Dear List Persons,

First, thank you Frank Ellermann and Steve Yates for the nice responses. (Steve Yates? I know that name from somewhere. Do you publish computer information [i.e. news, reviews, or tech info] online?) [Here's hoping you will continue to help even though I know this is a long e-mail. I apologize if this sounds like a rant.]

Well, I spent a few more minutes Friday night before going home reading more of the SPF site and other things and figured some things out, but still had concerns upon leaving. I let my mind get nice and distracted by other things (thank goodness) so I didn't have to worry about this over the weekend. But it's Monday, and back to work and back to figuring this all out.

One thing I found out before leaving Friday night was that I can add TXT records to my DNS on ZoneEdit. Thus, I realized that the "Wizard" is just preparing a string for TXT records that I would put in there. And it makes me think I don't even need to use a Wizard.

Instead of responding to the questions and responses individually, I decided to send to the list group again, figuring anyone (except the newest of newcomers) will have Frank's and Steve's responses to my initial questions if reference is needed. And some of the things I can just leave out because I realized some of my own stupidity.

Thank you Frank for the simple response. These TXT examples may be almost exactly what I need, except I might need to understand the technical info or the "syntax" to make sure what I am doing is exactly correct. From reading these responses and looking at it, it appears that the TXT record needs to be in a specific syntax that starts with "v=spf1". Is there any documentation (I admit I haven't searched yet) on the syntax of these records so I know what all the possibilities are and how I should actually set mine up? A good technical reference or technical manual is always better than a Wizard for me.

But Steve's response raises some more questions about this whole SPF thing.

From the reading I have done I am still trying to decide if SPF is a good thing for me or not. It seems a little better than what most ISPs are doing right now, but doesn't necessarily look good for my business, either in filtering incoming e-mail or in sending e-mail.

While working with AOL it has come to my attention that AOL is not only blocking all e-mail from dynamic IP addresses (causing me to have to switch ISPs and pay hundreds per month for static IP addresses), of which there are only about three ISPs (of the hundreds of ISPs) in the Salt Lake valley that even offer "static" IP addresses, and at huge extra monthly prices. Then AOL was blocking anything without reverse DNS set to the correct HELO server name, so I was lucky I got an ISP now that will do reverse DNS on those IP addresses set to my domain names and HELO message. But, more recently, AOL has decided they are going to block ALL spoofed e-mail. Now here is a problem: sometimes "spoofing" e-mail is absolutely necessary and legitimate. Unfortunately it sounds as though, in order to stop spammers, some companies have decided all "spoofed" e-mail is bad.

So I have already had to jump through hundreds of hoops with AOL and other big companies just to get the few e-mail messages that I need to send to customers (typically no more than three messages per month) and some employees that use these stupid ISPs, and now I am thinking I need to jump through this SPF hoop too. Or maybe I don't.

It sounds like SPF is a way to limit what can be spoofed and what can't. This in itself seems much better to me than AOL's current way of blocking all spoofed e-mail. But it sounds like AOL is going to block anything that doesn't have SPF records, and, if I have SPF records, I still may not be able to spoof when needed. So what do I do?

Here is the quandary. Right now my boss uses the e-mail address she has been using for nearly a decade as the main business e-mail address (published all over). It is an xmission.com address. However, I can't send my e-mail through xmission.com: 1) we no longer even use xmission as an ISP, so we don't connect to xmission.com; 2) I and several other employees use our business e-mail addresses for different domain names based on who we are communicating with, and I can't send those through xmission.com (or they would be spoofed the other way). Thus, to continue to use the e-mail address my boss has published all over and in hundreds of thousands of printed documents, not to mention the hundreds of web sites, portals, and contacts that she has given her e-mail address to, I HAVE TO SPOOF THAT E-MAIL ADDRESS. [Yes, that e-mail address still gets tons of spam, most of which xmission filters, which means we often miss important e-mail messages too.]

Friday, when I was absolutely sure there is no other workaround (as AOL even blocks a "spoofed" reply-to address), I told my boss that she will need to lose this e-mail address because of the spoofing issues. But I doubt very much that at 78 years old she will go for my opinions or expertise.

Then when it comes to other domains, again I might be sending out a gbesco.com e-mail from the reidschool.com domain or vice versa. Any and/or all of our domain names might send out e-mail from any or all of our three servers on the two specific subnets. These could present spoofing issues just within our companies. [It's not my fault my bosses run several small businesses and several domain names on these silly little networks at two locations.]

Now, there are other spoofing problems too. For instance, on occasion I send business-related e-mails from home using my home ISP's e-mail server. My work servers are so tight that I can't allow an incoming connection from anyone not on the LAN to send e-mail from them. To unsecure my mail servers (as I use a dynamic IP address at home because I can't afford $350 per month at home for a static IP address) would be like asking for my currently secure servers to get used as spamming machines by remote attackers. So I utterly refuse to open my servers up. So again, there are legitimate reasons for spoofed e-mail. Then add to it the fact that any or all three of the servers may send e-mail from domain names not associated with the server's PTR records; that too may be considered spoofed depending on how the filters are designed. So this is why I really need to understand exactly how SPF is working, so I can see how to jump through this hoop and still get my e-mail through to AOL and other ISPs that decide to use this filter method.

There is also the problem that I can't administer the network (subnet) on the reidschool.com domain. Thus I can't keep these people safe at all. I run a very strict firewall/proxy server to help alleviate the fact that I can't do anything (I don't even have keys to that building) to really secure that whole network. In order for my boss to send e-mail (she works at that building, though usually she has me send her e-mail anyway) I have to have that proxy server send out as an SMTP server if needed, though rarely. But again, she is using an xmission.com e-mail address, or she will use an ecri.cc [her main business name] address if I ever get her to switch, but she is on a reidschool.com network.

Then there are the web servers for all seven domain names. Scripting for sending e-mail is possible and may one day occur. Currently only www.reidschool.com has any scripting in place that may send notifications of updates to parents of children attending that school [if they subscribe]. Right now that script is completely turned off, but in preparing for the future, I want to be sure my e-mail can get through to those parents that sign up for such a notification system. And unfortunately statistics show that half or more of those parents are going to be using AOL, and even more use other large ISPs' e-mail addresses. So I have to deal with being able to get my outgoing e-mail through to these obnoxious ISPs for delivery to these people for any and/or all of my domain names coming out of any or all of the three servers I run.

I really don't worry so much about people spoofing my e-mail. I can show it wasn't my server should anyone try to accuse these companies. So far, I have only had one incident where someone spoofed a webmaster@domain.com address that we don't even use. Since I am the webmaster, it ticked me off that day. Yes, that was annoying, but I disabled the "webmaster" e-mail address and all other RFC-compliant addresses, and said "I don't give a damn about the RFC specs" if people are going to spoof an e-mail address that isn't even used. Anyone wanting to get ahold of me as the webmaster can find a valid company e-mail address on any of our web pages.

As for ever using SPF to filter incoming e-mail, I would never need to do that. The best way to control spam is to prosecute the spammers. And since I give out separate e-mail addresses, I will know who either spammed me, or sold my name to spammers, therefore aiding and abetting criminals. AND I WILL PROSECUTE THEM!!!

Thus, over the past year since I started this process, I have reduced the spam to next to nothing. Mainly only to list servers like this one, where the e-mail address may be harvestable but certainly going to unknown destinations, and to the standard 20 or so RFC e-mail addresses per domain, which I recently got rid of anyway. It seems to me this way is better than any filter, because all other filters will block important e-mail as much or more commonly (percentage-wise) as they block spam.

I understand that most people CAN'T do it the way I do. The ultimate best way to avoid "spoofing" issues in particular is to change the SMTP protocol and add a in so the receiving SMTP server does a quick check asking if the reply-to e-mail address and the return path are valid e-mail addresses, with a quick question-and-response method at the protocol level. I.e., send one packet to each server authoritative for the reply-to domain and the return-path domain and receive one packet back from each saying valid or invalid. Hardly any bandwidth would be needed, and this would reduce the vast majority of current spam that runs with spoofed addresses, without blocking the valid use of spoofed messages.

But I still have to deal with ISPs that simply refuse e-mail because I don't have the time or money to pay some ISP for e-mail addresses, and remote connections to their e-mail servers, and colocating our servers, and all the other headaches. In fact, when it comes to it, I really don't understand how small businesses exist on the web or communicate through e-mail anymore, because they are so discriminated against just because of spammers.

So, down to my real concern and questions: What exactly does SPF do for the ISP that implements it? Exactly how does it work, so I can get my e-mail through reliably whether I have to spoof or not? And, if I should set up these records, what are all the syntax structures that are possible and what do they mean? For me it would be a lot easier to read technical information such as syntax structures than figure out silly questions in a Wizard, since my situation isn't very typical.

Thanks again for all your help. I apologize if this sounded like a rant.

Sincerely,
Nathan Tyler
"Computer Do All" for several small businesses.