On Thu, Aug 12, 2010 at 4:04 PM, John Hornbuckle
<john.hornbuc...@taylor.k12.fl.us> wrote:
> Yeah, I've talked to their admin. He's sort of like me--Jack of all trades,
> master of none. Doesn't seem to know much more about SPF than I do, so he's
> not able to determine specifically why they're blocking us.

  Eh, what?  He doesn't know why his own systems are blocking you?

  >facepalm<

> By your description, the "none" may not be a problem.

  Hard to say.  Some systems do check where mail is coming from, to
see if the sending MX can also accept mail.  While that seems like a
reasonable thing to do, in practice large operators often have
separate inbound vs outbound MXes, and there's nothing in the RFCs
(that I'm aware of) which prohibits that.  So if the magical gremlin
which lives in the other admin's system (the one responsible for
rejecting your mail) is doing such a check, it could be the source of
trouble.

  Your SPF record certainly allows mail from the 74.125.149.209 IP
address.  That said, in a large system like Postini, there's no
guarantee that outbound mail will consistently originate from the same
IP address.

  I do note one irregularity in your SPF record.  Your SPF record says, in part:

        mx mx:exchange-edge.taylor.k12.fl.us

  The "mx" directive means "All the IP addresses associated with all
the MX records associated with the given domain.  If no domain is
given, use the domain of the sender."

  So the first "mx" directive, with no domain given, looks at
<taylor.k12.fl.us.>, which is fine.  There are MX records there.

  The second "mx" directive says to do an MX lookup on
<mx:exchange-edge.taylor.k12.fl.us.>.  There are no MX records
associated with that domain.  The only record appears to be an A
record.  SPF explicitly prohibits "implicit MX", so that directive
will never match.  The SPF evaluation *should* move on to the next
directive, but maybe someone's SPF implementation is stopping there.

  I presume what you meant by <mx:exchange-edge.taylor.k12.fl.us> is
that your Exchange edge server is permitted to send mail.  If so, the
syntax should be <a:exchange-edge.taylor.k12.fl.us> (without the
chevrons).  The "a" directive means "All the IP addresses associated
with the given domain."

  You should probably fix that, even if it's not the cause of the
current problem.

-- Ben
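
The difference between the "mx" and "a" directives described in the message above, as an added example that is not part of the original message: a simplified SPF evaluator (only `a`, `mx`, `ip4` and `all`) run against a constructed DNS table. The example.org names and 192.0.2.x addresses are assumptions, not the poster's zone.

```python
import ipaddress

# Constructed DNS data (documentation names and addresses, not a real zone).
DNS = {
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("edge.example.org", "A"): ["192.0.2.25"],  # A record only, no MX
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])

def match_a(domain, ip):
    return ip in lookup(domain, "A")

def match_mx(domain, ip):
    # No implicit MX: a name with no MX records yields no hosts, so this
    # never falls back to the name's own A record.
    return any(match_a(host, ip) for host in lookup(domain, "MX"))

def check_spf(record, sender_domain, ip):
    """Evaluate a simplified SPF record; return (result, matching term)."""
    addr = ipaddress.ip_address(ip)
    for raw in record.split()[1:]:  # skip the "v=spf1" version tag
        q, term = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        name, _, arg = term.partition(":")
        domain = arg or sender_domain  # no domain given: use the sender's
        if name == "all":
            matched = True
        elif name == "a":
            matched = match_a(domain, str(addr))
        elif name == "mx":
            matched = match_mx(domain, str(addr))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"unsupported term: {raw}")
        if matched:
            return QUALIFIERS[q], raw
    return "neutral", None  # nothing matched and no "all" term

if __name__ == "__main__":
    broken = "v=spf1 mx mx:edge.example.org -all"
    fixed = "v=spf1 mx a:edge.example.org -all"
    for rec in (broken, fixed):
        print(rec, "->", check_spf(rec, "example.org", "192.0.2.25"))
```

With the `mx:` form the edge host falls through to `-all`; with the `a:` form it passes on the third term.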
