Re: [mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-15 Thread Al Iverson
You're not wrong. I would only say that perhaps this makes -all
harmless versus something one truly needs to worry about or avoid.

There's a lot of past, quite possibly bogus, guidance where we were
all pushed as ESP senders to implement -all, given the impression that
once upon a time it provided an indirect deliverability boost in some
places. Inertia is strong.

I still personally want -all for myself, because I think there are
possibly a lot of third or fourth tier smaller ISPs, and hobbyists,
and non-US ISPs, that perhaps have SPF support but aren't there with
DMARC yet.

Cheers,
Al Iverson

On Thu, Dec 14, 2017 at 5:28 PM, Brandon Long  wrote:
> My point is that -all is policy, and most people ignore the policy portions
> of SPF because it completely fails a lot of forwarding cases.
>
> -all is asking receivers to reject mail that doesn't pass.
>
> ~all isn't policy.
>
> In practice, very few receivers implement SPF policy (except -all by itself
> for domains which don't send mail as a special case).
>
> Maybe there are some smaller receivers who will pay attention to it, but
> you're almost certainly going to get more false positives from them than
> real positives.  And you won't even notice.
>
> If you want policy, use DMARC, it's what it's there for, and these things
> are considered.  As much as DMARC rightly gets pushback for the parts of
> forwarding it fails at, it's definitely more useful for policy goals, and
> has much wider adoption.
>
> DKIM, for example, explicitly says that a DKIM fail means nothing.  Which
> doesn't prevent folks from rejecting messages with broken DKIM signatures,
> probably the same folks who follow
> -all.
>
> Brandon
>
>
> On Thu, Dec 14, 2017 at 12:17 PM Al Iverson  wrote:
>>
>> On Thu, Dec 14, 2017 at 2:14 PM, Brandon Long via mailop
>>  wrote:
>> >
>> > On Thu, Dec 14, 2017 at 11:09 AM Jim Popovitch  wrote:
>> >>
>> >> On Thu, Dec 14, 2017 at 11:33 AM, Vladimir Dubrovin via mailop
>> >>  wrote:
>> >> >
>> >> > In fact, you should not use "-all" for your mail domain if you care
>> >> > about deliverability.
>> >>
>> >> FALSE!  (Also, you should not randomly add CC recipients to the same
>> >> mailinglist that you are responding to)
>> >>
>> >> Aside from a few HUGE providers, those with very large and disparate
>> >> networks/offices/topology
>> >>
>> >> -all means that the domain operator knows what they are doing, knows
>> >> what their network consists of and how email is routed within their
>> >> network.  It further states that the -all publisher has committed to
>> >> staying abreast of what happens in their environment in order to
>> >> assure their IP space is properly routing email.  It instills
>> >> confidence.
>> >>
>> >> ~all is just plain lazy, and is akin to saying that you don't have
>> >> confidence in your ability to own and control your own network; and
>> >> you want others to spend some level of time/money (in the form of CPU
>> cycles) analyzing email emitted from your network to determine its
>> >> suitability for deliverability.
>> >
>> > Or, it acknowledges the fact that the people you send mail to may
>> > forward
>> > that
>> > mail, and trying to control that is silly.
>>
>> Yeah, but a fail doesn't magically turn into a pass if you turn -all into
>> ~all.
>>
>> I don't think either is a universal use case, but I see good reasons
>> for both ways and it depends on what type of company and mail sender
>> you are. For me, I think -all makes a lot of sense for marketing
>> senders and folks really worried about phishing/spoofing. And I see
>> lots of -all mail get forwarded just fine, thanks to, for example, the
>> fine folks at Google who write the return path when forwarding. :)
>>
>> Old school forwarding is still a pain even if you pull SPF out of the
>> equation, no?
>>
>> Cheers,
>> Al
>>
>> --
>> al iverson // wombatmail // miami
>> http://www.aliverson.com
>> http://www.spamresource.com
>>
>> ___
>> mailop mailing list
>> mailop@mailop.org
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop



-- 
al iverson // wombatmail // miami
http://www.aliverson.com
http://www.spamresource.com



Re: [mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-14 Thread Jim Popovitch
On Thu, Dec 14, 2017 at 8:07 PM, Bill Cole
 wrote:
> On 14 Dec 2017, at 14:01 (-0500), Jim Popovitch wrote:
>
>> Aside from a few HUGE providers, those with very large and disparate
>> networks/offices/topology
>
>
> SPF isn't related to the complexity of a network, but control of users using
> a domain name, which is a very different thing.

Forget about users, think IoT devices.   ~all makes it easy for a
hacked device to send emails using your domain.

>> -all means that the domain operator knows what they are doing,
>
>
> No, it means they know what their users do.

Not every network or domain is used as a mailbox provider.

> Or that they THINK they do.
>
>> knows
>> what their network consists of and how email is routed within their
>> network.  It further states that the -all publisher has committed to
>> staying abreast of what happens in their environment in order to
>> assure their IP space is properly routing email.  It instills
>> confidence.
>
>
> There continue to be sites that do traditional ~/.forward-style transparent
> SMTP forwarding, which preserves the envelope sender as received. There
> continue to be websites which give users the ability to send content to
> others which use the address of the user initiating the action as the
> envelope sender, so that bounces go to the person who might care.
>
> Last I checked, it was frowned upon for sysadmins to execute users who
> obliviously violate a SPF '-all' policy by mailing a 'wrong' person or using
> a 'wrong' 3rd-party system.
>
>
>> ~all is just plain lazy, and is akin to saying that you don't have
>> confidence in your ability to own and control your own network;
>
>
> You keep using that word. I do not think it means what you think it means.

Ahh, a Princess Bride fan...

> If you consider users to be a subordinate part of a "network" then no
> "network" is controllable or should be.

No, that's not what I'm saying.  Forget about users, think spambot
infested devices on your network (or on someone else's network using
your domain).

>> and
>> you want others to spend some level of time/money (in the form of CPU
> cycles) analyzing email emitted from your network to determine its
>> suitability for deliverability.
>
>
> There you go saying "your network" again, yet fundamentally '~all' says 'my
> users might cause mail using my domain name to come from networks OTHER THAN
> mine.' Which is true of almost any significant set of users. Mail actually
> from the domain owner's network properly will be authenticated by what comes
> BEFORE the '~all' default.

Of course, but we're not really discussing what comes before the ~all
or -all, rather what comes after the properly identified network
resources listed in the SPF RR.

-Jim P.



Re: [mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-14 Thread Bill Cole

On 14 Dec 2017, at 14:01 (-0500), Jim Popovitch wrote:

> Aside from a few HUGE providers, those with very large and disparate
> networks/offices/topology

SPF isn't related to the complexity of a network, but control of users
using a domain name, which is a very different thing.

> -all means that the domain operator knows what they are doing,

No, it means they know what their users do.

Or that they THINK they do.

> knows
> what their network consists of and how email is routed within their
> network.  It further states that the -all publisher has committed to
> staying abreast of what happens in their environment in order to
> assure their IP space is properly routing email.  It instills
> confidence.

There continue to be sites that do traditional ~/.forward-style
transparent SMTP forwarding, which preserves the envelope sender as
received. There continue to be websites which give users the ability to
send content to others which use the address of the user initiating the
action as the envelope sender, so that bounces go to the person who
might care.

Last I checked, it was frowned upon for sysadmins to execute users who
obliviously violate a SPF '-all' policy by mailing a 'wrong' person or
using a 'wrong' 3rd-party system.

> ~all is just plain lazy, and is akin to saying that you don't have
> confidence in your ability to own and control your own network;

You keep using that word. I do not think it means what you think it
means.

If you consider users to be a subordinate part of a "network" then no
"network" is controllable or should be.

> and
> you want others to spend some level of time/money (in the form of CPU
> cycles) analyzing email emitted from your network to determine its
> suitability for deliverability.

There you go saying "your network" again, yet fundamentally '~all' says
'my users might cause mail using my domain name to come from networks
OTHER THAN mine.' Which is true of almost any significant set of users.
Mail actually from the domain owner's network properly will be
authenticated by what comes BEFORE the '~all' default.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole



Re: [mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-14 Thread Brandon Long via mailop
My point is that -all is policy, and most people ignore the policy portions
of SPF because it completely fails a lot of forwarding cases.

-all is asking receivers to reject mail that doesn't pass.

~all isn't policy.

In practice, very few receivers implement SPF policy (except -all by itself
for domains which don't send mail as a special case).

Maybe there are some smaller receivers who will pay attention to it, but
you're almost certainly going to get more false positives from them than
real positives.  And you won't even notice.

If you want policy, use DMARC, it's what it's there for, and these things
are considered.  As much as DMARC rightly gets pushback for the parts of
forwarding it fails at, it's definitely more useful for policy goals, and
has much wider adoption.

DKIM, for example, explicitly says that a DKIM fail means nothing.  Which
doesn't prevent folks from rejecting messages with broken DKIM signatures,
probably the same folks who follow
-all.

Brandon


On Thu, Dec 14, 2017 at 12:17 PM Al Iverson  wrote:

> On Thu, Dec 14, 2017 at 2:14 PM, Brandon Long via mailop
>  wrote:
> >
> > On Thu, Dec 14, 2017 at 11:09 AM Jim Popovitch  wrote:
> >>
> >> On Thu, Dec 14, 2017 at 11:33 AM, Vladimir Dubrovin via mailop
> >>  wrote:
> >> >
> >> > In fact, you should not use "-all" for your mail domain if you care
> >> > about deliverability.
> >>
> >> FALSE!  (Also, you should not randomly add CC recipients to the same
> >> mailinglist that you are responding to)
> >>
> >> Aside from a few HUGE providers, those with very large and disparate
> >> networks/offices/topology
> >>
> >> -all means that the domain operator knows what they are doing, knows
> >> what their network consists of and how email is routed within their
> >> network.  It further states that the -all publisher has committed to
> >> staying abreast of what happens in their environment in order to
> >> assure their IP space is properly routing email.  It instills
> >> confidence.
> >>
> >> ~all is just plain lazy, and is akin to saying that you don't have
> >> confidence in your ability to own and control your own network; and
> >> you want others to spend some level of time/money (in the form of CPU
> >> cycles) analyzing email emitted from your network to determine its
> >> suitability for deliverability.
> >
> > Or, it acknowledges the fact that the people you send mail to may forward
> > that
> > mail, and trying to control that is silly.
>
> Yeah, but a fail doesn't magically turn into a pass if you turn -all into
> ~all.
>
> I don't think either is a universal use case, but I see good reasons
> for both ways and it depends on what type of company and mail sender
> you are. For me, I think -all makes a lot of sense for marketing
> senders and folks really worried about phishing/spoofing. And I see
> lots of -all mail get forwarded just fine, thanks to, for example, the
> fine folks at Google who write the return path when forwarding. :)
>
> Old school forwarding is still a pain even if you pull SPF out of the
> equation, no?
>
> Cheers,
> Al
>
> --
> al iverson // wombatmail // miami
> http://www.aliverson.com
> http://www.spamresource.com
>
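Brandon's point is that SPF's "-all" is a policy most receivers do not enforce, and that DMARC is where policy decisions belong. The following is an added example, not code from the thread or from any receiver named in it: a small DMARC evaluator that combines an SPF result and a DKIM result the receiver has already computed, applies identifier alignment, and returns the disposition. The _dmarc records, domains and the organizational-domain helper are constructed for the example (a real receiver derives the organizational domain from the Public Suffix List). The case list works through the forwarding situations argued about in the thread: a transparent forward that breaks SPF but leaves a valid DKIM signature still passes DMARC, while a forward that also breaks DKIM fails and is rejected under p=reject.

```python
# Added example: DMARC policy evaluation over constructed records.
# Domains, records and results below are made up for illustration.
DNS_DMARC = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(from_domain):
    """Fetch and parse the _dmarc TXT record; None if absent or malformed."""
    record = DNS_DMARC.get("_dmarc." + from_domain.lower())
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DISPOSITION:
        return None
    return tags


def org_domain(name):
    """Organizational domain. Toy rule: keep the last two labels. Real
    receivers consult the Public Suffix List instead."""
    return ".".join(name.lower().split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, mail_from_domain, dkim_result, dkim_d):
    """Combine SPF and DKIM into (dmarc_result, disposition).

    spf_result / dkim_result are the authentication results already
    computed by the receiver; mail_from_domain is the RFC5321.MailFrom
    domain and dkim_d the d= of the verified signature (None if unsigned).
    """
    policy = parse_dmarc(from_domain)
    if policy is None:
        return ("none", "deliver")          # no policy published
    spf_aligned = (spf_result == "pass"
                   and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and dkim_d is not None
                    and aligned(dkim_d, from_domain, policy.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return ("pass", "deliver")
    return ("fail", DISPOSITION[policy["p"]])


def forwarding_cases():
    """The situations debated in the thread, all for From: user@example.com."""
    return {
        # sent from the owner's network and signed by the owner
        "direct": dmarc_evaluate("example.com", "pass", "example.com", "pass", "example.com"),
        # transparent forward: SPF now fails, but the DKIM signature survived
        "forwarded, DKIM intact": dmarc_evaluate("example.com", "fail", "example.com",
                                                 "pass", "example.com"),
        # forward that rewrote the body (DKIM broken) and kept MAIL FROM
        "forwarded, DKIM broken": dmarc_evaluate("example.com", "fail", "example.com",
                                                 "fail", "example.com"),
        # forwarder rewrote the return path (SPF passes, but unaligned) and broke DKIM
        "SRS forward, DKIM broken": dmarc_evaluate("example.com", "pass", "forwarder.example",
                                                   "fail", "example.com"),
        # bulk mail from a subdomain under relaxed alignment
        "subdomain, relaxed": dmarc_evaluate("example.com", "pass", "bulk.example.com",
                                             "pass", "bulk.example.com"),
        # spoofed from an unlisted host, unsigned
        "spoofed": dmarc_evaluate("example.com", "fail", "example.com", "none", None),
        # same spoof against a domain that only monitors (p=none)
        "spoofed, p=none": dmarc_evaluate("example.org", "fail", "example.org", "none", None),
        # a domain with no DMARC record at all
        "no policy": dmarc_evaluate("example.net", "fail", "example.net", "none", None),
    }


if __name__ == "__main__":
    for case, (result, action) in forwarding_cases().items():
        print(f"{case:26} dmarc={result:5} -> {action}")
```

The "SRS forward, DKIM broken" case is the one worth staring at: a forwarder that rewrites the envelope sender makes SPF pass, but against the forwarder's domain, so the pass does not align with the From: domain and DMARC still fails. Only an intact, aligned DKIM signature carries a forwarded message through p=reject, which is why the forwarding pushback Brandon mentions is about DKIM-breaking intermediaries, not SPF.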


Re: [mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-14 Thread Al Iverson
On Thu, Dec 14, 2017 at 2:14 PM, Brandon Long via mailop
 wrote:
>
> On Thu, Dec 14, 2017 at 11:09 AM Jim Popovitch  wrote:
>>
>> On Thu, Dec 14, 2017 at 11:33 AM, Vladimir Dubrovin via mailop
>>  wrote:
>> >
>> > In fact, you should not use "-all" for your mail domain if you care
>> > about deliverability.
>>
>> FALSE!  (Also, you should not randomly add CC recipients to the same
>> mailinglist that you are responding to)
>>
>> Aside from a few HUGE providers, those with very large and disparate
>> networks/offices/topology
>>
>> -all means that the domain operator knows what they are doing, knows
>> what their network consists of and how email is routed within their
>> network.  It further states that the -all publisher has committed to
>> staying abreast of what happens in their environment in order to
>> assure their IP space is properly routing email.  It instills
>> confidence.
>>
>> ~all is just plain lazy, and is akin to saying that you don't have
>> confidence in your ability to own and control your own network; and
>> you want others to spend some level of time/money (in the form of CPU
>> cycles) analyzing email emitted from your network to determine its
>> suitability for deliverability.
>
> Or, it acknowledges the fact that the people you send mail to may forward
> that
> mail, and trying to control that is silly.

Yeah, but a fail doesn't magically turn into a pass if you turn -all into ~all.

I don't think either is a universal use case, but I see good reasons
for both ways and it depends on what type of company and mail sender
you are. For me, I think -all makes a lot of sense for marketing
senders and folks really worried about phishing/spoofing. And I see
lots of -all mail get forwarded just fine, thanks to, for example, the
fine folks at Google who write the return path when forwarding. :)

Old school forwarding is still a pain even if you pull SPF out of the
equation, no?

Cheers,
Al

-- 
al iverson // wombatmail // miami
http://www.aliverson.com
http://www.spamresource.com

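Al's observation that "a fail doesn't magically turn into a pass if you turn -all into ~all" is easy to check mechanically. What follows is an added example and not code from the thread: a minimal SPF evaluator over a constructed, in-memory set of TXT records, run against the delivery paths discussed above (direct send, send through an ESP listed with include:, a transparent ~/.forward-style relay, a forwarder that rewrites the return path to its own domain, and a spoof from an unlisted host). It implements only the ip4, ip6, include and all mechanisms, which is enough for these records; the domains and addresses are made up.

```python
# Added example: toy SPF evaluator (ip4/ip6/include/all only) over
# constructed TXT records. No real domains or hosts are involved.
import ipaddress

# example.com publishes -all and delegates to an ESP via include:,
# example.org publishes ~all for the same network, nomail.example is the
# "-all by itself" record for a domain that never sends, and
# forwarder.example is the forwarding host's own domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nomail.example": "v=spf1 -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate mail_from_domain's SPF record against the connecting IP.

    Returns an RFC 7208 result string: pass, fail, softfail, neutral,
    none or permerror.
    """
    if depth > 10:                          # RFC 7208 include nesting limit
        return "permerror"
    record = DNS_TXT.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # membership is False across address families, so a v4 client
            # never matches an ip6: term and vice versa
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(client_ip, argument, depth + 1) == "pass"
        else:
            return "permerror"              # mechanism this toy does not know
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # record ended without an "all" term


def delivery_paths():
    """What a receiver sees for one message along the paths in the thread."""
    origin = "192.0.2.5"            # the domain owner's own MTA
    esp = "198.51.100.9"            # the ESP listed via include:
    forwarder = "203.0.113.10"      # a ~/.forward-style relay at the recipient
    stranger = "203.0.113.77"       # a compromised host somewhere else
    return {
        "direct, -all": check_spf(origin, "example.com"),
        "direct, ~all": check_spf(origin, "example.org"),
        "via ESP include": check_spf(esp, "example.com"),
        # transparent forwarding keeps MAIL FROM as received
        "forwarded, -all": check_spf(forwarder, "example.com"),
        "forwarded, ~all": check_spf(forwarder, "example.org"),
        # forwarder rewrites the return path to its own domain first
        "forwarded, rewritten": check_spf(forwarder, "forwarder.example"),
        # spoofed from a host the record does not list
        "spoofed, -all": check_spf(stranger, "example.com"),
        "spoofed, ~all": check_spf(stranger, "example.org"),
        "spoofed, null record": check_spf(stranger, "nomail.example"),
    }


if __name__ == "__main__":
    for path, result in delivery_paths().items():
        print(f"{path:22} {result}")
```

The two forwarding rows and the two spoof rows differ only in the qualifier: -all turns both into "fail", ~all turns both into "softfail". Neither becomes "pass", and the evaluator cannot tell the forwarded message from the spoofed one, which is exactly why a receiver enforcing -all rejects legitimate forwards. The "forwarded, rewritten" row is the Google behaviour Al mentions: once the forwarder puts its own domain in the return path, SPF is evaluated against the forwarder's record and passes.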


Re: [mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-14 Thread Brandon Long via mailop
On Thu, Dec 14, 2017 at 11:09 AM Jim Popovitch  wrote:

> On Thu, Dec 14, 2017 at 11:33 AM, Vladimir Dubrovin via mailop
>  wrote:
> >
> > In fact, you should not use "-all" for your mail domain if you care
> > about deliverability.
>
> FALSE!  (Also, you should not randomly add CC recipients to the same
> mailinglist that you are responding to)
>
> Aside from a few HUGE providers, those with very large and disparate
> networks/offices/topology
>
> -all means that the domain operator knows what they are doing, knows
> what their network consists of and how email is routed within their
> network.  It further states that the -all publisher has committed to
> staying abreast of what happens in their environment in order to
> assure their IP space is properly routing email.  It instills
> confidence.
>
> ~all is just plain lazy, and is akin to saying that you don't have
> confidence in your ability to own and control your own network; and
> you want others to spend some level of time/money (in the form of CPU
> cycles) analyzing email emitted from your network to determine it's
> suitability for deliverability.
>

Or, it acknowledges the fact that the people you send mail to may forward
that
mail, and trying to control that is silly.

Brandon


Re: [mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-14 Thread Jim Popovitch
On Thu, Dec 14, 2017 at 11:33 AM, Vladimir Dubrovin via mailop
 wrote:
>
> In fact, you should not use "-all" for your mail domain if you care
> about deliverability.

FALSE!  (Also, you should not randomly add CC recipients to the same
mailinglist that you are responding to)

Aside from a few HUGE providers, those with very large and disparate
networks/offices/topology

-all means that the domain operator knows what they are doing, knows
what their network consists of and how email is routed within their
network.  It further states that the -all publisher has committed to
staying abreast of what happens in their environment in order to
assure their IP space is properly routing email.  It instills
confidence.

~all is just plain lazy, and is akin to saying that you don't have
confidence in your ability to own and control your own network; and
you want others to spend some level of time/money (in the form of CPU
cycles) analyzing email emitted from your network to determine its
suitability for deliverability.

-Jim P.



[mailop] SPF recommendations (was: Re: Earthlink trouble with our PTR)

2017-12-14 Thread Vladimir Dubrovin via mailop

> If you want to be a good neighbour, you should have a restrictive (not
> ~all) SPF

This is a quite common misconception. In fact, you should not use "-all"
for your mail domain if you care about deliverability.
You can find this fact and many more SPF misconceptions explained here:
https://hackernoon.com/myths-and-legends-of-spf-d17919a9e817


14.12.2017 17:45, Renaud Allard via mailop wrote:
> If you want to be a good neighbour, you should have a restrictive (not
> ~all) SPF, DMARC, DKIM and a FcRDNS coherent with your HELO. If you have
> all that, you should be able to send to anyone (besides hotmail).
> Obviously, you should also not be in any major blacklists.
>
> On 12/14/2017 03:27 PM, Ryan Prihoda wrote:
>> What about SPF, DMARC, DKIM ? I am sending 250k/day and only Earthlink
>> seems to care. How many checks are actually necessary ?
>>
>> -Ryan
>>
>> On 12/13/2017 03:32 PM, Vladimir Dubrovin via mailop wrote:
>>>
>>> Not only Earthlink cares, it's a standard procedure.
>>> This validation confirms your IP really belongs to the domain.
>>> This is standard validation for PTR everyone does, without this
>>> validation you can set PTR to arbitrary domain (e.g. example.com). Not
>>> everyone rejects messages based on this check, but it's also an
>>> option, see e.g.
>>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>>>
>>>
>>> 14.12.2017 0:02, Ryan Prihoda wrote:
>>>> William,
>>>>
>>>> Yes our PTR is set correctly, but our domain does resolve to a
>>>> different IP. Why does only Earthlink care about that ? Seems silly.
>>>>
>>>> Sincerely,
>>>>
>>>> Ryan Prihoda
>>>> Systems Administrator
>>>>
>>>>
>>>> dynaConnections Corp.
>>>> 1101 S. Capital of TX Hwy.
>>>> Bldg. H, Suite 130
>>>> Austin, Texas 78746
>>>> rprih...@dynaconnections.com
>>>> www.dynaconnections.com
>>>>
>>>>
>>>> On 12/13/2017 02:47 PM, W Kern wrote:
>>>>> It's misleading.
>>>>>
>>>>> We saw that a few weeks ago.
>>>>>
>>>>> Make sure the FQDN your reverse zone file provides also resolves
>>>>> back to the same IP.
>>>>>
>>>>> We were just as confused. The PTR was there, but because of a typo
>>>>> it didn't resolve.
>>>>>
>>>>> Fixed that and Earthlink was happy.
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> William Kern
>>>>>
>>>>> Pixelgate Networks.
>>>>>
>>>>>
>>>>> On 12/13/2017 12:21 PM, Ryan Prihoda wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> We are getting errors from one of our servers.
>>>>>>
>>>>>> 550 ERROR: No or mismatched reverse DNS (PTR) entries
>>>>>>
>>>>>> When, in fact there is only one record for that IP. Can anyone from
>>>>>> Earthlink look into this for us ?
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> Ryan Prihoda
>>>>>> Systems Administrator
>>>>>>
>>>>>>
>>>>>> dynaConnections Corp.
>>>>>> 1101 S. Capital of TX Hwy.
>>>>>> Bldg. H, Suite 130
>>>>>> Austin, Texas 78746
>>>>>> rprih...@dynaconnections.com
>>>>>> www.dynaconnections.com
>>>>
>>>>
>>>
>>> -- 
>>> Vladimir Dubrovin
>>> @Mail.Ru
>>>
>>>
>>
>>
>>
>
>


-- 
Vladimir Dubrovin
@Mail.Ru

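The PTR confusion at the bottom of this thread (Ryan's "our domain does resolve to a different IP", William's "make sure the FQDN your reverse zone file provides also resolves back to the same IP", and Vladimir's pointer to Postfix's reject_unknown_client_hostname) all come down to one test: forward-confirmed reverse DNS. The following is an added example, not code from the thread, Postfix or Earthlink: it resolves the connecting IP to its PTR name, resolves that name forward, and requires the original IP to be among the answers. It runs against a constructed in-memory DNS table by default (addresses from the documentation ranges, made-up names) and accepts real lookups via the socket module for a live check; the status names and the two receiver stances at the end are this example's own.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) check.
# The DNS tables below are constructed; nothing here is live unless the
# live_* lookups are passed in explicitly.
import socket

PTR_RECORDS = {
    "192.0.2.25": "mail.example.net",   # PTR and A agree: forward-confirmed
    "192.0.2.26": "mail.example.net",   # PTR names a host whose A is a different IP
    "192.0.2.27": "mta.exampel.net",    # typo in the PTR: the name has no A record
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.25"],
    "example.net": ["198.51.100.80"],   # the mail domain's own A record: not consulted
}


def table_ptr(ip):
    """PTR lookup against the constructed table; None if no reverse record."""
    return PTR_RECORDS.get(ip)


def table_a(hostname):
    """Forward lookup against the constructed table; [] if the name has no address."""
    return A_RECORDS.get(hostname, [])


def live_ptr(ip):
    """Real PTR lookup via the resolver; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(hostname):
    """Real forward lookup via the resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except (socket.herror, socket.gaierror):
        return []


def fcrdns(ip, ptr_lookup=table_ptr, a_lookup=table_a):
    """Forward-confirmed reverse DNS for a connecting IP.

    Returns (status, ptr_name) with status one of 'ok', 'no_ptr',
    'ptr_unresolvable' or 'mismatch'. Only the PTR name is resolved
    forward; the sender's mail domain plays no part in this check, which
    is why a domain whose A record points at a web host still passes.
    """
    name = ptr_lookup(ip)
    if name is None:
        return ("no_ptr", None)
    addrs = a_lookup(name)
    if not addrs:
        return ("ptr_unresolvable", name)
    if ip not in addrs:
        return ("mismatch", name)
    return ("ok", name)


def smtp_client_decision(ip, reject_unknown_client_hostname=False, **lookups):
    """The two receiver stances from the thread: treat a failed check as a
    scoring input, or reject the client outright (the Postfix
    reject_unknown_client_hostname behaviour, which rejects on any failure,
    not just a mismatch)."""
    status, _name = fcrdns(ip, **lookups)
    if status == "ok":
        return "accept"
    return "reject" if reject_unknown_client_hostname else "accept-and-score"


if __name__ == "__main__":
    for ip in list(PTR_RECORDS) + ["192.0.2.99"]:
        print(ip, fcrdns(ip), smtp_client_decision(ip, reject_unknown_client_hostname=True))
```

For a live check of one of your own outbound addresses, call `fcrdns("<your IP>", ptr_lookup=live_ptr, a_lookup=live_a)`; the 192.0.2.27 row reproduces William's typo case, where a PTR exists but its name resolves to nothing, and 192.0.2.26 is the mismatch case where the reverse zone names a host that actually lives at another address.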