That little ~ is the part that gets me and I think opens it up to any IP more than the parts before it. I always interpret ~ like a shoulder shrug, so as to read this:

v=spf1 a mx ~all

Like this in English:

"I will only send mail from my A record or MX record, or pretty much whatever man, mail from me might come from anywhere I dunno bro."

It just feels like someone got a little high halfway through their SPF record and said "Where does any email come from really man?"

I'm joking around a bit, but there's an ounce of truth to it. You should always be confident enough in your SPF record to drop the ~ and toss in the - instead. It's just so easy to get SPF right.

On 2022-09-29 12:02, Brandon Long via mailop wrote:
On Thu, Sep 29, 2022 at 7:32 AM Renaud Allard via mailop <mailop@mailop.org> wrote:

On 9/29/22 15:27, Stefan Neufeind via mailop wrote:
Hi,

I recently came across an email being rejected by gmail.com with:

This message does not pass authentication checks (SPF and DKIM both do not pass). SPF check for [...] does not pass with ip: [...].

That email was not spam but authenticated to the mailserver mentioned (the IP given above), which is listed as MX for that domain etc. There was no SPF record at that time. I'm now going to retry with an "as basic as possible" SPF record. But does an SPF like

v=spf1 a mx ~all

have any real benefit? And if it does, why isn't it sufficient that the domain and IP listed above belong to the legitimate MX? Of course that IP had proper rDNS and all that.

With this kind of SPF record, there is no real benefit, apart from having an SPF record which basically says: "we can send from any IP in the world". So, yes, _maybe_ you wouldn't get the gmail rejection message, but that doesn't mean your mail will land anywhere near the inbox. But only Google can tell you.

Why would you say this record is "any IP"? It's only IPs that match the A and MX records for the domain; that's a lot more restrictive than +all or some very wide IP ranges.

Otherwise, agreed that yes, rDNS or just automatically trying a record like the above as a fallback is possible; SPF is slightly more useful in terms of intent. One major difference is in domain ownership: a company may have rDNS for their entire fleet of machines, but that doesn't mean all of them should be sending mail, and a compromised machine could send mail as the domain (it's not the only solution to that problem). DNS is typically centrally managed, so central control over who can send mail.

Another is the same old PSL issue: rDNS is rarely going to match the exact domain, and sub-domain matching can go awry. Obviously things like DMARC also rely on the PSL, so it seems unlikely this is the reason.

Brandon

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
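An added example, not code from the thread or from any of the posters: a toy SPF evaluator following RFC 7208 semantics for just the a, mx, ip4 and all mechanisms, run against a constructed in-memory DNS table so it works offline. It makes the point of the exchange above concrete: under v=spf1 a mx ~all an IP found in the domain's A or MX records gets pass, any other IP gets softfail rather than fail, and the same IP gets fail once the record ends in -all; a domain with no record at all yields none. Every domain name and address in the table is an assumption made for the example.

```python
"""Minimal SPF (RFC 7208) evaluator for the record shapes discussed above.

Added example, not the thread's or any poster's code. DNS is replaced by a
constructed in-memory table; only the 'a', 'mx', 'ip4' and 'all' mechanisms
are implemented (no include/redirect, no CIDR suffixes on a/mx, no macros).
"""
import ipaddress

# Constructed DNS data for hypothetical domains; every name and address here
# is an assumption made for the example, not taken from the thread.
# MX values are bare hostnames (priority omitted for brevity).
FAKE_DNS = {
    ("example.test", "TXT"): ["v=spf1 a mx ~all"],   # softfail record
    ("example.test", "A"): ["192.0.2.10"],
    ("example.test", "MX"): ["mail.example.test"],
    ("strict.test", "TXT"): ["v=spf1 a mx -all"],    # hard-fail record
    ("strict.test", "A"): ["192.0.2.10"],
    ("strict.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["192.0.2.25"],
    ("nospf.test", "A"): ["192.0.2.10"],             # no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] for names/types not in the table."""
    return FAKE_DNS.get((name, rtype), [])


def addrs_for(name):
    """Set of IP addresses the name resolves to (A records only)."""
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}


def check_host(ip, domain):
    """Return the SPF result for a connection from `ip` sending as `domain`.

    Results: 'pass', 'fail', 'softfail', 'neutral', 'none' (no SPF record)
    or 'permerror' (multiple records or an unsupported mechanism).
    """
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT")
               if t.split()[:1] == ["v=spf1"] or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"   # RFC 7208 section 3.2: more than one record is an error

    for term in records[0].split()[1:]:
        qualifier = "+"                     # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in addrs_for(arg or domain)
        elif mech == "mx":
            matched = any(ip in addrs_for(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"   # include, redirect, exists, ptr, CIDR suffixes: not implemented
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # RFC 7208 section 4.7: nothing matched and no 'all' term


if __name__ == "__main__":
    for sender_ip in ("192.0.2.25", "192.0.2.10", "198.51.100.7"):
        for dom in ("example.test", "strict.test", "nospf.test"):
            print(f"{sender_ip:>14}  {dom:<13} -> {check_host(sender_ip, dom)}")
```

Running it shows the asymmetry the thread argues about: the record is not "any IP" (198.51.100.7 never passes), but under ~all a receiver is told only to treat that IP with suspicion, whereas -all tells it to reject.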
