Hi there,

On Mon, 18 Feb 2013, Vernon Schryver wrote:

...

Recently I moved this domain (lcrcomputer.net) to a registrar that supports DNSSEC and inserted the DS record for this domain. I checked DNSSEC via http://dnsviz.net and http://dnssec-debugger.verisignlabs.com. Both show DNSSEC is working just fine for lcrcomputer.net.

However, shortly after that one of my customers stopped receiving email from one of their clients in China. They just brought that to my attention and I tried to email the client in China and got this back:

For <ro...@xxxxx.com.cn> <mailto:ro...@medtecs.com.cn>, Site (xxxxx.com.cn/<ipv4 address>) said: 559 sorry , your helo/ehlo and domain in mail are invalid, you don't connect from there. (#5.5.9)

This looks like an SPF issue.  It isn't possible to say for sure as
you've removed the information that's needed.

Your SPF record needs to be fixed anyway.  Remove at least "mx" and
"ptr" and preferably "a" as well so that there are no unnecessary DNS
lookups when your SPF record is checked.  Ideally a recipient server
needs only to know that the IP of the mail server sending the mail is
permitted to send mail on behalf of the domain to which the sending
server claims to belong.  This is a very efficient means of detecting
mail forgery -- if only it is used correctly.

On Mon, 18 Feb 2013, Vernon Schryver wrote:

I've not tried p=none, but recent experiments with
          300  TXT  "v=spf1 mx -all"

Don't use 'mx' in SPF records.

I do have experience of having a domain name used in forged mail, and I
can guarantee that you don't want the same experience.  Other than that
I'll avoid being drawn into an off-topic debate on the value of SPF.

--

73,
Ged.
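
The advice in the message above (drop "a", "mx" and "ptr" so that checking the record needs no extra DNS lookups) can be audited mechanically. The following is an added example, not part of the original message: it sorts the terms of an SPF record by whether RFC 7208 section 4.6.4 counts them as causing DNS queries. The function name `audit_spf` and the sample records with the documentation address 192.0.2.25 are constructed for illustration.

```python
import re

# Mechanisms whose evaluation makes the receiver query DNS (RFC 7208, 4.6.4).
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}
# Mechanisms answered from the record text alone.
STATIC_MECHANISMS = {"ip4", "ip6", "all"}
LOOKUP_LIMIT = 10  # RFC 7208 cap on lookup-causing terms per check

# Optional qualifier, then the term name, then the separator that follows it.
TERM = re.compile(r"^[+\-~?]?(?P<name>[a-z][a-z0-9_.-]*)(?P<sep>[:/=]?)", re.I)

def audit_spf(record):
    """Sort the terms of one SPF TXT string by whether they cost a DNS query."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    result = {"lookup": [], "static": [], "unknown": []}
    for term in terms[1:]:
        m = TERM.match(term)
        name = m.group("name").lower() if m else ""
        if m and m.group("sep") == "=":
            # Modifier: only redirect= counts toward the lookup limit.
            bucket = "lookup" if name == "redirect" else "static"
        elif name in LOOKUP_MECHANISMS:
            bucket = "lookup"
        elif name in STATIC_MECHANISMS:
            bucket = "static"
        else:
            bucket = "unknown"
        result[bucket].append(term)
    # Top-level terms only: include:/redirect= targets are not fetched here.
    result["over_limit"] = len(result["lookup"]) > LOOKUP_LIMIT
    return result

# Constructed sample records (192.0.2.25 is a documentation address).
BEFORE = "v=spf1 a mx ptr ip4:192.0.2.25 -all"
AFTER = "v=spf1 ip4:192.0.2.25 -all"

if __name__ == "__main__":
    for rec in (BEFORE, AFTER, "v=spf1 mx -all"):
        print(rec, "->", audit_spf(rec)["lookup"])
```

The count covers the record's own terms; records pulled in through `include:` or `redirect=` add their own lookups to the same limit of 10.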
