> On Apr 30, 2016, at 10:29 AM, <frnk...@iname.com> <frnk...@iname.com> wrote:
> 
> Is this worth bringing up to the appropriate IETF group?  Perhaps it could be 
> errata for RFC 7208 Section 5.4?

I think so, yes. The additions to that section over 4408 really don't make
much sense as written and could do with some clarification.

Cheers,
  Steve

> 
> Frank
> 
> -----Original Message-----
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Steve Atkins
> Sent: Friday, April 29, 2016 12:18 PM
> To: mailop <mailop@mailop.org>
> Subject: Re: [mailop] SPF check overly stringent?
> 
> 
>> On Apr 29, 2016, at 9:52 AM, Frank Bulk <frnk...@iname.com> wrote:
>> 
>> We're helping a customer (sigiowa.com) who's having issues sending emails to
>> the USDA.  Our email server logs this:
>>      Site usda.gov (2a01:111:f400:7c10::10) said after data sent: 450
>> 4.7.26 Service does not accept messages sent over IPv6
>> [2607:fe28:0:4000::20] unless they pass either SPF or DKIM validation
>> (message not signed)
>> 
>> Just this morning I changed their SPF record from this:
>>      "v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64
>> ip6:2607:fe28:0:4000::/64 ~all"
>> to this:
>>      "v=spf1 ip4:96.31.0.0/24 ip6:2607:fe28:0:4000::20
>> ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all"
>> 
>> I added in ip6:2607:fe28:0:4000::20 because I'm wondering if the USDA's
>> system doesn't properly identify the sending IP of 2607:fe28:0:4000::20 as
>> part of 2607:fe28:0:4000::/64.  I also removed 'mx' because this tool
>> (http://vamsoft.com/support/tools/spf-policy-tester) was failing on pulling
>> the AAAA for each of the domain's four MX records.  Try the vamsoft site
>> with 2607:fe28:0:4000::20 and to see how sigiowa.com
>> used to fail.
> 
> http://tools.wordtothewise.com/spf/check/premieronline.net
> 
> ... looks fine to me.
> 
>> 
>> Is Vamsoft's check too stringent?
> 
> More like "broken" - but I can see how RFC 7208 might make them think it's 
> correct behaviour if they didn't think about real-world use of DNS.
> 
>> Does it seriously matter that it can't
>> find the AAAA for the domain's four MX records?  Shouldn't an SPF check for
>> the domain's MX records just look for an A or AAAA?
> 
> Cheers,
>  Steve
> 
> 
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
> 
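
Added example, not part of the thread: a Python sketch that evaluates only the DNS-free mechanisms (`ip4`, `ip6`, `all`) of the two SPF records quoted above against the sending address 2607:fe28:0:4000::20. The function name `evaluate_local` is hypothetical, and `mx` is reported as skipped rather than resolved.

```python
import ipaddress

# SPF records quoted in the thread (old, then new), each joined onto one line.
OLD = "v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all"
NEW = ("v=spf1 ip4:96.31.0.0/24 ip6:2607:fe28:0:4000::20 "
       "ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_local(record, client_ip):
    """Evaluate the DNS-free mechanisms (ip4, ip6, all) left to right.

    Returns (result, matched_term, skipped). `skipped` lists terms such as
    mx that need DNS and are not evaluated by this sketch (hypothetical helper).
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None, []
    skipped = []
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], term, skipped
        if name in ("ip4", "ip6"):
            try:
                # No prefix length means a single host (/32 or /128).
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", term, skipped
            if net.version != (4 if name == "ip4" else 6):
                return "permerror", term, skipped
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], term, skipped
        else:
            skipped.append(term)  # mx, a, include, ... need DNS lookups
    return "neutral", None, skipped  # no match and no "all" term
```

For 2607:fe28:0:4000::20 the old record already matches on `ip6:2607:fe28:0:4000::/64`, so a correct CIDR comparison covers the address without the extra host entry.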

