Mailing List Archive

If the from address remains the same, then put in a SPF entry for the
bat17.co.uk domain that includes your ISPs mail servers that are doing
the forwarding.

Josh

-----Original Message-----
From: Peter Saunders [mailto:bat17.99@gmail.com]
Sent: Monday, August 30, 2004 12:04 PM
To: spf-help@v2.listbox.com
Subject: [spf-help] forwarding accounts

I have a registerd domain Bat17.co.uk which is parked with a hosting
company. This company forwards my mail to my isp. I am now getting
mail to my isp blocked because my forwarding account does not match
the original senders list.

How can I avoid having my mail blocked?

Peter

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

That's RDNS lookup failures that hopefully can be corrected with SPF.
What you will want to do is add an SPF record that has your Domain MX
for Receiving mail *and* add your ISP domain for sending mail FROM.

Lets remember what SPF is for, its for the ability of businesses to
protect their domain by not allowing people to say they are from one
company or another. This will help with stopping of viruses as well that
use address books because you will have SPF failures on those mails as
well. SPF was not specifically designed for someone running their mail
through multiple forwarders and things to get it at home.

If you want to really fix your email issue consider getting mail hosting
whereas the MX record for your domain is the send/receive for the domain
you will be much happier.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Peter Saunders
Sent: Monday, August 30, 2004 12:04 PM
To: spf-help@v2.listbox.com
Subject: [spf-help] forwarding accounts

I have a registerd domain Bat17.co.uk which is parked with a hosting
company. This company forwards my mail to my isp. I am now getting mail
to my isp blocked because my forwarding account does not match the
original senders list.

How can I avoid having my mail blocked?

Peter

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com


--------------------------------------------------------------------------------
This email is intended only for the named recipents. All email is monitored and archived for compliance requirements.
The views or context in this message may not reflect the view or context of the company.
--------------------------------------------------------------------------------



-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Mon, Aug 30, 2004 at 05:03:52PM +0100, Peter Saunders wrote:
> I have a registerd domain Bat17.co.uk which is parked with a hosting
> company. This company forwards my mail to my isp. I am now getting
> mail to my isp blocked because my forwarding account does not match
> the original senders list.
>
> How can I avoid having my mail blocked?

The short answer is: have the forwarder implement SRS.

Tell me if I understand this correctly: the hosting company forwards
mail received for bat17.co.uk, your isp's incoming mx'es receive this
mail and check spf. The received mail fails spf for domains that have
published spf records.

If this is correct, there's only two options:

- Have the forwarder implement SRS
- Have the receiving MX whitelist the forwarder's outgoing mail servers

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Mon, Aug 30, 2004 at 12:08:00PM -0400, Joshua Pyle wrote:
> If the from address remains the same, then put in a SPF entry for the
> bat17.co.uk domain that includes your ISPs mail servers that are doing
> the forwarding.

This will only work for mail coming from bat17.co.uk, not for arbitrary
mail from domains with published spf records that are forwarded through
the hosting companies servers.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Mon, 30 Aug 2004 12:08:00 -0400, Joshua Pyle <jpyle@mansellgroup.com> wrote:
> If the from address remains the same, then put in a SPF entry for the
> bat17.co.uk domain that includes your ISPs mail servers that are doing
> the forwarding.
>

The from address varies because it is anyone who sends mail to me.
The forwarding is done by Freeparking.co.uk which is the company who
host my domain. they forward it to my email account with Freedom to
Surf which is my ISP.

I would imagine that there must be a lot of individuals/clubs who have
this same sort of set-up who will fall foul of SPF

Peter

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

I think if you add the ISP servers you will be Okay. There was some
discussion in the spf.pobox.com site regarding forwarding mail to
different accounts etc. You may have to end up not putting an spf record
at all ?!

My *understanding* of the SPF record is supposed to allow you to state
which domains/Ips may send mail on your behalf (relay/proxy/redirect).
If you put your ISP servers into your SPF record they will show up in an
SPF check that those servers can send mail as you. This at least limits
anyone spoofing your domain to your ISP.



--------------------------------------------------------------------------------
This email is intended only for the named recipents. All email is monitored and archived for compliance requirements.
The views or context in this message may not reflect the view or context of the company.
--------------------------------------------------------------------------------



-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

SPF was not specifically designed for someone running their mail
> through multiple forwarders and things to get it at home.

I is not run through multiple forwarders but just the company that
hosts my domain.
That company sends any email recived to a pop3 account I have with my isp.
There is a facillity though to forward to oteraddress depending on the address.


> If you want to really fix your email issue consider getting mail hosting
> whereas the MX record for your domain is the send/receive for the domain
> you will be much happier.

what is an MX record for a domain?

Peter

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

>
> The short answer is: have the forwarder implement SRS.
>
> Tell me if I understand this correctly: the hosting company forwards
> mail received for bat17.co.uk, your isp's incoming mx'es receive this
> mail and check spf. The received mail fails spf for domains that have
> published spf records.
>
> If this is correct, there's only two options:
>
> - Have the forwarder implement SRS
> - Have the receiving MX whitelist the forwarder's outgoing mail servers
>
Spot on :-)

2 questions, what is SRS and is an MX?

My hosting company does let me set up an SPF text which I tried doing
with its default setting but that did not seem to help.

I assume that MX is my ISP, I have been onto their support but it is a
holiday weekend here so I will not hear from them until tommorow I
expect.

Many thanks

Peter

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Mon, Aug 30, 2004 at 02:36:48PM -0400, Benjamin Zachary wrote:
> My *understanding* of the SPF record is supposed to allow you to state
> which domains/Ips may send mail on your behalf (relay/proxy/redirect).
> If you put your ISP servers into your SPF record they will show up in an
> SPF check that those servers can send mail as you. This at least limits
> anyone spoofing your domain to your ISP.

His problem is that some third party sends him mail, which gets
forwarded by the hosting company to the ISP. Changing his own spf
records will not do a thing to solve the problem, as this has no effect
whatsoever on the third party mail.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Mon, Aug 30, 2004 at 07:47:07PM +0100, Peter Saunders wrote:
> > Tell me if I understand this correctly: the hosting company forwards
> > mail received for bat17.co.uk, your isp's incoming mx'es receive this
> > mail and check spf. The received mail fails spf for domains that have
> > published spf records.
> >
> > If this is correct, there's only two options:
> >
> > - Have the forwarder implement SRS
> > - Have the receiving MX whitelist the forwarder's outgoing mail servers
> >
> Spot on :-)

Great :)

> 2 questions, what is SRS and is an MX?
>
> My hosting company does let me set up an SPF text which I tried doing
> with its default setting but that did not seem to help.
>
> I assume that MX is my ISP, I have been onto their support but it is a
> holiday weekend here so I will not hear from them until tommorow I
> expect.

SRS stands for Sender Rewriting Scheme. It rewrites MAIL FROM adresses
at the forwarders server such that they appear to be from their hosts.
This is something the forwarder should implement.

An MX is a term from the Domain Name Server (DNS) terminology, it is
used to designate for a domain what the receiving mail server(s)
is(are).

So it seems you can not do a thing: SRS is something your forwarder
should implement. Whitelisting at the MX (receiving mail server)
SRS stands for Sender Rewriting Scheme. It rewrites MAIL FROM adresses
at the forwarders server such that they appear to be from their hosts.
This is something the forwarder should implement.

An MX is a term from the Domain Name Server (DNS) terminology, it is
used to designate for a domain what the receiving mail server(s)
is(are).

So it seems you can only wait for either the hosting company to
implement SRS or the ISP to whitelist the forwarder (I think the latter
is more likely than the former).

Koen


Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

I've received 2 complaints from customers whose web-host provider seems to
be incorrectly forwarding e-mails from these customer's domains, and our SPF
record is causing them to fail. I realize that getting the web-hosting
provider to change their ways because of something that we, (the ISP)
implemented that wasn't mandatory is probably a long shot, but...

Shouldn't the (proper) thing to correct these type issues be to cause the
forwarder to implement SRS, and not have us (as the ISP whose e-mail address
is being attempted to be incorrectly forwarded) to have to add that MX into
our SPF record?

My thoughts are that adding the improperly forwarding MX's IP Address into
our SPF record opens us back up (although only via that additional MX) to
spoofing of our domain.

I'm a relative newbie to SPF, so if I'm wrong, be gentle. :-)


Sincerely,
Mike

-----Original Message-----
From: owner-spf-help@v2.listbox.com [mailto:owner-spf-help@v2.listbox.com]
On Behalf Of Koen Martens
Sent: Monday, August 30, 2004 5:10 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] forwarding accounts

On Mon, Aug 30, 2004 at 07:47:07PM +0100, Peter Saunders wrote:
> > Tell me if I understand this correctly: the hosting company forwards
> > mail received for bat17.co.uk, your isp's incoming mx'es receive this
> > mail and check spf. The received mail fails spf for domains that have
> > published spf records.
> >
> > If this is correct, there's only two options:
> >
> > - Have the forwarder implement SRS
> > - Have the receiving MX whitelist the forwarder's outgoing mail servers
> >
> Spot on :-)

Great :)

> 2 questions, what is SRS and is an MX?
>
> My hosting company does let me set up an SPF text which I tried doing
> with its default setting but that did not seem to help.
>
> I assume that MX is my ISP, I have been onto their support but it is a
> holiday weekend here so I will not hear from them until tommorow I
> expect.

SRS stands for Sender Rewriting Scheme. It rewrites MAIL FROM adresses
at the forwarders server such that they appear to be from their hosts.
This is something the forwarder should implement.

An MX is a term from the Domain Name Server (DNS) terminology, it is
used to designate for a domain what the receiving mail server(s)
is(are).

So it seems you can not do a thing: SRS is something your forwarder
should implement. Whitelisting at the MX (receiving mail server)
SRS stands for Sender Rewriting Scheme. It rewrites MAIL FROM adresses
at the forwarders server such that they appear to be from their hosts.
This is something the forwarder should implement.

An MX is a term from the Domain Name Server (DNS) terminology, it is
used to designate for a domain what the receiving mail server(s)
is(are).

So it seems you can only wait for either the hosting company to
implement SRS or the ISP to whitelist the forwarder (I think the latter
is more likely than the former).

Koen


Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

Right, I wasn't completely understanding his original statement.
Incoming mail should have no affect on him at all with or without SPF
records unless his mail provider is blocking spoofed spf mail (which is
probable)

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Koen Martens
Sent: Monday, August 30, 2004 6:07 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] forwarding accounts

On Mon, Aug 30, 2004 at 02:36:48PM -0400, Benjamin Zachary wrote:
> My *understanding* of the SPF record is supposed to allow you to state

> which domains/Ips may send mail on your behalf (relay/proxy/redirect).
> If you put your ISP servers into your SPF record they will show up in
> an SPF check that those servers can send mail as you. This at least
> limits anyone spoofing your domain to your ISP.

His problem is that some third party sends him mail, which gets
forwarded by the hosting company to the ISP. Changing his own spf
records will not do a thing to solve the problem, as this has no effect
whatsoever on the third party mail.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/ Networking, embedded
systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program can't read? Visit
http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com


--------------------------------------------------------------------------------
This email is intended only for the named recipents. All email is monitored and archived for compliance requirements.
The views or context in this message may not reflect the view or context of the company.
--------------------------------------------------------------------------------



-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Monday 30 August 2004 06:55 pm, Benjamin Zachary wrote:
> Right, I wasn't completely understanding his original statement.
> Incoming mail should have no affect on him at all with or without SPF
> records unless his mail provider is blocking spoofed spf mail (which is
> probable)

Actually, he might be the one blocking spoofed spf mail, which would also
result in a rejection of the improperly forwarded mail. Now, one possible
solution to that is to add the two MTA's in question to a client_access
(Postfix) or other type of access list to let his mail server know that the
MTA is authorized to relay to him. Then, his mail server would accept all
mail regardless of SPF headers that were sent from the added hosts.

It doesn't mean that they can spoof your own domain to anyone else, but they
would be able to bypass your SPF checks and supposedly spoof any domain they
wanted. You could, of course, do this temporarily and request that they
implement SRS and give them some time to do it, say a couple of months or so
and then remove the hosts and they begin going back through the SPF checks
again.

At least, I think that is the way it works because it appears to be doing that
on my system.
--
Bryan Phinney

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Mon, Aug 30, 2004 at 05:32:28PM -0500, Mike McTee wrote:
> Shouldn't the (proper) thing to correct these type issues be to cause the
> forwarder to implement SRS, and not have us (as the ISP whose e-mail address
> is being attempted to be incorrectly forwarded) to have to add that MX into
> our SPF record?

You are correct, adding the mx to your spf record is a very last resort
only and will work out only if there's a very small amount of
'misbehaving' forwarders. If you have more than 10 of them, you quickly
run out of the 400-500 byte dns reply limit.

The second best option is to whitelist the known forwarders on the
receiving end, but the best solution (in my eyes) is for the forwarder
to implement srs. However, the latter is not always possible as
forwarders might be non-cooperative and unwilling to comply.

> My thoughts are that adding the improperly forwarding MX's IP Address into
> our SPF record opens us back up (although only via that additional MX) to
> spoofing of our domain.

You are absolutely right.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

Koen - It always makes me feel better to gain some reassurance from
others who are more experienced.

Thank you.


Sincerely,
Mike




-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Koen Martens
Sent: Tuesday, August 31, 2004 2:11 AM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] forwarding accounts

On Mon, Aug 30, 2004 at 05:32:28PM -0500, Mike McTee wrote:
> Shouldn't the (proper) thing to correct these type issues be to cause
the
> forwarder to implement SRS, and not have us (as the ISP whose e-mail
address
> is being attempted to be incorrectly forwarded) to have to add that MX
into
> our SPF record?

You are correct, adding the mx to your spf record is a very last resort
only and will work out only if there's a very small amount of
'misbehaving' forwarders. If you have more than 10 of them, you quickly
run out of the 400-500 byte dns reply limit.

The second best option is to whitelist the known forwarders on the
receiving end, but the best solution (in my eyes) is for the forwarder
to implement srs. However, the latter is not always possible as
forwarders might be non-cooperative and unwilling to comply.

> My thoughts are that adding the improperly forwarding MX's IP Address
into
> our SPF record opens us back up (although only via that additional MX)
to
> spoofing of our domain.

You are absolutely right.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

> Actually, he might be the one blocking spoofed spf mail, which would also
> result in a rejection of the improperly forwarded mail. Now, one possible
> solution to that is to add the two MTA's in question to a client_access
> (Postfix) or other type of access list to let his mail server know that the
> MTA is authorized to relay to him. Then, his mail server would accept all
> mail regardless of SPF headers that were sent from the added hosts.
>

I am not sure what any of that means, but as far as getting mail goes
I just log in and download my mail with Thunderbird, I dont run a
server this is just a domestic login to an ISP for mail.

Peter

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com