >> I am trying to figure out what should I do with SPF domain records
                              >> given the current state of affairs with SPF/SenderID. I am not
                              >> interested in filtering incoming mail based on SPF, I just want to
                              >> adjust my DNS records to be as compatible with the rest of the world
                              >> as possible.
                              >>
                              >> Most of my mail originates in-house, with a handful of users sending
                              >> mail through a static number of ISP servers. Roaming users have access
                              >> to a VPN, so they qualify as in-house as well.
                              >>
                              >> Googling confused me even more hence this question to the list:
                              >>
                              >> What should a domain admin do to achieve maximum interoperability
                              >> while sending _outgoing_ mails?
                              >>
                              >> A) Not publish any records at all
                              >> B) Publish an explicit record
                              >> C) Publish a relaxed record (should it end with ~all or ?all ?)
                              >>
                              >>
                              >
                              >If you publish SPF records, avoid publishing "loose" ones. There is no
                              >point saying that users can send from anywhere: This is what lack of SPF
                              >records means!
                              >
                              >If you have no problem getting your email delivered, then there is no
                              >reason to add SPF records.

                              I agree wholeheartedly!

                              >
                              >here is an interesting article:
                              > http://www.circleid.com/posts/spf_loses_mindshare/

                              Here is another with some real-world statistics that show how spammers
                              use SPF:
                              http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html?page=last


                              Rod/
                              From the land "down under": Australia.
                              Do we look <umop apisdn> from up over?
                            • Angelos Karageorgiou
                              Message 14 of 27 , Aug 1, 2007
                                well I have my spamassassin tuned to increase spamscore on mismatching
                                spf records

                                Jorey Bump wrote:
                                >
                                > I choose A. I have never published an SPF record, and it has not
                                > impaired my mail servers, destination domains, or users in any way.
                                > The absence of an SPF record is unlikely to carry any penalty.
                                >
                              • Udo Rader
                                Message 15 of 27 , Aug 1, 2007
                                  On Wed, 2007-08-01 at 08:59 +1000, RW wrote:
                                  > On Tue, 31 Jul 2007 16:10:13 +0200, mouss wrote:
                                  >
                                  > >Peter Rabbitson wrote:
                                  > >> Hello,
                                  > >>
                                  > >> I am trying to figure out what should I do with SPF domain records
                                  > >> given the current state of affairs with SPF/SenderID. I am not
                                  > >> interested in filtering incoming mail based on SPF, I just want to
                                  > >> adjust my DNS records to be as compatible with the rest of the world
                                  > >> as possible.
                                  > >>
                                  > >> Most of my mail originates in-house, with a handful of users sending
                                  > >> mail through a static number of ISP servers. Roaming users have access
                                  > >> to a VPN, so they qualify as in-house as well.
                                  > >>
                                  > >> Googling confused me even more hence this question to the list:
                                  > >>
                                  > >> What should a domain admin do to achieve maximum interoperability
                                  > >> while sending _outgoing_ mails?
                                  > >>
                                  > >> A) Not publish any records at all
                                  > >> B) Publish an explicit record
                                  > >> C) Publish a relaxed record (should it end with ~all or ?all ?)
                                  > >>
                                  > >>
                                  > >
                                  > >If you publish SPF records, avoid publishing "loose" ones. There is no
                                  > >point saying that users can send from anywhere: This is what lack of SPF
                                  > >records means!
                                  > >
                                  > >If you have no problem getting your email delivered, then there is no
                                  > >reason to add SPF records.
                                  >
                                  > I agree wholeheartedly!
                                  >
                                  > >
                                  > >here is an interesting article:
                                  > > http://www.circleid.com/posts/spf_loses_mindshare/
                                  >
                                  > Here is another with some real-world statistics that show how spammers
                                  > use SPF:
                                  > http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html?page=last

                                  This is indeed interesting material, never saw it from this way.
                                  Spammers actively using SPF records, weird.

                                  Thanks for pointing this out.

                                  ... hopefully the ML admins still bear with us and this evil thread :-)

                                  --
                                  Udo Rader

                                  bestsolution.at EDV Systemhaus GmbH
                                  http://www.bestsolution.at
                                • RW
                                  Message 16 of 27 , Aug 1, 2007
                                    >> http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html?page=last
                                    >
                                    >This is indeed interesting material, never saw it from this way.
                                    >Spammers actively using SPF records, weird.
                                    >
                                    >Thanks for pointing this out.
                                    >
                                    >... hopefully the ML admins still bear with us and this evil thread :-)
                                    >

                                    No more from me! I saw Wietse's message after I had posted or it would
                                    not have gone to the list.

                                    I listen to my benefactor......

                                    Rod/
                                    From the land "down under": Australia.
                                    Do we look <umop apisdn> from up over?
                                  • Jorey Bump
                                    Message 17 of 27 , Aug 1, 2007
                                      Angelos Karageorgiou wrote:
                                      > well I have my spamassassin tuned to increase spamscore on mismatching
                                      > spf records

                                      So do I. This can be useful for detecting forgeries. It still does not
                                      impose a penalty when no SPF record is published.

                                      > Jorey Bump wrote:
                                      >>
                                      >> I choose A. I have never published an SPF record, and it has not
                                      >> impaired my mail servers, destination domains, or users in any way.
                                      >> The absence of an SPF record is unlikely to carry any penalty.