Mailing List Archive

SPF -all domain survey
A few days ago I got curious about the number of domains that actually
use -all at the end of their SPF records. I gathered some sources of
domain names, and set up a web site to track it all: http://spf-all.com

I am still in the process of loading domains. The text on the main page
(the counters and lists) currently updates every hour.

If you have any suggestions for content or presentation or new sources
for domain names (see the About page), please let me know!

Greg Hewgill
http://hewgill.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=74151005-dc8838
Powered by Listbox: http://www.listbox.com
Re: SPF -all domain survey
Hi Greg,

we're setting up -all records by default (changed on request) for all
of our hosting clients.

for privacy reasons i'm unable to hand out a list of domains, additionally
i personally would like to know why you're collecting/publishing these
domains?

is there any advantage of having such a list publicly available?

Regards,
Stephan

Greg Hewgill wrote:
> A few days ago I got curious about the number of domains that actually
> use -all at the end of their SPF records. I gathered some sources of
> domain names, and set up a web site to track it all: http://spf-all.com
>
> I am still in the process of loading domains. The text on the main page
> (the counters and lists) currently updates every hour.
>
> If you have any suggestions for content or presentation or new sources
> for domain names (see the About page), please let me know!
>
> Greg Hewgill
> http://hewgill.com


--
Stephan Seitz
Senior System Administrator

*netz-haut* e.K.
multimediale kommunikation

zweierweg 22
97074 würzburg

fon: +49 931 2876247
fax: +49 931 2876248

web: www.netz-haut.de <http://www.netz-haut.de/>

registriergericht: amtsgericht würzburg, hra 5054

-------------------------------------------
Re: SPF -all domain survey
Greg Hewgill wrote:

> I gathered some sources of domain names, and set up a web site to track
> it all: http://spf-all.com

Your page says "is a forgery" for "-all", that's an over-simplification.

Actually it means "match anything else with result FAIL in this test".
It could be a forgery. It could be legit, and the receiver checked
at the wrong place against a FAILing IP.

A "+all" could be a part of a non-trivial include:not-me-scheme, where it
later turns out to be bad. A "+all" in the sense of "all IPs worldwide
are permitted to send mail from me" is "odd", but still a valid statement.

Your test will "miss" gmx.at and gmx.ch, they redirect to gmx.net (you
have gmx.net already, I submitted gmx.de). I hope you don't count any
wildcards, that could spoil your statistics. I've added a link to your
site from <http://www.openspf.org/Statistics> - about 1 of 400 domains
isn't much, but of course "number of domains" and "number of mails" are
anyway different.

Frank

-------------------------------------------
RE: SPF -all domain survey
} -----Original Message-----
} From: Greg Hewgill [mailto:greg@hewgill.com]
} Sent: Monday, December 10, 2007 3:30 AM
} To: spf-discuss@v2.listbox.com
} Subject: [spf-discuss] SPF -all domain survey
}
} A few days ago I got curious about the number of domains that actually
} use -all at the end of their SPF records. I gathered some sources of
} domain names, and set up a web site to track it all: http://spf-all.com
}
} I am still in the process of loading domains. The text on the main page
} (the counters and lists) currently updates every hour.
}
} If you have any suggestions for content or presentation or new sources
} for domain names (see the About page), please let me know!
}
} Greg Hewgill
} http://hewgill.com

Greg,
You have a bug. It is not checking the correct TXT record. I have
2 TXT records, you should be looking for the one with v=spf1. I think you
are just looking at the first one you find.

The domain watkins-home.com has an SPF record, but it does not end with
-all.

The SPF record is:

line1line2line3line4line5Line n

dig watkins-home.com txt
returns:
watkins-home.com. 360000 IN TXT "v=spf1 mx " "ip4:63.240.76.0/17 " "ip4:204.127.192.0/18 " "ip4:206.18.177.0/24 " "ip4:216.148.227.0/24 " "+exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d}.spf-tracker.watkins-home.com " "?all"
watkins-home.com. 360000 IN TXT "line1" "line2" "line3" "line4" "line5" "Line n"

Thanks,
Guy

-------------------------------------------
Re: SPF -all domain survey
On Monday 10 December 2007 03:59, Stephan Seitz wrote:
> Hi Greg,
>
> we're setting up -all records by default (changed on request) for all
> of our hosting clients.
>
Do you discuss this with your clients?

How do you know you have a complete list of mail servers from which your
clients send mail?

Scott K

-------------------------------------------
Re: SPF -all domain survey
Greg Hewgill wrote:
> A few days ago I got curious about the number of domains that actually
> use -all at the end of their SPF records. I gathered some sources of
> domain names, and set up a web site to track it all: http://spf-all.com
>
> I am still in the process of loading domains. The text on the main page
> (the counters and lists) currently updates every hour.
>
> If you have any suggestions for content or presentation or new sources
> for domain names (see the About page), please let me know!
>
>
I note that your checker does not take into account the 'redirect='
keyword when parsing spf records. This makes my domain not appear.....

Philip

-------------------------------------------
Re: SPF -all domain survey
On Mon, Dec 10, 2007 at 08:30:14AM +0000, Greg Hewgill wrote:
> A few days ago I got curious about the number of domains that actually
> use -all at the end of their SPF records. I gathered some sources of
> domain names, and set up a web site to track it all: http://spf-all.com
>
> I am still in the process of loading domains. The text on the main page
> (the counters and lists) currently updates every hour.
>
> If you have any suggestions for content or presentation or new sources
> for domain names (see the About page), please let me know!

You wrote "... and are safe from email forgery."

This is too optimistic (unfortunately).

SPF will only work if both ends of the email transaction are using it,
meaning if a receiver does not use SPF, it will just accept the email.
Quite often these are also the receivers which will accept a message,
detect a virus or spam in it, and then "return" it to the "sender".

Even if both ends are using SPF, misdirected bounces can still occur.
Yes, even when someone publishes -all.

To balance things, you may want to keep score on providers not checking
SPF records.

my 2c
Alex

-------------------------------------------
Re: SPF -all domain survey
Stephan Seitz wrote:

> for privacy reasons i'm unable to hand out a list of domains

Publishing a sender policy makes it public, but of course you
won't hand out a list of your clients. You could tell them
where they can submit their domain if they want to be counted.

> is there any advantage of having such a list publicly
> available?

As info for admins who dare not publish -all it might help
to convince them that others survived the experience.

As info for spammers "do not abuse these domains, they are
protected by SPF FAIL" it could in theory also help (?)

As statistics about hardcore SPF adoption it's interesting.

SPF without FAIL can still offer PASS, that's better than
nothing for receivers (= "can accept and bounce later").

PASS could also be used in scoring with white lists or
other reputation systems (e.g. DAC-VBR). SPF without PASS
*and* without FAIL is pointless, but the simple statistics
for the top 500 Alexa sites (and others) counts anything
starting with "v=spf1 ", even a dummy "v=spf1 ?all".

Frank

-------------------------------------------
Re: SPF -all domain survey
--On 10 December 2007 16:01:44 +0100 Alex van den Bogaerdt
<alex@ergens.op.het.net> wrote:

>
> You wrote "... and are safe from email forgery."
>
> This is too optimistic (unfortunately).
>
> SPF will only work if both ends of the email transaction are using it,
> meaning if a receiver does not use SPF, it will just accept the email.

Well, yes, but I suspect that the whole purpose of the site is to help
managers of sites receiving email to determine whether it's worth using SPF
to either filter or score email. There's probably a general feeling in the
postmaster community that too few sites do so to make it worthwhile.

This web site makes it clear that there are plenty of domains publishing
strong SPF policies.

Hopefully this will encourage postmasters to respect the policies, and that
in turn will encourage more domains to publish them, in a virtuous circle.

It's definitely a valuable site. It could be more useful with better
explanation of how postmasters can configure their mail systems to respect
the policies, in a realistic manner that won't upset their customers (for
example, by allowing individuals to opt out in the event that they have
mail forwarding).


> Quite often these are also the receivers which will accept a message,
> detect a virus or spam in it, and then "return" it to the "sender".
>



--
Ian Eiloart
IT Services, University of Sussex
x3148

-------------------------------------------
Re: SPF -all domain survey
On Mon, Dec 10, 2007 at 04:25:15PM +0000, Ian Eiloart wrote:

> >This is too optimistic (unfortunately).
> >
> >SPF will only work if both ends of the email transaction are using it,
> >meaning if a receiver does not use SPF, it will just accept the email.
>
> Well, yes, but I suspect that the whole purpose of the site is to help
> managers of sites receiving email to determine whether it's worth using SPF
> to either filter or score email. There's probably a general feeling in the
> postmaster community that too few sites do so to make it worthwhile.

I understand, but do you understand it may be counterproductive to
raise expectations too high for those publishing SPF policies?

If one promises SPF will stop forgery now, people will be disappointed.


The site should also point out that publishing an SPF record does not
stop all misdirected bounces from coming in.

I've seen a lot of tickets (no, I didn't count them) from people who
are wondering why they still see such bounces, even though they published
a policy ending in -all. I can see how they feel misled by well meaning
but nevertheless wrong statements about SPF.

cheers
alex

-------------------------------------------
Re: SPF -all domain survey
Thanks for the feedback so far on spf-all.com.

I should have mentioned that there are a few cases not yet handled that
I will be considering:

- use of redirect= to make one domain the same as another
- ending a record with include: to include another record that ends in
-all

There may be other unusual cases that I should consider. This mailing
list is probably a good source of test cases!

I would also like to try to exclude DNS wildcard records from the
statistics as this may skew the results. For example, there is a
*.livejournal.com record that is "v=spf1 -all". In this case I can
query the literal "*.livejournal.com" record and receive the TXT reply;
I could then exclude all subdomains from the statistics. However, this
doesn't consider all cases because there is for example a
"pics.livejournal.com" that is different and has no TXT record at all.
I don't believe there is a reliable way to find out what is a wildcard
and what isn't from a DNS server, though.

I deliberately made the wording on the site optimistic and a bit
simplified. There are certainly a number of conditions required for SPF
-all to succeed - the most obvious is that any receiver must be
checking SPF records in the first place.

Why am I doing this? The first reason is curiosity. The story is that a
friend noticed that his bank uses -all, and I was curious just how many
domains really did take their sender policy seriously. Second, as Ian
mentioned, it exists to help encourage postmasters to use SPF -all
because there are already plenty of domains doing so.

Greg Hewgill
http://hewgill.com

-------------------------------------------
Re: SPF -all domain survey
On Mon, Dec 10, 2007 at 07:27:21AM -0500, Guy wrote:
> You have a bug. It is not checking the correct TXT record.

Your domain does indeed have two TXT records, and I am checking the
correct one. Your SPF record ends in ?all, so it is not counted. Were
you expecting a different result?

Greg Hewgill
http://hewgill.com

-------------------------------------------
Re: SPF -all domain survey
On Mon, Dec 10, 2007 at 04:01:44PM +0100, Alex van den Bogaerdt wrote:
> To balance things, you may want to keep score on providers not checking
> SPF records.

If you can think of a way to do this non-invasively (that is, without
actually sending any email!) then perhaps it would be possible to
collect such statistics. Otherwise, I am certainly unwilling to send
any email to test such a policy.

Greg Hewgill
http://hewgill.com

-------------------------------------------
Re: SPF -all domain survey
On Mon, 10 Dec 2007, Greg Hewgill wrote:

> Thanks for the feedback so far on spf-all.com.
>
> I should have mentioned that there are a few cases not yet handled that
> I will be considering:
>
> - use of redirect= to make one domain the same as another
> - ending a record with include: to include another record that ends in
> -all
>
> There may be other unusual cases that I should consider. This mailing
> list is probably a good source of test cases!

Of course, "-all" is only a heuristic test. An accurate but less-trivial
way to rate SPF records is by number of IPs in the pass/neutral/softfail/fail
sets. A "v=spf1 +all" would have 2^32,0,0,0. A "v=spf1 -all" 0,0,0,2^32.
But "v=spf1 ip4:1.2.3.4/0 -all" would have 2^32,0,0,0 also - despite the
"-all". Giant email providers might have thousands of authorized IPs -
despite having strict SPF records - but they have more problems policing
their millions of users, so that's fair.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
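
The IP-count rating described in the message above, worked through as an added example (not code from the thread or from spf-all.com). It assumes records built only from ip4: and all terms, because a, mx, include, exists and ptr need DNS lookups; the function names are illustrative.

```python
import ipaddress

TOTAL = 2 ** 32
RESULT = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}


def subtract(intervals, lo, hi):
    """Remove the inclusive range [lo, hi] from a list of disjoint
    inclusive integer intervals. Returns (remaining, addresses_removed)."""
    kept, removed = [], 0
    for a, b in intervals:
        if b < lo or a > hi:            # no overlap with this interval
            kept.append((a, b))
            continue
        removed += min(b, hi) - max(a, lo) + 1
        if a < lo:
            kept.append((a, lo - 1))
        if b > hi:
            kept.append((hi + 1, b))
    return kept, removed


def ipv4_set_sizes(record):
    """Count IPv4 addresses per SPF result for one record.

    Terms are evaluated left to right and the first match wins, so each
    address is credited to the first term that covers it. Addresses that
    no term covers get the default result, neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    sizes = dict.fromkeys(RESULT.values(), 0)
    unclaimed = [(0, TOTAL - 1)]
    for term in terms[1:]:
        # A missing qualifier means '+'.
        qualifier, body = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name = body.lower()
        if name == "all":
            lo, hi = 0, TOTAL - 1
        elif name.startswith("ip4:"):
            # strict=False accepts host bits, so 1.2.3.4/0 is 0.0.0.0/0.
            net = ipaddress.IPv4Network(body[4:], strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        elif name.startswith("exp="):
            continue                    # explanation text, no effect on result
        else:
            raise NotImplementedError(f"{term!r} needs DNS or IPv6 handling")
        unclaimed, claimed = subtract(unclaimed, lo, hi)
        sizes[RESULT[qualifier]] += claimed
        if name == "all":
            break                       # nothing after all is ever tested
    sizes["neutral"] += sum(b - a + 1 for a, b in unclaimed)
    return sizes


if __name__ == "__main__":
    # Records quoted in the message, plus one constructed record.
    for rec in ("v=spf1 +all", "v=spf1 -all", "v=spf1 ip4:1.2.3.4/0 -all",
                "v=spf1 -ip4:192.0.2.0/25 ip4:192.0.2.0/24 ~all"):
        print(rec, ipv4_set_sizes(rec))
```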

-------------------------------------------
Re: SPF -all domain survey
On Mon, Dec 10, 2007 at 06:48:26PM +0000, Greg Hewgill wrote:
> On Mon, Dec 10, 2007 at 04:01:44PM +0100, Alex van den Bogaerdt wrote:
> > To balance things, you may want to keep score on providers not checking
> > SPF records.
>
> If you can think of a way to do this non-invasively (that is, without
> actually sending any email!) then perhaps it would be possible to
> collect such statistics. Otherwise, I am certainly unwilling to send
> any email to test such a policy.

I understand, and I agree.

100% reliability will be hard to achieve, but here's a possible
way to start:

Let people send you misdirected bounces which shouldn't have happened
due to SPF. As more and more come in, you find that many reports are
supporting each other.

If you want to reduce (perhaps even eliminate) the chance that a whole
bunch of forged reports generate an entry on your site, you could send
mail to postmaster, asking them about their SPF policy. You do so from
a server resulting in FAIL. If that bounces, you don't list them.

Yes, this would mean sending mail, but I believe that this is within
reason. You would be doing so after the domain sent many bounces, and
you ask them about this.

-------------------------------------------
Re: SPF -all domain survey
Greg Hewgill wrote:

> I will be considering:
> - use of redirect= to make one domain the same as another

Thanks.

> - ending a record with include: to include another record
> that ends in -all

Skip that test, "including" a "-all" policy only results in
"no match" for the include, it won't return a FAIL. This
include business is only for matching, i.e. to see if the
included IPs would PASS if used directly. After that the
"including" policy could still say that those IPs are only
NEUTRAL (you could have ?include:dubious.isp.example etc.)

> I would also like to try to exclude DNS wildcard records
> from the statistics as this may skew the results.

ACK, stay away from foo.claranet.de, that's covered by a
wildcard with a redirect= to a FAIL policy.

> I could then exclude all subdomains from the statistics.

AFAIK that's not how wildcards work, there can be real
whatever.livejournal.com not covered by their wildcard.
Example, pop.claranet.de has no SPF policy, unlike foo,
bar, www, or xyzzy.claranet.de.

> I don't believe there is a reliable way to find out
> what is a wildcard and what isn't from a DNS server

Maybe you can ask for the policy of *.claranet.de, if
it's the same as for foo.claranet.de don't count it (?)

And then pop.claranet.de clearly counts as "no SPF", it
is very different from *.claranet.de (better check it).

If you find a better solution for the wildcard issue
please tell us how this works, I'm always curious. :-)

Frank

-------------------------------------------
Re: SPF -all domain survey
Alex van den Bogaerdt wrote:

> Let people send you misdirected bounces which shouldn't have
> happened due to SPF. As more and more come in, you find that
> many reports are supporting each other.

Sounds like a full time job for a research project. Even
spamcop doesn't try this, they get tons of bounces, but it's
not *obvious* if that should have been a rejected SPF FAIL:

Policies change, not all bounces go to the envelope sender,
and the reported bounce doesn't necessarily say to which
address it was sent, the 2822-To could be misleading. :-(

> Yes, this would mean sending mail, but I believe that
> this is within reason.

Well, I do this sometimes (directly or via Spamcop) when I
get a misdirected bounce, but of course I'm entitled to say
that I don't want misdirected bounces, and why they should
reject SPF FAIL: they sent me mail first, I can answer :-)

Frank

-------------------------------------------
Re: SPF -all domain survey
Scott Kitterman wrote:
> On Monday 10 December 2007 03:59, Stephan Seitz wrote:
>> Hi Greg,
>>
>> we're setting up -all records by default (changed on request) for all
>> of our hosting clients.
>>
> Do you discuss this with your clients?

Hi Scott,

most of our clients are not really involved in technical issues. Generally,
they just want to know "it works".
If we show up the pros and cons of spf records, the question is never which
particular setting to use, it's more like a "we'll use your smarthosts and
you're taking care that our blackberry devices continue to work"

>
> How do you know you have a complete list of mail servers from which your
> clients send mail?
as said, we're providing smarthosts for our clients. They're in no way
forced to use them, we just try to give a good service for fair money.
The spf record is set after such decisions are made.

Additionally, i must say that SPF causes minimal amount of tickets,
compared to e.g. how to setup a new IMAP account ;)
Sometimes, even positive responses arrive, stating that "THE MAILER-DAEMON"
is writing much less.

Stephan


>
> Scott K


--
Stephan Seitz
Senior System Administrator

*netz-haut* e.K.
multimediale kommunikation

zweierweg 22
97074 würzburg

fon: +49 931 2876247
fax: +49 931 2876248

web: www.netz-haut.de <http://www.netz-haut.de/>

registriergericht: amtsgericht würzburg, hra 5054

-------------------------------------------
Re: SPF -all domain survey
On Monday 10 December 2007 15:40, Stephan Seitz wrote:
> Scott Kitterman wrote:
> > On Monday 10 December 2007 03:59, Stephan Seitz wrote:
> >> Hi Greg,
> >>
> >> we're setting up -all records by default (changed on request) for all
> >> of our hosting clients.
> >
> > Do you discuss this with your clients?
>
> Hi Scott,
>
> most of our clients are not really involved in technical issues. Generally,
> they just want to know "it works".
> If we show up the pros and cons of spf records, the question is never which
> particular setting to use, it's more like a "we'll use your smarthosts and
> you're taking care that our blackberry devices continue to work"
>
> > How do you know you have a complete list of mail servers from which your
> > clients send mail?
>
> as said, we're providing smarthosts for our clients. They're in no way
> forced to use them, we just try to give a good service for fair money.
> The spf record is set after such decisions are made.

How does using your service mean that they use no others?

> Additionally, i must say that SPF causes minimal amount of tickets,
> compared to e.g. how to setup a new IMAP account ;)
> Sometimes, even positive responses arrive, stating that "THE MAILER-DAEMON"
> is writing much less.

Yes. The problem is we usually get them here after someone gets a
bounce/rejection message with a link to the SPF Why page:

http://www.openspf.org/Why

When providers publish SPF records on behalf of their clients without finding
out how they send mail, it puts the support burden on us. This is, in my
experience, by far the number one cause of people submitting support tickets
to openspf.org about rejected mail. Often it's their first contact with SPF
and it's not a happy one.

If you actually know they only use your service, that's great, but please make
sure you know it and aren't just assuming it.

Scott K

-------------------------------------------
RE: SPF -all domain survey
The results were:
========================================
The domain watkins-home.com has an SPF record, but it does not end with
-all.

The SPF record is:

line1line2line3line4line5Line n
========================================

The above is from your web page. It used the wrong record.

I bet you only check the first (or last) record you find. Try checking my
domain about 4 or so times. You will get some correct and some bogus. My
domain does not end with -all, but that is not what I am referring to.

Just trying to help.

Guy

} -----Original Message-----
} From: Greg Hewgill [mailto:greg@hewgill.com]
} Sent: Monday, December 10, 2007 1:46 PM
} To: spf-discuss@v2.listbox.com
} Subject: Re: [spf-discuss] SPF -all domain survey
}
} On Mon, Dec 10, 2007 at 07:27:21AM -0500, Guy wrote:
} > You have a bug. It is not checking the correct TXT record.
}
} Your domain does indeed have two TXT records, and I am checking the
} correct one. Your SPF record ends in ?all, so it is not counted. Were
} you expecting a different result?
}
} Greg Hewgill
} http://hewgill.com

-------------------------------------------
Re: SPF -all domain survey
On Mon, Dec 10, 2007 at 05:15:38PM -0500, Guy wrote:
> The above is from your web page. It used the wrong record.

Oh, I see the problem now. I had intended to look for the first TXT
record starting with v=spf1, but a logic error prevented the display
from showing the correct record.

The checker did indeed see that your v=spf1 record did not end in -all,
but was actually displaying the last TXT record seen. So, the wrong
result was displayed. This only happened on domains that publish any
TXT records that are not SPF records. Thanks for finding this!

As an aside, what should happen if a domain has multiple TXT records
that start with v=spf1? I found a couple of those.

Greg Hewgill
http://hewgill.com

-------------------------------------------
Re: SPF -all domain survey

Greg Hewgill wrote:
> As an aside, what should happen if a domain has multiple TXT records
> that start with v=spf1? I found a couple of those.

According to the SPF specification this is an error condition:

http://www.openspf.org/RFC_4408#version


-------------------------------------------
Re: SPF -all domain survey

Greg Hewgill wrote:
> Thanks for the feedback so far on spf-all.com.
>
> I should have mentioned that there are a few cases not yet handled that
> I will be considering:
>
> - use of redirect= to make one domain the same as another

Careful! There are records out there like "v=spf1 a mx redirect=<other-
domain>". Those policies aren't just identical to that of <other-domain>
but have policy information of their own and only redirect to the other
domain if none of the mechanisms match.


-------------------------------------------
Re: SPF -all domain survey
Julian Mehnle wrote:

>> I will be considering:
>> - use of redirect= to make one domain the same as another

> Careful! There are records out there like "v=spf1 a mx
> redirect=<other-domain>". Those policies aren't just
> identical to that of <other-domain> but have policy
> information of their own and only redirect to the other
> domain if none of the mechanisms match.

He's looking for "-all" at the end, and "redirect=" is
a glorified "goto", it should be good enough for "-all"
statistics. He's not going to look for multiple "all"
conflicting with the "redirect=", syntax errors, or a
disguised "+all", just "-all" at (or near) the end...

...I hope, a "v=spf1 -all exp=disclaimer.example.com"
should of course be counted. ;-)

Frank

-------------------------------------------
Re: SPF -all domain survey
On Mon, Dec 10, 2007 at 08:30:14AM +0000, Greg Hewgill wrote:
> A few days ago I got curious about the number of domains that actually
> use -all at the end of their SPF records.

What does your script do when you encounter something weird but valid like:

"v=spf1 ip4:1.2.3.4 -all mx ptr a"

?


And what happens with:

"v=spf1 ip4:0.0.0.0/128 ip4:128.0.0.0/128 -all"

and alike?
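
The parsing cases raised across this thread (picking the v=spf1 record among several TXT records, more than one v=spf1 record, redirect=, include:, terms after all, exp= after -all), gathered into one added example that is not the spf-all.com checker or any poster's code. The zone is a constructed in-memory table except for the watkins-home.com strings, which are the ones quoted earlier in the thread; function names are illustrative and macros in redirect= targets are not expanded.

```python
import re

QUALIFIERS = "+-~?"
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=(.*)$")
MAX_REDIRECTS = 10   # guard chosen for this example


def spf_records(txt_rrset):
    """Each TXT record is a list of character-strings; they are joined
    with no separator before the v=spf1 version check."""
    joined = ["".join(chunks) for chunks in txt_rrset]
    return [r for r in joined
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def default_result(domain, zone, seen=None):
    """Result for a sender that matches nothing before `all`:
    '+', '-', '~', '?', 'none' (no SPF record) or 'permerror'."""
    seen = set() if seen is None else seen
    if domain in seen or len(seen) >= MAX_REDIRECTS:
        return "permerror"              # redirect loop or chain too long
    seen.add(domain)
    records = spf_records(zone.get(domain, []))
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # several v=spf1 records is an error
    redirect = None
    for term in records[0].split()[1:]:
        m = MODIFIER.match(term)
        if m:                           # exp=, redirect=, unknown modifiers
            if m.group(1).lower() == "redirect":
                redirect = m.group(2)
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return qualifier            # later terms and redirect= are dead
        # include: is deliberately not followed: an included -all only
        # means "no match" for the include, never FAIL for the includer.
    if redirect:
        target = default_result(redirect.lower().rstrip("."), zone, seen)
        return "permerror" if target == "none" else target
    return "?"                          # no all, no redirect: neutral


def survey(zone):
    """Domains a '-all' survey should count."""
    return sorted(d for d in zone if default_result(d, zone) == "-")


# Constructed sample zone; only the watkins-home.com strings come from the thread.
ZONE = {
    "watkins-home.com": [
        ["line1", "line2", "line3", "line4", "line5", "Line n"],
        ["v=spf1 mx ", "ip4:63.240.76.0/17 ", "ip4:204.127.192.0/18 ",
         "ip4:206.18.177.0/24 ", "ip4:216.148.227.0/24 ",
         "+exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d}"
         ".spf-tracker.watkins-home.com ", "?all"],
    ],
    "strict.example": [["v=spf1 -all exp=disclaimer.example.com"]],
    "alias.example": [["v=spf1 a mx redirect=strict.example"]],
    "includer.example": [["v=spf1 include:strict.example"]],
    "odd.example": [["v=spf1 ip4:1.2.3.4 -all mx ptr a"]],
    "twice.example": [["v=spf1 -all"], ["v=spf1 ?all"]],
    "loop.example": [["v=spf1 redirect=loop.example"]],
    "dangling.example": [["v=spf1 redirect=missing.example"]],
}

if __name__ == "__main__":
    for name in ZONE:
        print(f"{name:20} {default_result(name, ZONE)}")
    print("counted:", survey(ZONE))
```

A default of '-' says nothing about how much address space the earlier mechanisms already pass, so a record such as "v=spf1 ip4:1.2.3.4/0 -all" is still counted here.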
