(Please ignore my last message. My phone hit “send” randomly.)

On Sep 28, 2018, at 9:48 AM EDT, bOnK wrote:

> A better idea might be testing if SPF for an external domain would pass on
> your own server.
> This is what milter greylist does.
> http://hcpnet.free.fr/milter-greylist/

That’s interesting! We’d definitely need to ensure external relays for such a rule in SA, though of course this’d also require some plugin dev work. Does anybody have stats on that?

> Though probably exceptional, according to the RFC +all *can be* restrictive...
> https://tools.ietf.org/html/rfc7208#appendix-A.4
>
>> A.4. Multiple Requirements Example
>>
>> Say that your sender policy requires both that the IP address is
>> within a certain range and that the reverse DNS for the IP matches.
>> This can be done several ways, including the following:
>>
>> example.com. SPF ( "v=spf1 "
>> "-include:ip4._spf.%{d} "
>> "-include:ptr._spf.%{d} "
>> "+all" )
>> ip4._spf.example.com. SPF "v=spf1 -ip4:192.0.2.0/24 +all"
>> ptr._spf.example.com. SPF "v=spf1 -ptr +all"
>>
>> This example shows how the "-include" mechanism can be useful, how an
>> SPF record that ends in "+all" can be very restrictive, and the use
>> of De Morgan's Law.

This is amazing. And disgusting. And the only remotely legitimate usage of either the ptr mechanism or (separately) inanity like invoking De Morgan’s Law, and therefore also +all.

The ptr mechanism in SPF is officially “do not use” right in the spec <https://tools.ietf.org/html/rfc7208#section-5.5>; PTR records aren’t vetted (any network operator can assign literally any rDNS to their IPs), so it trivializes forgery that would elicit an SPF pass. Using De Morgan to intersect ptr with an un-forgeable requirement alleviates the issues of ptr, but it’s much less complicated to merely bless each one in the SPF record.

Any (non-spammer) senders large enough to have issues fitting individual IPs in the max size of a record should definitely not delegate control of SPF to rDNS. They should instead better allocate their IP space for proper control by CIDR, or else give up and use an Email Service Provider that actually knows what it’s doing 😉
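To see why the "-include ... +all" construction from the quoted RFC appendix yields a pass only when both requirements hold, here is an added example (not from the thread or from SpamAssassin) that evaluates those records with a minimal SPF checker. It assumes a constructed in-memory DNS zone in place of real lookups, with the %{d} macros expanded by hand and the ptr mechanism given an explicit target domain (`ptr:example.com`) so the rDNS check is unambiguous.

```python
import ipaddress

# Constructed stand-in for DNS: SPF records (RFC 7208 A.4, macros expanded), PTR and A data.
SPF = {
    "example.com": "v=spf1 -include:ip4._spf.example.com -include:ptr._spf.example.com +all",
    "ip4._spf.example.com": "v=spf1 -ip4:192.0.2.0/24 +all",
    "ptr._spf.example.com": "v=spf1 -ptr:example.com +all",
}
# 198.51.100.7 carries an rDNS name its operator simply chose; it has no matching forward record.
PTR = {"192.0.2.10": ["mail.example.com"], "198.51.100.7": ["mail.example.com"]}
A = {"mail.example.com": ["192.0.2.10"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def ptr_matches(ip, target):
    # RFC 7208 5.5 validation: a PTR name counts only if it lies within <target>
    # and forward-resolves back to the connecting IP; unvalidated names are ignored.
    for name in PTR.get(ip, []):
        in_domain = name == target or name.endswith("." + target)
        if in_domain and ip in A.get(name, []):
            return True
    return False


def spf_check(ip, domain):
    """Evaluate <ip> against <domain>'s SPF record; returns the first matching qualifier."""
    terms = SPF[domain].split()[1:]  # drop the "v=spf1" version tag
    for term in terms:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:])
        elif mech.startswith("ptr:"):
            matched = ptr_matches(ip, mech[4:])
        elif mech.startswith("include:"):
            # include matches only when the referenced record evaluates to "pass"
            matched = spf_check(ip, mech[8:]) == "pass"
        else:
            continue  # mechanisms outside this demo are skipped
        if matched:
            return RESULT[qual]
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "192.0.2.20"):
        print(ip, spf_check(ip, "example.com"))
```

Only the IP that is both inside 192.0.2.0/24 and has a validated rDNS within example.com reaches the trailing "+all"; an IP outside the range, or one inside the range without a validated PTR, trips one of the "-include" terms and fails.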