Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-14 Thread Gellner, Oliver via mailop

> On 12.06.2023 at 12:20 Andrew C Aitchison via mailop wrote:
>
> On Fri, 9 Jun 2023, Gellner, Oliver via mailop wrote:
>
>> Does someone use those SPF tags or has any practical experience with
>> them and ever received some reports? Or do those tags only exist in
>> theory, like ruf in DMARC records?
>
> I am a one user domain; I get dmarc.rua reports most days.
> I received six dmarc.ruf reports in response to a message I sent
> to the enterprise firefox users list in April, and seventeen ruf reports so 
> far this year.
>
> dmarc.ruf reports are not common, but on a busy site there will be
> enough to need to have a policy for them.

Ok thanks. Maybe I'll revisit the DMARC failure reporting. When I checked it 
three years ago there was nothing useful coming in and no email service 
provider with a significant user base was using it.

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-12 Thread Andrew C Aitchison via mailop

On Fri, 9 Jun 2023, Gellner, Oliver via mailop wrote:

>> On 09.06.2023 at 09:36 Alessandro Vesely via mailop wrote:
>>
>> RFC 6652 provides for setting ra= and rr= tags, which are
>> themselves flagged as errors by most SPF checking sites...
>
> Does someone use those SPF tags or has any practical experience with
> them and ever received some reports? Or do those tags only exist in
> theory, like ruf in DMARC records?

I am a one user domain; I get dmarc.rua reports most days.
I received six dmarc.ruf reports in response to a message I sent
to the enterprise firefox users list in April, and seventeen ruf reports
so far this year.

dmarc.ruf reports are not common, but on a busy site there will be
enough to need to have a policy for them.

I hadn't heard of the SPF tags before Friday.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-12 Thread Alessandro Vesely via mailop

On Fri 09/Jun/2023 19:14:31 +0200 Slavko via mailop wrote:
> On 9 June 2023 16:07:28 UTC, Andrew C Aitchison via mailop wrote:
>
>> I asked one of the checker websites about that and received the reply:
>>  RFC6652 is a proposed standard from 2012, but was replaced by DMARC in 2015.
>>  DMARC reports on both SPF and DKIM.
>
> But that is their point of view, as RFC 6652 doesn't seem to
> be marked as obsolete or so...


Actually, DMARC failure reports (aka forensic reports) include just DMARC data; 
that is, whether it was DKIM or SPF which failed, along with relevant 
identifiers and their alignment.  RFC 7489 adds:


 Note that a failure report generator MAY also
   independently produce an AFRF message for any or all of the
   underlying authentication methods.

IME, few receivers produce failure reports and none of them add the underlying 
stuff.



Best
Ale


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-09 Thread Gellner, Oliver via mailop

> On 09.06.2023 at 09:36 Alessandro Vesely via mailop wrote:
>
> RFC 6652 provides for setting ra= and rr= tags, which are themselves flagged 
> as errors by most SPF checking sites...

Does someone use those SPF tags or has any practical experience with them and 
ever received some reports? Or do those tags only exist in theory, like ruf in 
DMARC records?

—
BR Oliver




Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-09 Thread Slavko via mailop
On 9 June 2023 16:07:28 UTC, Andrew C Aitchison via mailop wrote:

>I asked one of the checker websites about that and received the reply:
>  RFC6652 is a proposed standard from 2012, but was replaced by DMARC in 2015.
>  DMARC reports on both SPF and DKIM.

But that is their point of view, as RFC 6652 doesn't seem to
be marked as obsolete or so...

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-09 Thread Andrew C Aitchison via mailop


On Fri, 9 Jun 2023, Alessandro Vesely via mailop wrote:

> On Fri 09/Jun/2023 07:37:06 +0200 Benoît Panizzon via mailop wrote:
>
>>> If you don't care enough to publish a valid SPF record, why should we
>>> think you care whether we deliver your mail?
>>
>> The customer in question used an ESP to send marketing emails. That ESP
>> told him what host to include in his SPF record.
>>
>> Probably some years later, that ESP changed domain and that include became
>> invalid.
>
> Anyone took care to alert them about that error?
>
> RFC 6652 provides for setting ra= and rr= tags, which are themselves flagged
> as errors by most SPF checking sites...

I asked one of the checker websites about that and received the reply:
  RFC6652 is a proposed standard from 2012, but was replaced by DMARC in 2015.
  DMARC reports on both SPF and DKIM.

Benoît, does the domain in question receive DMARC reports?

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] SPF: Does include: a host without TXT entry, invalidate the whole SPF entry?

2023-06-09 Thread Jaroslaw Rafa via mailop
On 9.06.2023 at 12:29:46 Joel M Snyder via mailop wrote:
> If you want to spend an amusing few moments, try querying large
> organization's DNS records for TXT and count the number of "we had
> to put this in to verify a cert/web site/service" records that were
> added for one-time domain verification and are still in, years
> later. Sometimes there are enough that the record no longer fits in
> UDP and requires a TCP response...

It's off-topic, but doesn't Google re-verify the site periodically and thus
require that the verification record be present all the time?

I had an impression (maybe wrong) that it does...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] SPF: Does include: a host without TXT entry, invalidate the whole SPF entry?

2023-06-09 Thread Joel M Snyder via mailop

Alessandro Vesely  possibly may have written:

>>> If you don't care enough to publish a valid SPF record, why should
>>> we think you care whether we deliver your mail?
>>
>> The customer in question used an ESP to send marketing emails.
>> That ESP told him what host to include in his SPF record.
>>
>> Probably some years later, that ESP changed domain and that include
>> became invalid.
>
>Anyone took care to alert them about that error?

In my experience, most organizations don't have a good handle on their 
public facing DNS (or their private, but that's a different issue), and 
making changes to these records is a process that the staff find fraught 
with confusion, career-ending moments, and fear.


The lack of self-documentation in the DNS ("Why did we put that in the 
DNS and who was responsible and do we still need it?") exacerbates the 
problem.


Fixing SPF records is not a simple thing in today's Internet-connected 
organizations.  Alerting them of these errors seems to increase entropy 
rather than reduce it.  Again, in my experience.


If you want to spend an amusing few moments, try querying large 
organization's DNS records for TXT and count the number of "we had to 
put this in to verify a cert/web site/service" records that were added 
for one-time domain verification and are still in, years later. 
Sometimes there are enough that the record no longer fits in UDP and 
requires a TCP response...


% dig TXT unhcr.org

; <<>> DiG 9.10.6 <<>> TXT unhcr.org

;; ANSWER SECTION:
unhcr.org.  300  IN  TXT  "4dPjn0bLvSs+K1Q8VUB00xdR09jgiB5+coOxz3Av9vqDDYIYHPjyKl9KLiCCeD02xwqfVw19LtQ/gcVDIjgxDw=="
unhcr.org.  300  IN  TXT  "591eoor52joegqskl9ac184iqd"
unhcr.org.  300  IN  TXT  "5t8fcmfgf2nc2ndqaqs2pvdfcf"
unhcr.org.  300  IN  TXT  "8h8bhm0dhut6hn1l4do8fn85jh"
unhcr.org.  300  IN  TXT  "MS=3CE9D5FA6A0EB3B64A7A7A3F8D026EF18EA80952"
unhcr.org.  300  IN  TXT  "MS=ms93905490"
unhcr.org.  300  IN  TXT  "dt6emv4ipvnvvmv3noolv6o777"
unhcr.org.  300  IN  TXT  "gimrcjfu91s3qfhkri8g0k58r6"
unhcr.org.  300  IN  TXT  "google-site-verification=MLsLR2HAZQ9BMHTaAGabN7Y62_qNhrHX4F3N632MIUE"
unhcr.org.  300  IN  TXT  "google-site-verification=mH2vWa5Es_J_duT7AnEGWVofbE3N4ShF72gG2du8R9k"
unhcr.org.  300  IN  TXT  "iqtn0542llv1l0pnarfakldjpn"
unhcr.org.  300  IN  TXT  "p05bsp32i1jsuk7ak49t2tc2lt"
unhcr.org.  300  IN  TXT  "pj3c7mlmlrije8a3o6jqsruuc3"
unhcr.org.  300  IN  TXT  "teamviewer-sso-verification=56587a1763d8457ba2d7de6b280aeb19"
unhcr.org.  300  IN  TXT  "tho1nrl5f4k0t5d2j7cqp0jgm4"
unhcr.org.  300  IN  TXT  "v=spf1 include:spf.protection.outlook.com include:spf1.unicc.unicc.org include:spf1.unhcr.org -all"
unhcr.org.  300  IN  TXT  "webexdomainverification.4C675B87D61AB136E053AB06FC0A3F65=15e740df-26f8-4339-b9d8-d119e4065d24"


% dig TXT mcdonalds.com

; <<>> DiG 9.10.6 <<>> TXT mcdonalds.com
; ANSWER SECTION:

mcdonalds.com.  3600  IN  TXT  "amazonses:24YzB2l981UTyShDCxFnkb9onqr7EICEKxuiXuT0JsE="
mcdonalds.com.  3600  IN  TXT  "amazonses:2yrtLrBZnUnx460KXwTUxZ01Ud5ZLaiIxLObRgOROXw="
mcdonalds.com.  3600  IN  TXT  "amazonses:w61li6pZNv7ThE859iAQ4pB3r+/V0o3raZ+l+MjGGUM="
mcdonalds.com.  3600  IN  TXT  "bu6vtqae5ivnlcygdwdv5tlv3ouelhgc._domainkey.us.mcdonalds.com bu6vtqae5ivnlcygdwdv5tlv3ouelhgc.dkim.amazonses.com"
mcdonalds.com.  3600  IN  TXT  "facebook-domain-verification=kgdg0z0q8plsrhydjn7cfc4060qs7e"
mcdonalds.com.  3600  IN  TXT  "fcr34w4ydxvjlpfd378b6gy13sp70nl7"
mcdonalds.com.  3600  IN  TXT  "globalsign-domain-verification=sQ-XKBfUo5JDJd8xvoOg94ZQ0q4WWtarHMUXPLXva-"
mcdonalds.com.  3600  IN  TXT  "google-site-verification=8P1qbyxjsZuEtxjuD8vE7jaw73fnw7996n0mmon34wQ"
mcdonalds.com.  3600  IN  TXT  "google-site-verification=dWgCJy1wnoMQHUrevkULexZ6C4F67zRJRyhd2BD_0JM"
mcdonalds.com.  3600  IN  TXT  "google-site-verification=iBg7YjcBWxqMsH0VIfkAY9LwQ9Q6HNstaznRQmt-JBo"
mcdonalds.com.  3600  IN  TXT  "i3ercugito3yrnvxyidnkrs3ronr4jyy._domainkey.us.mcdonalds.com i3ercugito3yrnvxyidnkrs3ronr4jyy.dkim.amazonses.com"
mcdonalds.com.  3600  IN  TXT  "m44vwjmxlvh26mg9nf08qshrn8rzy3s3"
mcdonalds.com.  3600  IN  TXT  "m4gcv5ds4osmwyunlxglow4zhbi2av7n._domainkey.us.mcdonalds.com m4gcv5ds4osmwyunlxglow4zhbi2av7n.dkim.amazonses.com"
mcdonalds.com.  3600  IN  TXT  "v=spf1 include:spf.mailjet.com include:_spf.q4press.com include:amazonses.com include:_spf.tivian.com ~all"



--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.com    http://www.opus1.com/jms



Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-09 Thread John R Levine via mailop

>> If you don't care enough to publish a valid SPF record, why should
>> we think you care whether we deliver your mail?
>
> The customer in question used an ESP to send marketing emails.
> That ESP told him what host to include in his SPF record.
>
> Probably some years later, that ESP changed domain and that include
> became invalid.


Quite possibly, but I don't see why that is anyone else's problem.  As I 
said, if you want people to accept your mail, act like you want people to 
accept your mail.  If you don't have the skills to do that, get help from 
someone who does.


If people make reasonable requests for help, that is fine, but don't 
expect people to work around stuff you can and should fix.


R's,
John


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-09 Thread Alessandro Vesely via mailop

On Fri 09/Jun/2023 07:37:06 +0200 Benoît Panizzon via mailop wrote:

>> If you don't care enough to publish a valid SPF record, why should
>> we think you care whether we deliver your mail?
>
> The customer in question used an ESP to send marketing emails.
> That ESP told him what host to include in his SPF record.
>
> Probably some years later, that ESP changed domain and that include
> became invalid.



Anyone took care to alert them about that error?

RFC 6652 provides for setting ra= and rr= tags, which are themselves flagged as 
errors by most SPF checking sites...



Best
Ale


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-08 Thread Benoît Panizzon via mailop
Hi John

> If you don't care enough to publish a valid SPF record, why should
> we think you care whether we deliver your mail?

The customer in question used an ESP to send marketing emails.
That ESP told him what host to include in his SPF record.

Probably some years later, that ESP changed domain and that include
became invalid.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G - Head of Commerce Customers
__

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Switzerland            Web  http://www.imp.ch
__


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-08 Thread Lyndon Nerenberg (VE7TFX/VE6BBM) via mailop
> IETF specs tell you what to do to interoperate, but deliberately don't
> spend a lot of time saying what to do if other people do it wrong.
> 
> If you don't care enough to publish a valid SPF record, why should
> we think you care whether we deliver your mail?

After dealing with this for many years I have found the best thing
to do is to pretend mal-formed records simply don't exist.  When
it comes to DNS records, falling back to the default behaviour
taken when the record isn't there in the first place is usually
the right thing to do.

--lyndon


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-08 Thread John Levine via mailop
It appears that Benoit Panizzon via mailop  said:
>My customer claims an invalid include: renders the whole entry invalid
>causing some service provider to classify such emails as spam.

IETF specs tell you what to do to interoperate, but deliberately don't
spend a lot of time saying what to do if other people do it wrong.

If you don't care enough to publish a valid SPF record, why should
we think you care whether we deliver your mail?

R's,
John




Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-06 Thread Mark Alley via mailop
https://datatracker.ietf.org/doc/html/rfc7208#section-5.2

See the table at the bottom of the section regarding recursive check_host()
evaluation.

In this case, the recursive check_host() function returned "none" as a
result from the include mechanism, and therefore according to the table,
the parent check_host() function returns permerror as a result.

So your customer is correct.

-Mark Alley

On Tue, Jun 6, 2023, 2:42 AM Benoit Panizzon via mailop 
wrote:

> Hi List
>
> One more technical question after some discussion with one of our
> customers.
>
> Sender has SPF entry:
>
> "v=spf1 ip4:10.1.2.0/25 include:_spf.example.com -all"
>
> _spf.example.com either has no txt entry or just does not exist.
>
> So from my point of view, the SPF entry is still valid as it has at
> least one valid element which designates an ip range which sending is
> permitted.
>
> My customer claims an invalid include: renders the whole entry invalid
> causing some service provider to classify such emails as spam.
>
> Kind regards
>
> -Benoît Panizzon-
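
The RFC 7208 section 5.2 mapping cited in the reply above, as an added sketch that is not part of the thread. It goes slightly beyond the reply by also showing left-to-right evaluation: an address inside the ip4 range matches before the include is reached. The domain names other than _spf.example.com, the DNS table and the test addresses are constructed, and only the ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (assumption): TXT records keyed by name.
# _spf.example.com is absent on purpose, as in the question.
TXT = {
    "sender.example": ["v=spf1 ip4:10.1.2.0/25 include:_spf.example.com -all"],
    "fixed.example": ["v=spf1 ip4:10.1.2.0/25 include:_spf.fixed.example -all"],
    "_spf.fixed.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# RFC 7208 section 5.2: result of the recursive check_host() and its
# effect on the include mechanism in the parent record.
INCLUDE_TABLE = {
    "pass": "match", "fail": "no-match", "softfail": "no-match",
    "neutral": "no-match", "temperror": "temperror",
    "permerror": "permerror", "none": "permerror",
}


def check_host(ip, domain, depth=0):
    """Evaluate ip4, include and all mechanisms from left to right."""
    if depth > 10:  # lookup limit, simplified here to a nesting limit
        return "permerror"
    records = [r for r in TXT.get(domain, []) if r.split(" ")[0] == "v=spf1"]
    if not records:
        return "none"  # no SPF record published at this name
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            effect = INCLUDE_TABLE[check_host(ip, mech[8:], depth + 1)]
            if effect in ("temperror", "permerror"):
                return effect  # the error ends evaluation of the parent
            matched = effect == "match"
        elif mech == "all":
            matched = True
        else:
            raise ValueError("mechanism not covered by this sketch: " + mech)
        if matched:
            return QUALIFIER[qual]  # first match ends processing
    return "neutral"


if __name__ == "__main__":
    for ip in ("10.1.2.5", "198.51.100.7"):
        print(ip, check_host(ip, "sender.example"))
```
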


[mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-06 Thread Benoit Panizzon via mailop
Hi List

One more technical question after some discussion with one of our
customers.

Sender has SPF entry:

"v=spf1 ip4:10.1.2.0/25 include:_spf.example.com -all"

_spf.example.com either has no txt entry or just does not exist.

So from my point of view, the SPF entry is still valid as it has at
least one valid element which designates an ip range which sending is
permitted.

My customer claims an invalid include: renders the whole entry invalid
causing some service provider to classify such emails as spam.

Kind regards

-Benoît Panizzon-