Re: [mailop] SPF record
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sun, 2017-05-21 at 12:02 -0500, frnk...@iname.com wrote: > Same here -- many of my customers, for example those who go to O365, > aren't > aware of the implications when they add Microsoft's suggested SPF > record, > and then wonder why some emails (originated from a non-O365 system) > aren't > being received. Fortunately our helpdesk is very attuned to these > issues > and can suggest tweaks to their SPF record to resolve the issue. https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx MS apparently thinks the SPF failures caused by forwarding are less important than the human failures caused by receiving forged mail. The cynic might think their commercial interests are advanced by such forwarding failures, adding pressure to move more clients into O365. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlkh2QsACgkQL6j7milTFsFSYQCggtHJLIXl2FctBztbWSReX3qd hmQAniDUE1Vti5NYIU5ItBHFnlZlcZqq =vpEF -END PGP SIGNATURE- ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
> On May 21, 2017, at 8:33 AM, ComKal Networks wrote: > > Hi, > > I use "-all" for my primary domain simply because we > don't use mobiles, outgrew them 17 years ago. All email > from my primary will only ever originate from my server. > My primary domain doesn't forward received emails to > anywhere else on receipt, and never will. One thing to also consider is that some of the places checking SPF screw it up. There’s a recent case of a very large ISP breaking their SPF checker. Instead of using the IP that connected to the MX as the source IP, the ISP used an internal handoff IP address as the source IP. Every single message sent to this IP failed SPF until they fixed it. This was widely known due to DMARC reporting, and there was absolutely nothing any sender could do to fix it. Luckily for most of us this ISP doesn’t reject solely on SPF failure. However, there was risk of emails with DMARC p=reject and no DKIM signature to be rejected due to a failed SPF record. This took the ISP in question quite a long time to fix - weeks, if not months. But it would have made perfect sense if the ISP in question stopped using SPF as a delivery criteria while their code was broken. laura -- Having an Email Crisis? 800 823-9674 Laura Atkins Word to the Wise la...@wordtothewise.com (650) 437-0741 Email Delivery Blog: http://wordtothewise.com/blog ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
Yes. Can also use a wizard like spfwizard.com to generate Sent from my iPhone > On May 19, 2017, at 9:58 PM, Bryan Blackwell wrote: > > Hi folks, > > Please pardon the noob question, just want to make sure this is what a proper > SPF record should look like: > > example.org.IN TXT "v=spf1 mx ~all" > > --Bryan > > -- Bryan Blackwell -- > br...@skiblack.com > > > ___ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
In article <100.10d30d0034b32159@comkal.com.au> you write: >Anyone forwards an email I've sent them, then the headers >will specify their sending domain so the SPF record for >my domain should be irrelevant. Good luck with that. R's, John ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
Same here -- many of my customers, for example those who go to O365, aren't aware of the implications when they add Microsoft's suggested SPF record, and then wonder why some emails (originated from a non-O365 system) aren't being received. Fortunately our helpdesk is very attuned to these issues and can suggest tweaks to their SPF record to resolve the issue. Frank -Original Message- From: SM [mailto:s...@elandnews.com] Sent: Sunday, May 21, 2017 10:25 AM To: frnk...@iname.com; mailop@mailop.org Cc: Kurt Jaeger Subject: RE: [mailop] SPF record Hi Frank, At 06:52 21-05-2017, frnk...@iname.com wrote: >Do you think the sending domain was not aware of that when they >wrote the policy? I have come across cases where the sending domain was not aware of the impact of its SPF policy. That does not mean that sending domains are not aware of what will happen because of their policies. Regards, -sm ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
On 21 May 2017, at 11:33, ComKal Networks wrote: Anyone forwards an email I've sent them, then the headers will specify their sending domain so the SPF record for my domain should be irrelevant. 1. SPF does not operate on any email headers. It operates on the SMTP envelope sender. RFC5321.MailFrom in RFC5598-ese. 2. Most traditional forwarding mechanisms (e.g. .forward files, sendmail & postfix aliases, etc.) DO NOT modify RFC5321.MailFrom. This causes SPF "-all" breakage when recipients forward mail. Such forwarding has been common among colleges & universities for alumni and for professional organizations such as the ACM. 3. There is a "Sender Rewritng Scheme" (SRS) specified in an ID (but never in a RFC) which can be used by forwarding MTAs to avoid SPF breakage, however it is relatively uncommon among systems that don't specialize in forwarding. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
Hi Frank, At 06:52 21-05-2017, frnk...@iname.com wrote: Do you think the sending domain was not aware of that when they wrote the policy? I have come across cases where the sending domain was not aware of the impact of its SPF policy. That does not mean that sending domains are not aware of what will happen because of their policies. Regards, -sm ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
Hi, I use "-all" for my primary domain simply because we don't use mobiles, outgrew them 17 years ago. All email from my primary will only ever originate from my server. My primary domain doesn't forward received emails to anywhere else on receipt, and never will. Anyone forwards an email I've sent them, then the headers will specify their sending domain so the SPF record for my domain should be irrelevant. My primary abuse@ email and the domain I use for my relatives and friends has "~all" because I only receive email for them and all there outgoing email goes via their ISP and/or mobile phones, there's main senders are in the SPF records but as they are liable to change.. A few other domains I host email for don't even have SPF records because it would be a dogs breakfast. So it is very much how you use domain(s) for email. It's just one part of a range of options and a part of other options. Cheers Ian Manners ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
On 21/05/2017 14:52, frnk...@iname.com wrote: sm, Do you think the sending domain was not aware of that when they wrote the policy? I think a lot of the disagreement comes from differing views on priorities. For some people, the danger of receiving forged messages is paramount, so rejecting messages that could potentially be forged (eg due to SPF failures) is important to them. For other people, the chance of lost messages (especially due to forwarding) is important, so you shouldn't reject based on SPF. I often hear people say that email is "broken" because it's easy for people to forge sender addresses, and I know it makes people more reluctant to rely on email. Unfortunately, MTA mail forwarding is very similar to forging a message (unless DKIM is also used) Personally, I think forwarding should have died out years ago, but it seems a hard habit to wean people off, despite it not working well in today's 'reputation-based' email system (any MTA which automatically forwards mail WILL forward spam). I know some people disagree with me. I think if you are running a common forward target (gmail, Hotmail, Yahoo etc or even a big ISP) then you should probably be more forgiving of SPF 'fail' results than a small mail server operator which is much less likely to have random people forwarding mail to them. Apart from forwarding, you often get mail administrators who haven't got a clue about how SPF works, and/or haven't got a clue about which mail servers may send mail from their domains. I know that compared to a year or two ago, we are now getting more and more people reporting deliverability problems of their own sent mail due to SPF errors they've made. This suggests to me that the general view is shifting towards "potentially forged messages are bad" and away from "deliver at all costs". Personally, I think I'd rather have SPF PermError or Fail generate delivery failure reports rather than just have messages end up being quarantined. At least that way the sender could have a chance to fix the problem rather than believing that their messages have been delivered successfully. Again, I realize people disagree with me. I'm not saying I'm right, just that that's my opinion. I certainly wouldn't configure a receiving mail server that way without the responsible people of the recipient domain agreeing and being aware of the consequences. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
sm, Do you think the sending domain was not aware of that when they wrote the policy? Frank -Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of SM Sent: Sunday, May 21, 2017 8:13 AM To: Kurt Jaeger ; mailop@mailop.org Subject: Re: [mailop] SPF record Hi Kurt, At 05:25 21-05-2017, Kurt Jaeger wrote: >Can you tell more about this ? Why is '-all' bad ? You are assuming that when the message is delivered to the receiver, it will see a connection from the sending IP address. Regards, -sm ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
Hi Kurt, At 05:25 21-05-2017, Kurt Jaeger wrote: Can you tell more about this ? Why is '-all' bad ? You are assuming that when the message is delivered to the receiver, it will see a connection from the sending IP address. Regards, -sm ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
Hi! Steve wrote: > "~all" is the smart policy to use; ignore those who tell you to > use "-all" or "?all". Can you tell more about this ? Why is '-all' bad ? -- p...@opsec.eu+49 171 3101372 3 years to go ! ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] SPF record
On Sat, 20 May 2017, Steve Atkins wrote: On May 20, 2017, at 2:13 PM, John Levine wrote: In article <3a8a3db1-a628-4cf5-add5-d2db22b5c...@blighty.com> you write: "~all" is the smart policy to use; ignore those who tell you to use "-all" or "?all". Not disagreeing, but what practical difference do you see between ~all softfail and ?all neutral ? There are a couple of differences. The directly operational one is that ~all is in much more common use, by senders of large quantities of generally wanted email, so I trust recipients to handle ~all in the way I'd expect. I don't have that confidence with ?all (or -all, come to that). That makes sense. The indirectly operational one is that "?all" implies (to me, at least, and I think others) that the generator of the SPF record is "testing" or hasn't faith in their SPF deployment, so suggesting that the remainder of the SPF record may not be accurate. That means that there's not the same level of positive signal associated with a ?all pass as with a ~all pass. Hmm. When I had an SPF record I ended with ?any to indicate that I didn't have much faith in SPF (and SRS) and to indicate that I believed that legitimate mail might well come from "anywhere". I saw "~all" as a soft-fail" and "?any" as a "soft-pass"; in both cases I am suggesting that you should use your judgement rather than mine, but with ?any I am saying that it definitely could be genuine. I use forwarding and expect others to forward messages I send to their users. In the end I decided that SPF isn't really compatible with forwarding and voted for a world with forwarding. -- Andrew C Aitchison ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop