Mailing List Archive

Problem getting python-policyd-spf to reject on Permerror
I would like to up my SPF game a bit and provide feedback to those who don't have a misconfigured SPF record. I have enabled debugging and only see an action of prepending the AR header.

postfix-3.0.5-1.el6.x86_64
python-pyspf-2.0.11-1.el6.noarch

/etc/python-policyd-spf/policyd-spf.conf
debugLevel = 5
defaultSeedOnly = 1
HELO_reject = False
Mail_From_reject = Fail
No_Mail = False
PermError_reject = True
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
Whitelist = 96.4.1.0/26,96.5.1.0/26
Header_Type = AR


Dec 14 10:21:30 mr3 policyd-spf[33206]: Starting

Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "request=smtpd_access_policy"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "protocol_state=RCPT"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "protocol_name=SMTP"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "client_address=129.176.115.3"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "client_name=ropebs021a.mayo.edu"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "client_port=32657"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "reverse_client_name=ropebs021a.mayo.edu"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "helo_name=listmanager.mayoclinic.com"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "sender=bounce-16651308-108450563@listmanager.mayoclinic.com"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "recipient=Jbrandon@example.com"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "recipient_count=0"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "queue_id="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "instance=8139.5a32a50a.b16c8.0"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "size=0"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "etrn_domain="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "stress="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "sasl_method="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "sasl_username="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "sasl_sender="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "ccert_subject="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "ccert_issuer="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "ccert_fingerprint="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "ccert_pubkey_fingerprint="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "encryption_protocol="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "encryption_cipher="
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: "encryption_keysize=0"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Read line: ""
Dec 14 10:21:30 mr3 policyd-spf[33206]: Found the end of entry
Dec 14 10:21:30 mr3 policyd-spf[33206]: Config: {'Mail_From_reject': 'Fail', 'Void_Limit': 2, 'Header_Type': 'AR', 'No_Mail': 'False', 'PermError_reject': 'True', 'Lookup_Time': 20, 'Authserv_Id': 'smtp4n.ena.net', 'defaultSeedOnly': 1, 'debugLevel': 5, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'HELO_reject': 'False', 'Whitelist': '96.4.1.0/26,96.5.1.0/26', 'TempError_Defer': 'False'}
Dec 14 10:21:30 mr3 policyd-spf[33206]: Cached data for this instance: []
Dec 14 10:21:30 mr3 policyd-spf[33206]: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: Unknown mechanism found: -all;', 'helo']"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Permerror; identity=helo; client-ip=129.176.115.3; helo=listmanager.mayoclinic.com; envelope-from=bounce-16651308-108450563@listmanager.mayoclinic.com; receiver=jbrandon@example.com
Dec 14 10:21:30 mr3 policyd-spf[33206]: Header type: AR; Authres ID (for AR): smtp4n.ena.net
Dec 14 10:21:30 mr3 policyd-spf[33206]: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: Unknown mechanism found: -all;', 'mailfrom']"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Permerror; identity=mailfrom; client-ip=129.176.115.3; helo=listmanager.mayoclinic.com; envelope-from=bounce-16651308-108450563@listmanager.mayoclinic.com; receiver=jbrandon@example.com
Dec 14 10:21:30 mr3 policyd-spf[33206]: Action: prepend: Text: Authentication-Results: smtp4n.ena.net; spf=permerror (SPF Permanent Error: Unknown mechanism found: -all;) smtp.mailfrom=listmanager.mayoclinic.com (client-ip=129.176.115.3; helo=listmanager.mayoclinic.com; envelope-from=bounce-16651308-108450563@listmanager.mayoclinic.com; receiver=jbrandon@example.com)


How do I get the action above to reject instead of adding a header?

Thanks,

Dave




-------------------------------------------
Sender Policy Framework: http://www.openspf.net [http://www.openspf.net]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1007/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1007/1311533-9e42a648
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311533&id_secret=1311533-d322f1f1
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311533&id_secret=1311533-d59c80a0&post_id=20171214114528:2EE7C12E-E0EE-11E7-BD33-B265945AA1FE
Powered by Listbox: http://www.listbox.com
Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
Hi,

I am not 100% sure, what you are looking for. But according to your SPF DNS setup, something seems strange:

./dnstxt smtp4n.ena.net
v=spf1 a -all

I would expect to see:

mx a:smtp4n.ena.net

Please check. A syntactically correct answer would be:

/dnstxt fehcom.de
v=spf1 ip4:85.25.149.179/32 ip6:2001:470:1f0a:58c::2/64 -all

Regards.
--eh.

PS: I'm using s/qmail's SPF capabilities (of course).


> On 14.12.2017 at 17:45, David Jones via spf-devel <spf-devel@listbox.com> wrote:
>
> lts: smtp4n.ena.net; spf=pe

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: EE00CF65







Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 10:59 AM, Erwin Hoffmann wrote:
> Hi,
>

You are referring to outbound mail SPF checks and my question is about
inbound SPF actions.

> I am not 100% sure, what you are looking for. But according to your SPF DNS setup, something seems strange:
>
> ./dnstxt smtp4n.ena.net
> v=spf1 a -all
>

My mail filters/relays do not source/originate any emails other than
bounces so this is correct. If you specify "a" in your SPF record, then
the email's envelope-from domain is used which is correct.

http://www.openspf.org/SPF_Record_Syntax

> I would expect to see:
>
> mx a:smtp4n.ena.net
>

I don't need "mx" because this server's outbound email doesn't have an
MX record. I don't receive email for *@smtp4n.ena.net.

As mentioned above, the "a" is fine.

One shouldn't blindly put "mx" in their SPF record if their outbound
email doesn't go out the same servers/IPs as their inbound MX flow. The
"mx" should only be used in very simple mail flows and is commonly misused.

> Please check. A syntactically correct answer would be:
>
> /dnstxt fehcom.de
> v=spf1 ip4:85.25.149.179/32 ip6:2001:470:1f0a:58c::2/64 -all
>

The official SPF record that we and our customers use is
"include:_spf.ena.net" like you would see for this email from ena.com:

"v=spf1 include:_spf.ena.net include:spf.protection.outlook.com -all"

Again, this is all outbound and my question was for an inbound problem.

Thank you anyway.

--
David Jones


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On Thursday, December 14, 2017 04:45:14 PM David Jones via spf-devel wrote:
> I would like to up my SPF game a bit and provide feedback to those who don't
> have a misconfigured SPF record. I have enabled debugging and only see an
> action of prepending the AR header.
>
> postfix-3.0.5-1.el6.x86_64
> python-pyspf-2.0.11-1.el6.noarch
>
> /etc/python-policyd-spf/policyd-spf.conf
> debugLevel = 5
> defaultSeedOnly = 1
> HELO_reject = False
> Mail_From_reject = Fail
> No_Mail = False
> PermError_reject = True
> TempError_Defer = False
> skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
> Whitelist = 96.4.1.0/26,96.5.1.0/26
> Header_Type = AR
>
...
>
> How do I get the action above to reject instead of adding a header?

There is a bug (that I haven't root caused yet) related to No_Mail. I believe
if you remove No_Mail = False from your config it will work. That's the
default anyway, so it should be fine to remove it.

Scott K
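A way to catch the symptom reported in this thread from the debug log itself, as an added example (not code from the thread or from python-policyd-spf): it pairs each request's pyspf results with the logged Action and flags requests where a Permerror was only prepended although PermError_reject is True. The function names are hypothetical; the first sample request is abridged from the log in the first message and the second is constructed.

```python
import ast
import re

# Sample debug log. The first request (pid 33206) is abridged from the log in
# the first message of this thread; the second (pid 33207) is constructed.
SAMPLE_LOG = r'''
Dec 14 10:21:30 mr3 policyd-spf[33206]: Found the end of entry
Dec 14 10:21:30 mr3 policyd-spf[33206]: Config: {'Mail_From_reject': 'Fail', 'No_Mail': 'False', 'PermError_reject': 'True', 'HELO_reject': 'False'}
Dec 14 10:21:30 mr3 policyd-spf[33206]: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: Unknown mechanism found: -all;', 'helo']"
Dec 14 10:21:30 mr3 policyd-spf[33206]: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: Unknown mechanism found: -all;', 'mailfrom']"
Dec 14 10:21:30 mr3 policyd-spf[33206]: Action: prepend: Text: Authentication-Results: smtp4n.ena.net; spf=permerror (SPF Permanent Error: Unknown mechanism found: -all;) smtp.mailfrom=listmanager.mayoclinic.com
Dec 14 10:21:31 mr3 policyd-spf[33207]: Found the end of entry
Dec 14 10:21:31 mr3 policyd-spf[33207]: Config: {'Mail_From_reject': 'Fail', 'PermError_reject': 'True', 'HELO_reject': 'False'}
Dec 14 10:21:31 mr3 policyd-spf[33207]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'mailfrom']"
Dec 14 10:21:31 mr3 policyd-spf[33207]: Action: prepend: Text: Authentication-Results: smtp4n.ena.net; spf=pass smtp.mailfrom=example.org
'''

LINE_RE = re.compile(r"policyd-spf\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RESULT_RE = re.compile(r'^spfcheck: pyspf result: "(\[.*\])"$')
ACTION_RE = re.compile(r"^Action: ([^:]+):")


def parse_literal(text, default):
    """Parse the Python repr that the daemon writes to the log, safely."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return default


def is_true(value):
    """Config values are logged as strings ('True'), so compare textually."""
    return str(value).strip().lower() == "true"


def audit(lines):
    """Return one finding per request where a Permerror was only prepended."""
    state = {}      # pid -> {"config": dict, "results": [(result, identity)]}
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        req = state.setdefault(pid, {"config": {}, "results": []})
        result = RESULT_RE.match(msg)
        action = ACTION_RE.match(msg)
        if msg == "Found the end of entry":
            req["results"] = []              # a new request starts for this pid
        elif msg.startswith("Config: "):
            cfg = parse_literal(msg[len("Config: "):], {})
            req["config"] = cfg if isinstance(cfg, dict) else {}
        elif result:
            parsed = parse_literal(result.group(1), None)
            if isinstance(parsed, list) and len(parsed) == 3:
                req["results"].append((str(parsed[0]), str(parsed[2])))
        elif action:
            verb = action.group(1).strip().lower()
            bad = [ident for res, ident in req["results"]
                   if res.lower() == "permerror"]
            if bad and verb == "prepend" and is_true(
                    req["config"].get("PermError_reject")):
                findings.append({"pid": pid, "identities": bad, "action": verb})
            req["results"] = []
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print("pid %s: Permerror on %s but action was '%s'"
              % (f["pid"], ", ".join(f["identities"]), f["action"]))
```
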


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 12:05 PM, Scott Kitterman wrote:
> On Thursday, December 14, 2017 04:45:14 PM David Jones via spf-devel wrote:
>> I would like to up my SPF game a bit and provide feedback to those who don't
>> have a misconfigured SPF record. I have enabled debugging and only see an
>> action of prepending the AR header.
>>
>> postfix-3.0.5-1.el6.x86_64
>> python-pyspf-2.0.11-1.el6.noarch
>>
>> /etc/python-policyd-spf/policyd-spf.conf
>> debugLevel = 5
>> defaultSeedOnly = 1
>> HELO_reject = False
>> Mail_From_reject = Fail
>> No_Mail = False
>> PermError_reject = True
>> TempError_Defer = False
>> skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
>> Whitelist = 96.4.1.0/26,96.5.1.0/26
>> Header_Type = AR
>>
> ...
>>
>> How do I get the action above to reject instead of adding a header?
>
> There is a bug (that I haven't root caused yet) related to No_Mail. I believe
> if you remove No_Mail = False from your config it will work. That's the
> default anyway, so it should be fine to remove it.
>
> Scott K
>

Thank you. That did it! I am rejecting PermErrors now.

--
David Jones


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 12:47 PM, David Jones via spf-devel wrote:
> On 12/14/2017 12:05 PM, Scott Kitterman wrote:
>> On Thursday, December 14, 2017 04:45:14 PM David Jones via spf-devel
>> wrote:
>>> I would like to up my SPF game a bit and provide feedback to those
>>> who don't
>>> have a misconfigured SPF record.  I have enabled debugging and only
>>> see an
>>> action of prepending the AR header.
>>>
>>> postfix-3.0.5-1.el6.x86_64
>>> python-pyspf-2.0.11-1.el6.noarch
>>>
>>> /etc/python-policyd-spf/policyd-spf.conf
>>> debugLevel = 5
>>> defaultSeedOnly = 1
>>> HELO_reject = False
>>> Mail_From_reject = Fail
>>> No_Mail = False
>>> PermError_reject = True
>>> TempError_Defer = False
>>> skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
>>> Whitelist = 96.4.1.0/26,96.5.1.0/26
>>> Header_Type = AR
>>>
>> ...
>>>
>>> How do I get the action above to reject instead of adding a header?
>>
>> There is a bug (that I haven't root caused yet) related to No_Mail.  I
>> believe
>> if you remove No_Mail = False from your config it will work.  That's the
>> default anyway, so it should be fine to remove it.
>>
>> Scott K
>>
>
> Thank you.  That did it!  I am rejecting PermErrors now.
>

Wow! There are a lot of SPF problems out there. I wish there were a
way to bounce the emails back to admins and responsible parties but
allow the message through at the same time.

There's no good way to get feedback to mail admins unless they set up
DMARC reporting and take things seriously. It's going to take a major
push by a very large company or community to make SPF a requirement to
send email on the Internet.

I wish valid SPF records were a requirement to send on the Internet much
like FCrDNS has become a hurdle to jump.

I may end up having to back this change out and treat SPF PermErrors
like SPF Fails with a slight penalty on a spam score.

--
David Jones


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On Thursday, December 14, 2017 12:47:10 PM David Jones via spf-devel wrote:
> On 12/14/2017 12:05 PM, Scott Kitterman wrote:
> > On Thursday, December 14, 2017 04:45:14 PM David Jones via spf-devel wrote:
> >> I would like to up my SPF game a bit and provide feedback to those who
> >> don't have a misconfigured SPF record. I have enabled debugging and
> >> only see an action of prepending the AR header.
> >>
> >> postfix-3.0.5-1.el6.x86_64
> >> python-pyspf-2.0.11-1.el6.noarch
> >>
> >> /etc/python-policyd-spf/policyd-spf.conf
> >> debugLevel = 5
> >> defaultSeedOnly = 1
> >> HELO_reject = False
> >> Mail_From_reject = Fail
> >> No_Mail = False
> >> PermError_reject = True
> >> TempError_Defer = False
> >> skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
> >> Whitelist = 96.4.1.0/26,96.5.1.0/26
> >> Header_Type = AR
> >
> > ...
> >
> >> How do I get the action above to reject instead of adding a header?
> >
> > There is a bug (that I haven't root caused yet) related to No_Mail. I
> > believe if you remove No_Mail = False from your config it will work.
> > That's the default anyway, so it should be fine to remove it.
> >
> > Scott K
>
> Thank you. That did it! I am rejecting PermErrors now.

I've released version 2.0.2 now that fixes this along with a few other bugs.
Thanks for (what turned out to be) a useful bug report.

Scott K


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 02:44 PM, David Jones via spf-devel wrote:
>
> Wow!  There are a lot of SPF problems out there.  I wish there were a
> way to bounce the emails back to admins and responsible parties but
> allow the message through at the same time.
>
I send a Warning DSN to the MAIL FROM for permerror.  If the sender
doesn't accept the DSN, I blacklist the sender. 



Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 01:59 PM, Stuart Gathman wrote:
> On 12/14/2017 02:44 PM, David Jones via spf-devel wrote:
>>
>> Wow!  There are a lot of SPF problems out there.  I wish there were a
>> way to bounce the emails back to admins and responsible parties but
>> allow the message through at the same time.
>>
> I send a Warning DSN to the MAIL FROM for permerror.  If the sender
> doesn't accept the DSN, I blacklist the sender.
>
>

Care to elaborate? Are you doing this with the MTA at SMTP-time or
with some post processing of logs? If it's in the MTA, what MTA are you
running?

--
David Jones


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 03:05 PM, David Jones via spf-devel wrote:
> On 12/14/2017 01:59 PM, Stuart Gathman wrote:
>> On 12/14/2017 02:44 PM, David Jones via spf-devel wrote:
>>>
>>> Wow!  There are a lot of SPF problems out there.  I wish there were a
>>> way to bounce the emails back to admins and responsible parties but
>>> allow the message through at the same time.
>>>
>> I send a Warning DSN to the MAIL FROM for permerror.  If the sender
>> doesn't accept the DSN, I blacklist the sender.
>>
>>
>
> Care to elaborate?  Are you doing this with the MTA at SMTP-time or
> with some post processing of logs?  If it's in the MTA, what MTA are
> you running?
>
Oh sorry, I use https://github.com/sdgathman/milter

I could add that feature to spfmilter.py as well, but it is supposed to
be a *simple* SPF milter.



Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
Hi there,

On Thu, 14 Dec 2017, David Jones via spf-devel wrote:

> Wow! There are a lot of SPF problems out there.

Of the _very_ approximately two-thirds of mail-sending domains which
have SPF records, less approximately one-eighth have bad SPF records.
After looking at more than a million records, it still surprises me
how creative people can be. And you're allowed ONE record, right?
Check out 'mrlinfo.org'.

> I wish there were a way to bounce the emails back to admins and
> responsible parties but allow the message through at the same time.

I have written a milter which could do that, but if you think about it
a little I don't think you'll really want to go there.

--

73,
Ged.
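The two record faults that come up in this thread, a term like the `-all;` that pyspf reported as an unknown mechanism in the first message and the one-record rule mentioned above, can be checked before a record is published. This is an added example, not code from the thread or from pyspf: a simplified syntax check against the RFC 7208 term grammar with hypothetical function names, run on records quoted in the thread plus constructed faulty ones.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists"}   # each costs a DNS lookup
MAX_DNS_TERMS = 10                                    # RFC 7208 section 4.6.4
MODIFIER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")
MECHANISM_RE = re.compile(r"^[+\-~?]?([^:/]*)(.*)$")


def is_spf(txt):
    """True if a TXT string is an SPF record (version tag, then space or end)."""
    low = txt.lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")


def valid_network(name, arg):
    """Check the ':network' argument of an ip4 or ip6 mechanism."""
    cls = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
    try:
        cls(arg[1:], strict=False)
    except ValueError:
        return False
    return arg.startswith(":")


def lint_record(record):
    """Return the permerror-class problems found in one SPF record."""
    problems, seen, lookups = [], set(), 0
    for term in record.split()[1:]:              # skip the v=spf1 tag
        mod = MODIFIER_RE.match(term)
        if mod:                                  # unknown modifiers are legal
            name = mod.group(1).lower()
            if name in ("redirect", "exp") and name in seen:
                problems.append("modifier %s= appears more than once" % name)
            seen.add(name)
            if name == "redirect":
                lookups += 1
            continue
        name, arg = MECHANISM_RE.match(term).groups()
        name = name.lower()
        if name not in MECHANISMS:
            problems.append("unknown mechanism: %s" % term)
        elif name == "all" and arg:
            problems.append("all takes no argument: %s" % term)
        elif name in ("include", "exists") and (arg[:1] != ":" or not arg[1:]):
            problems.append("%s needs a domain: %s" % (name, term))
        elif name in ("ip4", "ip6") and not valid_network(name, arg):
            problems.append("bad %s network: %s" % (name, term))
        if name in DNS_TERMS:
            lookups += 1
    # Only this record's own terms are counted; lookups made inside included
    # records also count toward the limit when a receiver evaluates it.
    if lookups > MAX_DNS_TERMS:
        problems.append("%d DNS-querying terms; the limit is %d"
                        % (lookups, MAX_DNS_TERMS))
    return problems


def lint_rrset(txt_records):
    """Lint every TXT string published at one name."""
    spf = [t for t in txt_records if is_spf(t)]
    if not spf:
        return []            # no SPF record is result "none", not a permerror
    if len(spf) > 1:
        return ["%d SPF records published; only one is allowed" % len(spf)]
    return lint_record(spf[0])


if __name__ == "__main__":
    samples = [
        ["v=spf1 a -all"],                                   # from the thread
        ["v=spf1 ip4:85.25.149.179/32 ip6:2001:470:1f0a:58c::2/64 -all"],
        ["v=spf1 mx -all;"],                                 # constructed
        ["v=spf1 -all", "v=spf1 mx ~all"],                   # constructed
    ]
    for rrset in samples:
        print(rrset, "->", lint_rrset(rrset) or "ok")
```
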


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 03:16 PM, G.W. Haywood via spf-devel wrote:
> Hi there,
>
> On Thu, 14 Dec 2017, David Jones via spf-devel wrote:
>
>> Wow!  There are a lot of SPF problems out there.
>
> Of the _very_ approximately two-thirds of mail-sending domains which
> have SPF records, less approximately one-eighth have bad SPF records.
> After looking at more than a million records, it still surprises me
> how creative people can be.  And you're allowed ONE record, right?
> Check out 'mrlinfo.org'.
>
>> I wish there were a way to bounce the emails back to admins and
>> responsible parties but allow the message through at the same time.
>
> I have written a milter which could do that, but if you think about it
> a little I don't think you'll really want to go there.
>

Wow! Unbelievable. I have sent them an email trying to help get a
correct SPF record. We will see if their IT support fixed it.

Check out zayo.com. They seem to have listed all of their own IP space.
Any infected computer on their network could send an email spoofing
zayo.com and it would pass SPF checks. Funny thing is their corporate
email is hosted on Google and they don't even have the standard Google
include in all of that.

--
David Jones


RE: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
I'm rather new to working with SPF records but isn't being able
to report incorrect SPF and DKIM records part of the purpose of
DMARC? Assuming they have DMARC correctly configured of course.

Scott


---------------------------------------
Scott Parrill
Systems Administrator
IT/Telecom and System Support Services
University of Wyoming
sparrill@uwyo.edu
307-766-4829


-----Original Message-----
From: David Jones via spf-devel [mailto:spf-devel@listbox.com]
Sent: Thursday, December 14, 2017 2:29 PM
To: spf-devel@listbox.com; G.W. Haywood <spf@jubileegroup.co.uk>
Subject: Re: [spf-devel] Problem getting python-policyd-spf to reject on Permerror

On 12/14/2017 03:16 PM, G.W. Haywood via spf-devel wrote:
> Hi there,
>
> On Thu, 14 Dec 2017, David Jones via spf-devel wrote:
>
>> Wow!  There are a lot of SPF problems out there.
>
> Of the _very_ approximately two-thirds of mail-sending domains which
> have SPF records, less approximately one-eighth have bad SPF records.
> After looking at more than a million records, it still surprises me
> how creative people can be.  And you're allowed ONE record, right?
> Check out 'mrlinfo.org'.
>
>> I wish there were a way to bounce the emails back to admins and
>> responsible parties but allow the message through at the same time.
>
> I have written a milter which could do that, but if you think about it
> a little I don't think you'll really want to go there.
>

Wow! Unbelievable. I have sent them an email trying to help get a
correct SPF record. We will see if their IT support fixed it.

Check out zayo.com. They seem to have listed all of their own IP space.
Any infected computer on their network could send an email spoofing
zayo.com and it would pass SPF checks. Funny thing is their corporate
email is hosted on Google and they don't even have the standard Google
include in all of that.

--
David Jones



Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 04:16 PM, G.W. Haywood via spf-devel wrote:
>
> Of the _very_ approximately two-thirds of mail-sending domains which
> have SPF records, less approximately one-eighth have bad SPF records.
> After looking at more than a million records, it still surprises me
> how creative people can be.  And you're allowed ONE record, right?
> Check out 'mrlinfo.org'.
Most of the correct SPF records are for spam domains.  (Or so it seems.)


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 12/14/2017 03:48 PM, Scott M. Parrill wrote:
> I'm rather new to working with SPF records but isn't being able
> to report incorrect SPF and DKIM records part of the purpose of
> DMARC? Assuming they have DMARC correctly configured of course.
>
> Scott
>
>

Seems like most sysadmins/mail admins have just heard about SPF recently
when Google and other mail providers started taking SPF seriously about
3 years ago to put SPF soft fails into the Spam/Junk folders and
rejecting for SPF hard fails.

Google does do a good job to lead the way with good bounce messages with
links to good documentation. I guess it's going to take Google stepping
up and bouncing Permerrors before sysadmins are going to fix their SPF
record problems and enable DMARC reporting.

DMARC is good for feedback but it takes a skilled mail admin that
understands the details of SPF and DKIM to set up and parse the feedback
XML reports. You can outsource this report gathering and summarization
to companies like Dmarcian.com but it still takes some skilled analysis
and lots of time -- like months of gathering DMARC report feedback to
get an accurate picture of legit sources of email for a domain for a
complete SPF record.

I wish the industry as a whole would push toward making SPF records
mandatory with correct syntax (no Permerrors) before email would deliver
much like FCrDNS is pretty much mandatory these days.

Then we would move on to DKIM, DMARC and ARC...

--
David Jones


Re: Problem getting python-policyd-spf to reject on Permerror [ In reply to ]
On 14/12/2017 23:03, David Jones via spf-devel wrote:
> On 12/14/2017 03:48 PM, Scott M. Parrill wrote:
>> I'm rather new to working with SPF records but isn't being able
>> to report incorrect SPF and DKIM records part of the purpose of
>> DMARC?  Assuming they have DMARC correctly configured of course.
>>
>> Scott
>>
>>
>
> Seems like most sysadmins/mail admins have just heard about SPF
> recently when Google and other mail providers started taking SPF
> seriously about 3 years ago to put SPF soft fails into the Spam/Junk
> folders and rejecting for SPF hard fails.
>
> Google does do a good job to lead the way with good bounce messages
> with links to good documentation.  I guess it's going to take Google
> stepping up and bouncing Permerrors before sysadmins are going to fix
> their SPF record problems and enable DMARC reporting.
>
> DMARC is good for feedback but it takes a skilled mail admin that
> understands the details of SPF and DKIM to setup and parse the
> feedback XML reports.  You can outsource this report gathering and
> summarization to companies like Dmarcian.com but it still takes some
> skilled analysis and lots of time -- like months of gathering DMARC
> report feedback to get an accurate picture of legit sources of email
> for a domain for a complete SPF record.
>
> I wish the industry as a whole would push toward making SPF records
> mandatory with correct syntax (no Permerrors) before email would
> deliver much like FCrDNS is pretty much mandatory these days.

Hi guys. We have an RBL project based on SPF here in Brazil:

http://spfbl.net/en/dnsbl

This is a GPL project called SPFBL. This project uses SPF technology for
sender validation and makes a sender reputation too:

https://github.com/leonamp/SPFBL

Many providers are correcting the customer's SPF here and the results
with FAIL are dropping because this result affects the origin IP
reputation. The SOFTFAIL causes a defer, so this result is dropping here
too.

>
> Then we would move on to DKIM, DMARC and ARC...
>

We are implementing DKIM validation at this moment. DMARC will be
implemented next year.



