Re: Mailing list SPF Failure

2024-05-17 Thread Karl Auer
On Fri, 2024-05-17 at 08:13 +0300, Hank Nussbacher wrote:
> On 17/05/2024 5:45, Karl Auer wrote:
> > https://support.google.com/a/answer/81126
> 
> I think some may have missed these announcements:
> 
> https://labs.ripe.net/author/fergalc/enhancing-email-delivery-at-the-ripe-ncc/
> 
> https://blog.google/products/gmail/gmail-security-authentication-spam-protection/

The first of your links points to a page containing a link to the
second. The second of your links points to a page containing the
link I gave, with link text "clear guidance".

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au, he/him)
http://www.biplane.com.au/kauer




Re: Mailing list SPF Failure

2024-05-16 Thread Hank Nussbacher

On 17/05/2024 5:45, Karl Auer wrote:
> On Thu, 2024-05-16 at 19:27 -0700, Michael Thomas wrote:
> > On 5/16/24 7:22 PM, Scott Q. wrote:
> > > Mike, you do realize Google/Gmail rejects e-mails with
> > > invalid/missing SPF right ?
> >
> > I was receiving the mail while NANOG had no SPF record, so no? Any
> > receiver would be really stupid to take a single signal as
> > disqualifying.
>
> For small-scale senders, it's either or both. For large-scale senders
> (5000+ per day) it's both.
>
> At least according to this:
>
> https://support.google.com/a/answer/81126


I think some may have missed these announcements:

https://labs.ripe.net/author/fergalc/enhancing-email-delivery-at-the-ripe-ncc/

https://blog.google/products/gmail/gmail-security-authentication-spam-protection/


Regards,

Hank



Re: Mailing list SPF Failure

2024-05-16 Thread Tom Beecher
Same, this address for me is also gmail.

This is what Gmail shows me from earlier today, when the SPF record was not
present :

Message ID <bff409fd0177c9caf1461e2439691...@polarismail--com.w.emailarray.com>
Created at: Thu, May 16, 2024 at 11:59 AM (Delivered after 77 seconds)
From: "Scott Q."  Using Group-Office
To: Michael Thomas , nanog@nanog.org
Subject: Re: Mailing list SPF Failure
SPF: NONE with IP 50.31.151.76 Learn more


Message ID <74b33cf0-b7c4-46ac-8154-1cfca082e...@mtcc.com>
Created at: Thu, May 16, 2024 at 2:13 PM (Delivered after 85 seconds)
From: Michael Thomas 
To: "Scott Q." , nanog@nanog.org
Subject: Re: Mailing list SPF Failure
SPF: NONE with IP 50.31.151.76 Learn more
DKIM: 'PASS' with domain mtcc.com Learn more


Message ID <20240516190341.beb6f8b53...@ary.qy>
Created at: Thu, May 16, 2024 at 3:03 PM (Delivered after 79 seconds)
From: John Levine 
To: nanog@nanog.org
Subject: Re: Mailing list SPF Failure
SPF: NONE with IP 2001:1838:2001:8:0:0:0:20 Learn more
DKIM: 'FAIL' with domain iecc.com Learn more
DMARC: 'FAIL' Learn more

All 3 of these messages were delivered to my inbox as normal. The messages
from Scott and John provided warnings when hovering over the icon that the
user was not authenticated.


After the SPF record was fixed :

Message ID 
Created at: Thu, May 16, 2024 at 10:36 PM (Delivered after 68 seconds)
From: "John R. Levine" 
To: "Scott Q." 
Subject: Re: Mailing list SPF Failure
SPF: PASS with IP 50.31.151.76 Learn more
DKIM: 'PASS' with domain iecc.com Learn more
DMARC: 'PASS' Learn more

Message ID <e47a1819deae8e7c8f592ab653c42...@polarismail--com.w.emailarray.com>
Created at: Thu, May 16, 2024 at 10:23 PM (Delivered after 180 seconds)
From: "Scott Q."  Using Group-Office
To: "John R. Levine" , William Herrin 
Subject: Re: Mailing list SPF Failure
SPF: PASS with IP 50.31.151.76 Learn more

The warnings were not present on these messages.

Google's support page if you click on those warnings is here :

https://support.google.com/mail/answer/180707

Where it states the following :

Check if a message is authenticated
>
> Important: Messages that aren't authenticated aren't necessarily spam.
> Sometimes authentication doesn't work for real organizations who send mail
> to big groups, like messages sent to mailing lists.
>

On Thu, May 16, 2024 at 10:46 PM Michael Thomas  wrote:

>
> On 5/16/24 7:36 PM, John R. Levine wrote:
> > I think a lot of us have nanog whitelisted or otherwise special cased.
>
> I don't and gmail is my backend. That's trivial falsification that lack
> of an SPF record alone will cause gmail rejects.
>
> Mike
>
> >
> > Also, it's been pumping out list mail for decades and I expect has a
> > close to zero complaint rate so even without the SPF the IPs it sends
> > from have a good reputation.
> >
> > On Thu, 16 May 2024, Scott Q. wrote:
> >
> >> I'm surprised nobody noticed for close to 10 days. I was away
> >> from work and upon coming back I saw the little discussion there was ,
> >> in my Spam folder.
> >>
> >> On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
> >>
> >> On Thu, 16 May 2024, William Herrin wrote:
> >>> The message content (including the message headers) is theoretically
> >>> not used for SPF validation. In practice, some SPF validators don't
> >>> have direct access to the SMTP session so they rely on the SMTP
> >>> session placing the envelope sender in the Return-path header.
> >>
> >> But that wasn't the problem here, the SPF record was just
> >> gone.  Oops.
> >>
> >> I see that the SPF record is back and seems to have the correct addresses
> >> so we can now return to our previously scheduled flamage.
>


Re: Mailing list SPF Failure

2024-05-16 Thread Karl Auer
On Thu, 2024-05-16 at 19:27 -0700, Michael Thomas wrote:
> On 5/16/24 7:22 PM, Scott Q. wrote:
> > Mike, you do realize Google/Gmail rejects e-mails with
> > invalid/missing SPF right ?
> 
> I was receiving the mail while NANOG had no SPF record, so no? Any 
> receiver would be really stupid to take a single signal as
> disqualifying.

For small-scale senders, it's either or both. For large-scale senders
(5000+ per day) it's both.

At least according to this:

https://support.google.com/a/answer/81126

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au, he/him)
http://www.biplane.com.au/kauer




Re: Mailing list SPF Failure

2024-05-16 Thread Michael Thomas



On 5/16/24 7:36 PM, John R. Levine wrote:
> I think a lot of us have nanog whitelisted or otherwise special cased.

I don't and gmail is my backend. That's trivial falsification that lack
of an SPF record alone will cause gmail rejects.

Mike

> Also, it's been pumping out list mail for decades and I expect has a
> close to zero complaint rate so even without the SPF the IPs it sends
> from have a good reputation.
>
> On Thu, 16 May 2024, Scott Q. wrote:
>
> > I'm surprised nobody noticed for close to 10 days. I was away
> > from work and upon coming back I saw the little discussion there was ,
> > in my Spam folder.
> >
> > On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
> >
> > On Thu, 16 May 2024, William Herrin wrote:
> > > The message content (including the message headers) is theoretically
> > > not used for SPF validation. In practice, some SPF validators don't
> > > have direct access to the SMTP session so they rely on the SMTP
> > > session placing the envelope sender in the Return-path header.
> >
> > But that wasn't the problem here, the SPF record was just
> > gone.  Oops.
> >
> > I see that the SPF record is back and seems to have the correct addresses
> > so we can now return to our previously scheduled flamage.


Re: Mailing list SPF Failure

2024-05-16 Thread Tom Beecher
>
> I'm surprised nobody noticed for close to 10 days.


Probably because it wasn't 10 days.

On Thu, May 16, 2024 at 10:26 PM Scott Q.  wrote:

> I'm surprised nobody noticed for close to 10 days. I was away from work
> and upon coming back I saw the little discussion there was , in my Spam
> folder.
>
> On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
>
> On Thu, 16 May 2024, William Herrin wrote:
> > The message content (including the message headers) is theoretically
> > not used for SPF validation. In practice, some SPF validators don't
> > have direct access to the SMTP session so they rely on the SMTP
> > session placing the envelope sender in the Return-path header.
>
> But that wasn't the problem here, the SPF record was just gone.  Oops.
>
> I see that the SPF record is back and seems to have the correct addresses so
> we can now return to our previously scheduled flamage.
>
> Regards,
> John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
>
>


Re: Mailing list SPF Failure

2024-05-16 Thread John R. Levine

I think a lot of us have nanog whitelisted or otherwise special cased.

Also, it's been pumping out list mail for decades and I expect has a close
to zero complaint rate so even without the SPF the IPs it sends from have
a good reputation.

On Thu, 16 May 2024, Scott Q. wrote:

> I'm surprised nobody noticed for close to 10 days. I was away
> from work and upon coming back I saw the little discussion there was ,
> in my Spam folder.
>
> On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
>
> On Thu, 16 May 2024, William Herrin wrote:
> > The message content (including the message headers) is theoretically
> > not used for SPF validation. In practice, some SPF validators don't
> > have direct access to the SMTP session so they rely on the SMTP
> > session placing the envelope sender in the Return-path header.
>
> But that wasn't the problem here, the SPF record was just
> gone.  Oops.
>
> I see that the SPF record is back and seems to have the correct addresses
> so we can now return to our previously scheduled flamage.


Re: Mailing list SPF Failure

2024-05-16 Thread Michael Thomas


On 5/16/24 7:22 PM, Scott Q. wrote:
> Mike, you do realize Google/Gmail rejects e-mails with invalid/missing
> SPF right ?

I was receiving the mail while NANOG had no SPF record, so no? Any
receiver would be really stupid to take a single signal as disqualifying.

Mike

> If you want to tell them they're broken...there's a few guys on the
> list here.
>
> On Thursday, 16/05/2024 at 19:17 Michael Thomas wrote:
>
> On 5/16/24 3:54 PM, William Herrin wrote:
> > On Thu, May 16, 2024 at 12:03 PM John Levine <jo...@iecc.com> wrote:
> > > It appears that Michael Thomas <m...@mtcc.com> said:
> > > > Since probably 99% of the mail from NANOG is through this list, it
> > > > hardly matters since SPF will always fail.
> > > Sorry, but no. A mailing list puts its own envelope return address on
> > > the message so with a reasonable SPF record, SPF will normally
> > > succeed.
> > Exactly. SPF acts on the -envelope- sender. That means the one
> > presented in the SMTP From:<> command. For mail from nanog, that's:
> > nanog-bounces+addr...@nanog.org, regardless of what the sender's
> > header From address is.
> >
> > The message content (including the message headers) is theoretically
> > not used for SPF validation. In practice, some SPF validators don't
> > have direct access to the SMTP session so they rely on the SMTP
> > session placing the envelope sender in the Return-path header.
>
> Yes, and why is that needed? The mailing list resigning has the same
> effect and then you only need one mechanism instead of two and with DKIM
> you get the benefit that it's signing the 822 address which can be used
> for user level stuff in a way that SPF is a little sus. So it makes SPF
> pretty irrelevant. IMO, SPF was always a stopgap since there was no
> guarantee that DKIM would be deployed. 20 years on, I guess I don't feel
> like I need to keep my trap shut about that.
>
> If a receiving site is rejecting something solely based on the lack of a
> SPF record but has a valid DKIM signature, the site is broken IMO.

Mike


Re: Mailing list SPF Failure

2024-05-16 Thread Scott Q.
I'm surprised nobody noticed for close to 10 days. I was away
from work and upon coming back I saw the little discussion there was ,
in my Spam folder.

On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:



On Thu, 16 May 2024, William Herrin wrote:
> The message content (including the message headers) is theoretically
> not used for SPF validation. In practice, some SPF validators don't
> have direct access to the SMTP session so they rely on the SMTP
> session placing the envelope sender in the Return-path header.

But that wasn't the problem here, the SPF record was just
gone.  Oops.

I see that the SPF record is back and seems to have the correct addresses
so we can now return to our previously scheduled flamage.

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for
Dummies",
Please consider the environment before reading this e-mail.
https://jl.ly


Re: Mailing list SPF Failure

2024-05-16 Thread Michael Thomas



On 5/16/24 3:54 PM, William Herrin wrote:
> On Thu, May 16, 2024 at 12:03 PM John Levine wrote:
> > It appears that Michael Thomas said:
> > > Since probably 99% of the mail from NANOG is through this list, it
> > > hardly matters since SPF will always fail.
> > Sorry, but no. A mailing list puts its own envelope return address on
> > the message so with a reasonable SPF record, SPF will normally
> > succeed.
> Exactly. SPF acts on the -envelope- sender. That means the one
> presented in the SMTP From:<> command. For mail from nanog, that's:
> nanog-bounces+addr...@nanog.org, regardless of what the sender's
> header From address is.
>
> The message content (including the message headers) is theoretically
> not used for SPF validation. In practice, some SPF validators don't
> have direct access to the SMTP session so they rely on the SMTP
> session placing the envelope sender in the Return-path header.

Yes, and why is that needed? The mailing list resigning has the same
effect and then you only need one mechanism instead of two and with DKIM
you get the benefit that it's signing the 822 address which can be used
for user level stuff in a way that SPF is a little sus. So it makes SPF
pretty irrelevant. IMO, SPF was always a stopgap since there was no
guarantee that DKIM would be deployed. 20 years on, I guess I don't feel
like I need to keep my trap shut about that.


If a receiving site is rejecting something solely based on the lack of a 
SPF record but has a valid DKIM signature, the site is broken IMO.


Mike



Re: Mailing list SPF Failure

2024-05-16 Thread John R. Levine

On Thu, 16 May 2024, William Herrin wrote:
> The message content (including the message headers) is theoretically
> not used for SPF validation. In practice, some SPF validators don't
> have direct access to the SMTP session so they rely on the SMTP
> session placing the envelope sender in the Return-path header.

But that wasn't the problem here, the SPF record was just gone.  Oops.

I see that the SPF record is back and seems to have the correct addresses so
we can now return to our previously scheduled flamage.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Mailing list SPF Failure

2024-05-16 Thread William Herrin
On Thu, May 16, 2024 at 12:03 PM John Levine  wrote:
> It appears that Michael Thomas  said:
> >Since probably 99% of the mail from NANOG is through this list, it
> >hardly matters since SPF will always fail.
>
> Sorry, but no. A mailing list puts its own envelope return address on
> the message so with a reasonable SPF record, SPF will normally
> succeed.

Exactly. SPF acts on the -envelope- sender. That means the one
presented in the SMTP From:<> command. For mail from nanog, that's:
nanog-bounces+addr...@nanog.org, regardless of what the sender's
header From address is.

The message content (including the message headers) is theoretically
not used for SPF validation. In practice, some SPF validators don't
have direct access to the SMTP session so they rely on the SMTP
session placing the envelope sender in the Return-path header.

Regards,
Bill Herrin



-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Mailing list SPF Failure

2024-05-16 Thread John Levine
It appears that Michael Thomas  said:
>On 5/16/24 8:11 AM, Peter Potvin via NANOG wrote:
>> Appears there’s no SPF record at all now for nanog.org,
>> which is not ideal…
>
>Since probably 99% of the mail from NANOG is through this list, it 
>hardly matters since SPF will always fail.

Sorry, but no. A mailing list puts its own envelope return address on
the message so with a reasonable SPF record, SPF will normally
succeed. (If the mail is subsequently forwarded SPF will fail, but
that's not unique to mailing lists.)

DKIM and DMARC do not get along with mailing lists, but SPF is OK, at
least as OK as SPF ever is.

tl;dr nanog needs to put back its SPF record. It'll make some systems
such as Gmail considerably more likely to accept the mail.

R's,
John


Re: Mailing list SPF Failure

2024-05-16 Thread Michael Thomas


On 5/16/24 8:59 AM, Scott Q. wrote:
> Uhm, not really. An SPF failure is really bad even though DKIM works.
> It might depend what they do with DMARC but even so, there's no reason
> they can't just add that IP to their SPF record.


SPF has from day one been known to be broken with mailing lists. It's 
not "really bad", it's just what it is. There are other modes that SPF 
fails too like forwarding. Frankly I've tried to keep clear of "SPF is 
pointless", but it is actually pointless. It doesn't bring anything to 
the table that DKIM can't do better.


Mike



Re: Mailing list SPF Failure

2024-05-16 Thread Scott Q.
Uhm, not really. An SPF failure is really bad even though DKIM
works. It might depend what they do with DMARC but even so, there's no
reason they can't just add that IP to their SPF record.

From what I see, it's been broken at least since May 6-7.


On Thursday, 16/05/2024 at 11:37 Michael Thomas wrote:

On 5/16/24 8:11 AM, Peter Potvin via NANOG wrote:
> Appears there’s no SPF record at all now for nanog.org, which is
> not ideal…

Since probably 99% of the mail from NANOG is through this list, it
hardly matters since SPF will always fail. What is more important is
that they resign with DKIM so that receivers can use that identity.
SPF is for the most part belt and suspenders.

Mike

> Kind regards,
> Peter Potvin
>
> On Thu, May 16, 2024 at 02:59 Bjørn Mork wrote:
>
> > "Scott Q." writes:
> >
> > > Anyone else getting SPF failures on all messages sent to the list
> > > ?
> > >
> > > I see them all originating from 50.31.151.76 but nanog.org's SPF
> > > record doesn't list that as allowed.
> >
> > I see the same.  nanog.org mail is originated from
> > 2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is
> > currently
> >
> >  "v=spf1 a include:_spf.google.com ~all"
> >
> > Neither of those are Google addresses so it's a soft fail.
> >
> > Bjørn


Re: Mailing list SPF Failure

2024-05-16 Thread Michael Thomas


On 5/16/24 8:11 AM, Peter Potvin via NANOG wrote:
> Appears there’s no SPF record at all now for nanog.org,
> which is not ideal…

Since probably 99% of the mail from NANOG is through this list, it
hardly matters since SPF will always fail. What is more important is
that they resign with DKIM so that receivers can use that identity. SPF
is for the most part belt and suspenders.

Mike

> Kind regards,
> Peter Potvin
>
> On Thu, May 16, 2024 at 02:59 Bjørn Mork wrote:
>
> > "Scott Q." writes:
> >
> > > Anyone else getting SPF failures on all messages sent to the list
> > > ?
> > >
> > > I see them all originating from 50.31.151.76 but nanog.org's SPF
> > > record doesn't list that as allowed.
> >
> > I see the same. nanog.org mail is originated from
> > 2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is
> > currently
> >
> >  "v=spf1 a include:_spf.google.com ~all"
> >
> > Neither of those are Google addresses so it's a soft fail.
> >
> > Bjørn


Re: Mailing list SPF Failure

2024-05-16 Thread Peter Potvin via NANOG
Appears there’s no SPF record at all now for nanog.org, which is not ideal…

Kind regards,
Peter Potvin


On Thu, May 16, 2024 at 02:59 Bjørn Mork  wrote:

> "Scott Q."  writes:
>
> > Anyone else getting SPF failures on all messages sent to the list
> > ?
> >
> > I see them all originating from 50.31.151.76 but nanog.org's SPF
> > record doesn't list that as allowed.
>
> I see the same.  nanog.org mail is originated from
> 2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is
> currently
>
>  "v=spf1 a include:_spf.google.com ~all"
>
> Neither of those are Google addresses so it's a soft fail.
>
>
> Bjørn
>


Re: Mailing list SPF Failure

2024-05-16 Thread Bjørn Mork
"Scott Q."  writes:

> Anyone else getting SPF failures on all messages sent to the list
> ?
>
> I see them all originating from 50.31.151.76 but nanog.org's SPF
> record doesn't list that as allowed.

I see the same.  nanog.org mail is originated from
2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is
currently

 "v=spf1 a include:_spf.google.com ~all"

Neither of those are Google addresses so it's a soft fail.


Bjørn
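
An added example, not part of any post in this thread: a minimal Python evaluator for a subset of SPF (RFC 7208), run against the record and the two sending addresses quoted above. It shows why that record produced softfail, why a missing record produces none, and that the lookup is keyed on the envelope sender's domain. The A record for nanog.org, the stand-in for _spf.google.com, the envelope address and the "fixed" record are constructed assumptions; the thread does not show the repaired record.

```python
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt, addrs, depth=0):
    """Subset of RFC 7208 check_host(): a, ip4, ip6, include, all."""
    record = txt.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"                      # no SPF record published
    if depth > 10:
        return "permerror"                 # too many nested lookups
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = addrs.get(arg or domain, [])
            matched = any(client == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            inner = check_host(ip, arg, txt, addrs, depth + 1)
            if inner == "none":
                return "permerror"         # include target has no record
            matched = inner == "pass"      # only an inner pass counts as a match
        else:
            return "permerror"             # mechanism outside this subset
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                       # nothing matched and no "all"

def spf_result(client_ip, mail_from, txt, addrs):
    """SPF keys on the envelope sender (SMTP MAIL FROM), not the header From."""
    return check_host(client_ip, mail_from.rsplit("@", 1)[1], txt, addrs)

# The two sending addresses and the nanog.org record are quoted in the thread.
LIST_IPS = ["50.31.151.76", "2001:1838:2001:8:0:0:0:20"]
RECORD_IN_THREAD = "v=spf1 a include:_spf.google.com ~all"
# Everything below is constructed for the example (documentation ranges).
ENVELOPE_FROM = "nanog-bounces+subscriber=example.net@nanog.org"
ADDRS = {"nanog.org": ["198.51.100.10"]}
GOOGLE_STUB = {"_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all"}
HYPOTHETICAL_FIX = "v=spf1 ip4:50.31.151.76 ip6:2001:1838:2001:8::20 ~all"

def scenarios():
    """Result per sending IP for the three states discussed in the thread."""
    states = {
        "record_in_thread": {**GOOGLE_STUB, "nanog.org": RECORD_IN_THREAD},
        "record_missing": dict(GOOGLE_STUB),
        "hypothetical_fix": {"nanog.org": HYPOTHETICAL_FIX},
    }
    return {name: [spf_result(ip, ENVELOPE_FROM, txt, ADDRS) for ip in LIST_IPS]
            for name, txt in states.items()}

if __name__ == "__main__":
    for name, results in scenarios().items():
        print(name, results)
```
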


Re: Mailing list SPF Failure

2024-05-15 Thread Mel Beckman
Let us see…

 -mel beckman

> On May 15, 2024, at 7:47 PM, Scott Q.  wrote:
> 
>  Anyone else getting SPF failures on all messages sent to the list ?
> 
> I see them all originating from 50.31.151.76 but nanog.org's SPF record 
> doesn't list that as allowed.
> 


Mailing list SPF Failure

2024-05-15 Thread Scott Q.
Anyone else getting SPF failures on all messages sent to the list
?

I see them all originating from 50.31.151.76 but nanog.org's SPF
record doesn't list that as allowed.