Mailing List Archive

SPF record addition to reject backscatters
Dear all,

I am facing a backscatter problem with a couple of domain names and was
advised to publish an SPF record to avoid it. I then added the below record
to the DNS for the domain as

v=spf1 ip4:208.115.38.99 mx ~all

Now even after adding this, my email server (Merak) is still accepting
those backscatters (unsolicited bounce-backs). Can you please help me to
understand if I am wrong somewhere?

Thanks,


Susheel
Worldindia.com
+91-22-40811111
susheel@worldindia.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: SPF record addition to reject backscatters
Hi!

On Thu, Jul 31, 2008 at 06:14:02PM +0530, Susheel - WorldIndia.com wrote:
>I am facing a backscatter problem with a couple of domain names and was
>advised to publish an SPF record to avoid it. I then added the below record
>to the DNS for the domain as

>v=spf1 ip4:208.115.38.99 mx ~all

>Now even after adding this, my email server (Merak) is still accepting
>those backscatters (unsolicited bounce-backs). Can you please help me to
>understand if I am wrong somewhere?

The SPF record won't make *your* mail server reject backscatter. It
would make *part* of the *other* mail servers reject faked mails
allegedly from your domain, reducing backscatter somewhat. But it would
rather do that if you published a -all instead of a ~all policy (if you
can be sure that your legitimate mail will pass by your policy, i.e. be
either from the given IP or from any of the MX's IPs).

If you control your outgoing mail enough so you can be assured to
fulfill the criteria for SES or self-signed SRS, you could use that to
reject backscatter (all mail from the empty envelope sender to any
*non-signed* recipient or recipients with invalid/stale signature in
your domain).

Kind regards,

Hannah.
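An added example (not from this thread, and not Merak's or any real SES/SRS implementation) of the rejection rule Hannah describes: the envelope sender of outgoing mail is rewritten to carry a keyed hash and a date, and a bounce (empty envelope sender) is accepted only when its recipient carries a valid, unexpired tag. The tag layout, the placeholder secret and the seven-day validity window are assumptions.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Constructed example: simplified signed envelope sender in the spirit of
# SES / self-signed SRS. Tag layout and validity window are assumptions.
SECRET = b"replace-with-a-long-random-secret"  # placeholder key
VALIDITY_DAYS = 7

def _day(now: Optional[int]) -> int:
    return (now if now is not None else int(time.time())) // 86400

def _tag(local_part: str, day: int) -> str:
    msg = f"{local_part}:{day}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]

def sign_sender(address: str, now: Optional[int] = None) -> str:
    """Rewrite user@abc.com into SES=<tag>=<day>=user@abc.com for MAIL FROM."""
    local, _, domain = address.partition("@")
    day = _day(now)
    return f"SES={_tag(local, day)}={day}={local}@{domain}"

def verify_recipient(address: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a bounce to this recipient refers to mail we really sent."""
    local, _, domain = address.partition("@")
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != "SES":
        return False, "unsigned recipient: no mail was sent from this address"
    _, tag, day_s, orig_local = parts
    if not day_s.isdigit():
        return False, "malformed tag"
    age = _day(now) - int(day_s)
    if not 0 <= age <= VALIDITY_DAYS:
        return False, "stale signature"
    if not hmac.compare_digest(tag, _tag(orig_local, int(day_s))):
        return False, "invalid signature"
    return True, f"genuine bounce for {orig_local}@{domain}"

def accept_bounce(mail_from: str, rcpt_to: str, now: Optional[int] = None) -> bool:
    """Policy hook at RCPT TO: only null-sender (bounce) mail is checked here."""
    if mail_from != "":
        return True  # ordinary mail; SPF and other checks apply instead
    ok, _reason = verify_recipient(rcpt_to, now)
    return ok
```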


Re: SPF record addition to reject backscatters
Hi Hannah,

Can you please clarify if I should perform the below actions?

For e.g. I have a domain abc.com which has an MX record as spam.xyz.com and
this MX record just receives email. abc.com sends email through different
IPs. In this case the SPF record on abc.com should be:

v=spf1 ip4:208.115.38.99 mx ~all

Do I need to add an SPF record in xyz.com as well?

spam.xyz.com. IN TXT "v=spf1 a -all"

Is this necessary? Also can you clarify the difference between -all and ~all?

Regards,

Susheel



----- Original Message -----
From: "Hannah Schroeter" <hannah@schlund.de>
To: <spf-help@v2.listbox.com>
Sent: Thursday, July 31, 2008 7:27 PM
Subject: Re: [spf-help] SPF record addition to reject backscatters



Re: SPF record addition to reject backscatters
Hi!

On Thu, Jul 31, 2008 at 07:56:12PM +0530, Susheel - WorldIndia.com wrote:
>Can you please clarify if I should perform the below actions?

>For e.g. I have a domain abc.com which has an MX record as spam.xyz.com and
>this MX record just receives email. abc.com sends email through different
>IPs. In this case the SPF record on abc.com should be:

>v=spf1 ip4:208.115.38.99 mx ~all

The SPF record for xyz.com should tell where mails with envelope senders
X@xyz.com *originate*. If the MX hosts do not *originate* mails too,
there's no need for the mx mechanism to appear. Then, the record would
be v=spf1 ip4:... (repeat as necessary) -all.

>Do I need to add an SPF record in xyz.com as well?

>spam.xyz.com. IN TXT "v=spf1 a -all"

If there are no emails ever sent with envelope sender X@spam.xyz.com,
you can set up the record as v=spf1 -all.

No need to allow *any* IP then for *that* subdomain. Ditto for any other
subdomains of xyz.com that shouldn't appear in envelope senders of
mails.

>Is this necessary? Also can you clarify the difference between -all and ~all?

See sections 2.5.4 and 2.5.5 of RFC 4408 for details. -all causes a Fail
result for all mails that do not match any preceding entries, while ~all
causes a *SoftFail* result.

Fail says the client is *not* authorized to use the domain xyz.com,
period. For SoftFail, the RFC says:
A "SoftFail" result should be treated as somewhere between a "Fail"
and a "Neutral". The domain believes the host is not authorized but
is not willing to make that strong of a statement. Receiving
software SHOULD NOT reject the message based solely on this result,
but MAY subject the message to closer scrutiny than normal.

It's a somewhat "cowardly" statement: You aren't completely sure whether
mails that do not match previous entries are really illegitimate. You
have a tendency that they are usually not legitimate, but you're not
completely sure whether all your roaming domain users really use VPNs or
your mail submission agent (e.g. using the MSA port), or whatever
mechanism to ensure that *all* legitimate mails originate from the
designated hosts.

If you can be 100% sure that all your legitimate mails from xyz.com are
sent from the specified IPs, use -all. Use ~all only if you can't be
sure and rather want to permit some illegitimate mail than forbid some
mail from your users that have not set up their roaming clients (laptops,
home offices, whatever) correctly. (With -all, you'd force them to fix
their setups instead.)

Kind regards,

Hannah.
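An added example (not from this thread, and not any real SPF library) that evaluates the records discussed above the way a receiving server would: it walks the mechanisms left to right and returns Pass, Fail, SoftFail or Neutral from the qualifier of the first match, which is exactly where -all and ~all diverge. It goes slightly beyond the thread by accepting the full set of +, -, ~ and ? qualifiers. The DNS table (MX host, A record, and the 198.51.100.25 / 203.0.113.7 addresses) is constructed; only the 208.115.38.99 address and the domain names come from the thread.

```python
import ipaddress
from typing import List

# Constructed DNS data for the thread's example domains (not real records).
DNS = {
    "mx": {"abc.com": ["spam.xyz.com"]},
    "a": {"spam.xyz.com": ["198.51.100.25"]},
    "txt": {
        "abc.com": "v=spf1 ip4:208.115.38.99 mx ~all",
        "xyz.com": "v=spf1 ip4:208.115.38.99 -all",
        "spam.xyz.com": "v=spf1 -all",
    },
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 4408).
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def _hosts_for(domain: str, mech: str) -> List[str]:
    """IPs an 'a' or 'mx' mechanism expands to (simplified: one A per host)."""
    if mech == "a":
        return DNS["a"].get(domain, [])
    ips: List[str] = []
    for mx_host in DNS["mx"].get(domain, []):
        ips.extend(DNS["a"].get(mx_host, []))
    return ips

def check_spf(client_ip: str, domain: str) -> str:
    """Evaluate the SPF record of the envelope-sender domain for a client IP."""
    record = DNS["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "None"  # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means Pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            hosts = _hosts_for(arg or domain, name)
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            return "PermError"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # ran off the end without an 'all' term
```

Note that with the xyz.com record the MX host 198.51.100.25 gets Fail, which is Hannah's point: an MX that only receives mail does not need the mx mechanism.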

