I would suggest explicitly nulling the SPF signature instead of passing it, for list mail.
This is done with "v=spf1 ?all"

A "null" SPF signature is the same as no signature at all (the same as if the SPF record didn't exist at all), which will pass your mail into your mail system, but the mail will not be explicitly marked as genuine. An even better idea for your list subdomain is to make the SPF record low-TTL, and then use a script/web interface or whatever to update the list of authorized IPs every time you subscribe to a new mailing list.

Then you don't risk your list subdomain becoming a phishing source because it allows fraudulent source addresses. Another thing is that your domain (not IP) risks getting on spam blocklists (RBLs) if spam is found to have an authorized SPF signature, which can happen if someone spoofs your email domain.
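To make the difference between "+all", "?all" and an explicit allow-list concrete, here is a small SPF evaluator added to this thread as an example (it is not code from either poster). It handles only the ip4, ip6 and all mechanisms with their qualifiers, and returns "permerror" for anything that would need DNS lookups (include, a, mx, exists, redirect=), so it is a teaching model rather than a full RFC 7208 implementation. The parent-domain and list-subdomain records are the ones quoted below; 203.0.113.10 and 2001:db8::25 are constructed documentation addresses standing in for a mailing-list MTA, and build_spf_record sketches the "regenerate the record from a maintained list of authorized IPs" idea from the reply.

```python
"""Minimal SPF evaluator: ip4, ip6 and all mechanisms only (example code)."""
import ipaddress

# Qualifier prefix -> SPF result it yields when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Records quoted in the thread (parent domain, and the list subdomain as posted)
PARENT_RECORD = "v=spf1 +ip4:88.217.187.146 +ip6:2001:470:6d:976::1 -all"
LIST_RECORD_AS_POSTED = "v=spf1 +all"
# The reply's suggestion for the list subdomain
LIST_RECORD_SUGGESTED = "v=spf1 ?all"


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under a simplified record.

    Only ip4/ip6/all are supported. A mechanism that would require DNS
    (include, a, mx, exists, redirect=) yields 'permerror' here instead of
    being silently skipped, so the caller cannot mistake it for a match.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # DNS-based mechanism, out of scope for this model
    # RFC 7208: nothing matched and no redirect -> neutral
    return "neutral"


def build_spf_record(authorized_ips, default="-all"):
    """Build an explicit allow-list record from known list-MTA addresses.

    This is the kind of record a script could regenerate (with a low TTL)
    every time a new mailing list is subscribed to.
    """
    mechanisms = []
    for addr in authorized_ips:
        ip = ipaddress.ip_address(addr)
        mechanisms.append(("ip4:" if ip.version == 4 else "ip6:") + str(ip))
    return " ".join(["v=spf1"] + mechanisms + [default])


def compare_policies(sender_ip):
    """SPF result of each quoted record for one connecting IP, keyed by name."""
    records = {
        "parent (-all)": PARENT_RECORD,
        "list as posted (+all)": LIST_RECORD_AS_POSTED,
        "list suggested (?all)": LIST_RECORD_SUGGESTED,
    }
    return {name: evaluate_spf(rec, sender_ip) for name, rec in records.items()}


if __name__ == "__main__":
    # Constructed address standing in for a mailing-list MTA (or a spoofer)
    list_mta = "203.0.113.10"
    for name, result in compare_policies(list_mta).items():
        print(f"{name:24s} -> {result}")
    maintained = build_spf_record([list_mta, "2001:db8::25"])
    print(maintained, "->", evaluate_spf(maintained, list_mta))
```

Running it shows the point of the reply: under "+all" an arbitrary connecting IP gets "pass", so the subdomain vouches for any sender; under "?all" the same IP gets "neutral", which receivers treat like having no record; the regenerated allow-list record passes only the listed MTAs and fails everything else.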

-----Original Message-----
From: Robert Senger
Sent: Monday, May 25, 2015 3:50 PM
To: postfix-users@postfix.org
Subject: Need advice from SPF/DKIM/DMARC experts

Hi all,

this is not a Postfix specific question, but I hope I'll find some
experts on that topic here ;)

A long time ago I've implemented SPF/DKIM/DMARC signing/checking for the
two domains served by my Postfix instance. As everything seemed to work
fine, I recently moved from "permissive" to "strict" policies.

I know that this breaks interoperability with most mailing list agents,
and thus I've set up a subdomain with its own SPF/DKIM/DMARC settings
which I want to use especially for mailing lists (like
postfix-users@postfix.org). In fact, this email is a first test of my
new setup ;)
These are my new DNS settings for one of the domains and its subdomain:
$ORIGIN microscopium.de.
; SMTP SPF
                               IN TXT  "v=spf1 +ip4:88.217.187.146 +ip6:2001:470:6d:976::1 -all"
                               IN SPF  "v=spf1 +ip4:88.217.187.146 +ip6:2001:470:6d:976::1 -all"
; SMTP DMARC
_dmarc IN TXT "v=DMARC1; p=reject; sp=none; rua=mailto:postmas...@microscopium.de; ruf=mailto:postmas...@microscopium.de;";
; SMTP DKIM
_domainkey                      IN TXT  "o=-; r=postmas...@microscopium.de"
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6mbWGI0yAXY0IoxIvV1L5GXdGAErO7W9ZIqa+cFgTJSNz3sYb5dYFVlI32igQGbDmegFrpUOhApwhe59K+WPONoxggQ/kaJWQ3vkVET/z9zV4PWRwYqOWnJZzoWsS8H6N3775TYo47QI/Ie3X/FGX0D99wymhCwMDhU+G8st9Q+8PIgGQp38NuAx+" "hmuOKVBNAX6sVv7Ip3Lw6QNgRfKCFYbNFro982myjqnNEVQFim5+XCv7WRDuYOKnQM1ZXsHpjew96XmdeDMK6mhHz2R0K4RGnR1+GFS3DoXiodfMvp4CKTAL96Pi7TtyPSBYnth2I989Zbs6CWNxNiGnFqVKwIDAQAB"
_adsp._domainkey                IN TXT  "dkim=discardable"
$ORIGIN lists.microscopium.de.
; SMTP SPF
                               IN TXT  "v=spf1 +all"
                               IN SPF  "v=spf1 +all"
; SMTP DMARC
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmas...@microscopium.de; ruf=mailto:postmas...@microscopium.de;";
; SMTP DKIM
_domainkey                      IN TXT  "o=-; r=postmas...@microscopium.de"
mail._domainkey IN TXT "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Sw5pD8imtRZ3HzKPMbT99BPW2fCqWCTMAEwl5UMYAefgpDS8xzI0f8BX3eY2mgHNid9B18fujUtIPhykuEwMq2XVcoC+5uljr2jmLuaQwIPth2A/A4mtSMABvZmR/2wS96iY6oshHRaAciXtsS0G3vw3BU+8ga5OWg30C6C6H/8QbDjfczQZMaN+qVTYh3xPldTKQaFOIMPS7" "/eIBrQGXUXw1uV5DcAZX3OKqrBbD54vc9lBdGdcg/qAANZQWWn+EjZq7mQ6Szcq0jHKdAId4clcE6QRUfZOJHlbIQteo0ngOJ5gCrsyPO+GxAgQhql91xJMg3S9W9KIen/GYWB6wIDAQAB"
_adsp._domainkey                IN TXT  "dkim=discardable"
In my understanding, for mail sent from the subdomain to a mailing list,
any final recipient's DKIM check should result in "pass" (as the original
DKIM signature is still present), and SPF check should also result in
"pass" as the SPF "v=spf1 +all" statement allows any ip (which now is
the ip of the mailing list MTA, not mine) as sender for the subdomain.
But I am a bit uncertain about how the SPF/DKIM/DMARC settings of the
parent domain impact the subdomain.

Is that a good/working/safe setup, or am I doing anything stupid/nasty
here?

Thanks for help,

Robert
--
Robert Senger