On Fri, 28 Sep 2012, Daniel Friesen wrote:

On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green <jgr...@wikimedia.org> wrote:

I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.

The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.

Technical details are below for anyone interested . . .

Thanks,
jg

Jeff Green
Operations Engineer, Special Projects
Wikimedia Foundation
149 New Montgomery Street, 3rd Floor
San Francisco, CA 94105
 jgr...@wikimedia.org

. . . . . . .

SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework

The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:

wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"

The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.

Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.

I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.

The distinction is essentially assert (-all) vs advise (~all). Ideally -all would result in a reject during SMTP, and ~all would be route-to-spam-folder. But I think what really happens is subjective to the receiving side.


Please bug me with any questions/comments!


--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
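An added example, not part of the original thread or of Wikimedia's tooling: a minimal Python evaluator for the record quoted above, showing which SPF result a receiver computes for a given sending IP under `?all`, `~all` and `-all`. It handles only the `ip4`, `ip6`, `include` and `all` terms that appear in that record; the `INCLUDES` table is a constructed stand-in for the DNS lookup of `_spf.google.com`, and the function names are this example's own.

```python
import ipaddress

# Record text copied from the message above.
RECORD = ("v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 "
          "include:_spf.google.com ip4:74.121.51.111 ?all")

# Constructed stand-in: networks for which the included record would return
# "pass". A real checker fetches that TXT record from DNS and evaluates it.
# 192.0.2.0/24 is a documentation range, not Google's real data.
INCLUDES = {"_spf.google.com": ["192.0.2.0/24"]}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, includes=INCLUDES):
    """Evaluate terms left to right; the first matching term decides."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # default is "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            nets = [value]
        elif name == "include":
            if value not in includes:
                return "temperror"  # include target could not be looked up
            nets = includes[value]
        else:
            return "permerror"  # mechanism outside this example's scope
        for net in nets:
            network = ipaddress.ip_network(net, strict=False)
            if network.version == ip.version and ip in network:
                return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def with_policy(record, all_term):
    """Return the record with its trailing "all" term replaced."""
    return " ".join(record.split()[:-1] + [all_term])
```

The result is only the sender's published statement; what a receiver does with `softfail` or `fail` (tag, spam-folder, reject) is its own local policy, as the reply above notes.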
