Is this worth bringing up to the appropriate IETF group?  Perhaps it could be 
errata for RFC 7208 Section 5.4?

Frank

-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Steve Atkins
Sent: Friday, April 29, 2016 12:18 PM
To: mailop <mailop@mailop.org>
Subject: Re: [mailop] SPF check overly stringent?


> On Apr 29, 2016, at 9:52 AM, Frank Bulk <frnk...@iname.com> wrote:
> 
> We're helping a customer (sigiowa.com) who's having issues sending emails to
> the USDA.  Our email server logs this:
>       Site usda.gov (2a01:111:f400:7c10::10) said after data sent: 450
> 4.7.26 Service does not accept messages sent over IPv6
> [2607:fe28:0:4000::20] unless they pass either SPF or DKIM validation
> (message not signed)
> 
> Just this morning I changed their SPF record from this:
>       "v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64
> ip6:2607:fe28:0:4000::/64 ~all"
> to this:
>       "v=spf1 ip4:96.31.0.0/24 ip6:2607:fe28:0:4000::20
> ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all"
> 
> I added in ip6:2607:fe28:0:4000::20 because I'm wondering if the USDA's
> system doesn't properly identify the sending IP of 2607:fe28:0:4000::20 as
> part of 2607:fe28:0:4000::/64.  I also removed 'mx' because this tool
> (http://vamsoft.com/support/tools/spf-policy-tester) was failing on pulling
> the AAAA for each of the domain's four MX records.  Try the vamsoft site
> with 2607:fe28:0:4000::20 and to see how sigiowa.com
> used to fail.

http://tools.wordtothewise.com/spf/check/premieronline.net

... looks fine to me.

> 
> Is Vamsoft's check too stringent?

More like "broken" - but I can see how RFC 7208 might make them think it's 
correct behaviour if they didn't think about real-world use of DNS.

>  Does it seriously matter that it can't
> find the AAAA for the domain's four MX records?  Shouldn't an SPF check for
> the domain's MX records just look for an A or AAAA?

Cheers,
  Steve



_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
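An added example, not part of the original thread: an offline check of the two SPF records quoted above against the sending address from the 450 response, using Python's `ipaddress` module. The function names are made up for this illustration. Terms that need DNS (such as `mx`) are only reported as skipped, so this shows what the `ip4`/`ip6` terms alone yield; a real checker would resolve `mx` before reaching them.

```python
import ipaddress

# Both records and the sender are copied from the thread (line wraps rejoined).
OLD_RECORD = ("v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64 "
              "ip6:2607:fe28:0:4000::/64 ~all")
NEW_RECORD = ("v=spf1 ip4:96.31.0.0/24 ip6:2607:fe28:0:4000::20 "
              "ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all")
SENDER = "2607:fe28:0:4000::20"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_offline(record, sender):
    """Evaluate the ip4/ip6/all terms left to right, without any DNS.

    Returns (result, matched_term, skipped_terms); skipped_terms lists the
    terms seen before the match that would need DNS (mx, a, include, ...).
    """
    ip = ipaddress.ip_address(sender)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    skipped = []
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], term, skipped
        if name in ("ip4", "ip6"):
            cls = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
            net = cls(arg, strict=False)  # a bare address becomes /32 or /128
            # An ip4 term can never match an IPv6 sender, and vice versa.
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier], term, skipped
        else:
            skipped.append(term)
    return "neutral", None, skipped  # no term matched and no "all" present


def covered_terms(record):
    """Return ip4/ip6 terms whose range lies inside another term's range."""
    nets = [(t, ipaddress.ip_network(t.split(":", 1)[1], strict=False))
            for t in record.split()[1:]
            if t.lstrip("+-~?").lower().startswith(("ip4:", "ip6:"))]
    return [t for t, n in nets
            if any(o.version == n.version and n != o and n.subnet_of(o)
                   for _, o in nets)]


if __name__ == "__main__":
    for label, rec in (("old", OLD_RECORD), ("new", NEW_RECORD)):
        print(label, evaluate_offline(rec, SENDER), covered_terms(rec))
```
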

