Mailing List Archive

getting my spf record correctly
My spf record was working fine. However, some time ago my ISP changed names and with it the names of their smtp servers.

My mailserver is at home, my ISP is online.nl, and my mailserver relays via smtp.online.nl.
My domain is geerdes.nl; my nameservers are hosted by zoneedit.com.
When I send a mail, I can see that it is sent by smtp01.online.nl or smtp02.online.nl etc. (I don't know how many they have, but at least 10).
My spf record is currently set up like this:

geerdes.nl. IN TXT "v=spf1 a:smtp01.online.nl a:smtp02.online.nl a:smtp03.online.nl a:smtp04.online.nl a:smtp05.online.nl a:smtp06.online.nl a:smtp07.online.nl a:smtp08.online.nl a:smtp09.online.nl a:smtp10.online.nl

When I send a mail to auth-results@verifier.port25.com it returns a mail with 'pass'.

If I send it to spf-test@openspf.org it returns:

Mail Delivery System [MAILER-DAEMON@smtp02.online.nl]


Your message did not reach some or all of the intended recipients.

Subject:

The following recipient(s) cannot be reached:


spf-test@openspf.org on 13-6-2009 0:11
mailout02.controlledmail.com: Failed (550 5.7.1 <spf-test@openspf.org>: Recipient address rejected: SPF Tests: Mail-From Result)

So what could be still wrong?

Tnx

Ben

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
RE: getting my spf record correctly
Ben Geerdes wrote on 6/12/2009 5:29:17 PM:

> geerdes.nl. IN TXT "v=spf1 a:smtp01.online.nl a:smtp02.online.nl
> a:smtp03.online.nl a:smtp04.online.nl a:smtp05.online.nl a:smtp06.online.nl
> a:smtp07.online.nl a:smtp08.online.nl a:smtp09.online.nl a:smtp10.online.nl

You left out the last line:

include:online.nl -all"

There are two problems I see. 1) there are more than 10 DNS
lookups so your record will fail, and 2) there is no TXT record for
online.nl so your record may fail (technically I think the TXT for
online.nl exists but is blank?...I may be wrong and that would be a Pass
but if it is blank then why include it?).

As for the rejection from spf-test@openspf.org, that will
*always* happen...the return message tells you the result. I don't
think you posted the full result, it should look like:

< teamits104.teamits.net #5.7.1 SMTP; 550 5.7.1
<spf-test@openspf.org>: Recipient address rejected: SPF Tests: Mail-From
Result="pass": Mail From="steve@teamits.com" HELO
name="teamits104.teamits.net" HELO Result="pass" Remote
IP="204.200.197.197">


-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- To disarm detonator, cut the red wire. But first, cut the blue one.

~ Taglines by Taglinator: www.srtware.com ~
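
The lookup limit raised in the reply above can be checked mechanically. This is an added example, not code from the thread: it counts the DNS-querying terms (a, mx, ptr, exists, include, redirect) that RFC 7208 section 4.6.4 caps at 10, using the two records quoted in the thread. The names `count_lookups` and `verdict` and the offline `TXT` table standing in for DNS are assumptions.

```python
import re

LOOKUP_LIMIT = 10
# Terms that cost the receiver a DNS query; ip4, ip6 and all cost none.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

# Offline stand-in for DNS holding the record quoted in the thread. There is
# deliberately no entry for online.nl: the include term itself still costs
# one query even if the target publishes nothing.
TXT = {
    "geerdes.nl": "v=spf1 a:smtp01.online.nl a:smtp02.online.nl "
                  "a:smtp03.online.nl a:smtp04.online.nl a:smtp05.online.nl "
                  "a:smtp06.online.nl a:smtp07.online.nl a:smtp08.online.nl "
                  "a:smtp09.online.nl a:smtp10.online.nl include:online.nl -all",
}
# The ip4-only record proposed later in the thread.
IP4_RECORD = ("v=spf1 ip4:194.134.41.21 ip4:194.134.41.31 ip4:194.134.41.32 "
              "ip4:194.134.41.33 ip4:194.134.41.34 ip4:194.134.41.35 "
              "ip4:194.134.42.51 ip4:194.134.42.52 ip4:194.134.42.53 "
              "ip4:194.134.42.54 ip4:194.134.42.55 -all")

def count_lookups(record, txt=TXT, seen=frozenset()):
    """Count DNS-querying terms in record, following include/redirect targets."""
    total = 0
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        m = re.match(r"[+\-~?]?([a-z][a-z0-9]*)[:=]?(.*)", term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1                             # the term itself is one query
        name, target = m.groups()
        if name in ("include", "redirect") and target not in seen:
            # Terms inside the referenced record count against the same budget.
            total += count_lookups(txt.get(target, ""), txt, seen | {target})
    return total

def verdict(record):
    """Return (lookup count, 'permerror' if over the limit else 'ok')."""
    n = count_lookups(record)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")

if __name__ == "__main__":
    print("a: + include record:", verdict(TXT["geerdes.nl"]))
    print("ip4-only record:    ", verdict(IP4_RECORD))
```
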


RE: getting my spf record correctly
Ok, this is the full record:

geerdes.nl IN TXT v=spf1 a:smtp01.online.nl a:smtp02.online.nl a:smtp03.online.nl a:smtp04.online.nl a:smtp05.online.nl a:smtp06.online.nl a:smtp07.online.nl a:smtp08.online.nl a:smtp09.online.nl a:smtp10.online.nl include:online.nl -all

and the full message from spf-test@openspf.org is:

Your message did not reach some or all of the intended recipients.

Subject:

The following recipient(s) cannot be reached:

spf-test@openspf.org on 13-6-2009 0:11
mailout02.controlledmail.com: Failed (550 5.7.1 <spf-test@openspf.org>: Recipient address rejected: SPF Tests: Mail-From Result)

so that is the full result. Maybe because my ISP's smtp server gets the actual result, but does not send that to me?



so I can remove the include.

Len Mills suggested to use ip4, so I pinged all the smtp servers and came up with this, would that solve the problem?

v=spf1 ip4:194.134.41.21 ip4:194.134.41.31 ip4:194.134.41.32 ip4:194.134.41.33 ip4:194.134.41.34 ip4:194.134.41.35 ip4:194.134.42.51 ip4:194.134.42.52 ip4:194.134.42.53 ip4:194.134.42.54 ip4:194.134.42.55 -all


RE: getting my spf record correctly
Ben Geerdes wrote on 6/12/2009 6:22:13 PM:

> spf-test@openspf.org on 13-6-2009 0:11
> mailout02.controlledmail.com: Failed (550 5.7.1 <spf-test@openspf.org>:
> Recipient address rejected: SPF Tests: Mail-From Result)
>
> so that is the full result. Maybe because my ISP's smtp server gets the actual
> result, but does not send that to me?

Sounds like it. It should read:

Mail-From Result=....

...and the part after the "=" tells you if it passes or fails.
(http://www.openspf.org/Tools...I added an example)

> Len Mills suggested to use ip4,

That will remove all the DNS lookups and is generally preferred,
however, you will need to update your SPF record if any of those IPs
change.

*If* online.nl set up an SPF record for their customers to use,
for example as "include:outbound.online.nl" then you could simply
include that and let them maintain their own list.


-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- MAFIA.SYS Not Found -- Program Not Executed.

~ Taglines by Taglinator: www.srtware.com ~


Re: getting my spf record correctly
Ben Geerdes wrote:
> Len Mills suggested to use ip4, so I pinged all the smtp servers and came up with this, would that solve the problem?
>
> v=spf1 ip4:194.134.41.21 ip4:194.134.41.31 ip4:194.134.41.32 ip4:194.134.41.33 ip4:194.134.41.34 ip4:194.134.41.35 ip4:194.134.42.51 ip4:194.134.42.52 ip4:194.134.42.53 ip4:194.134.42.54 ip4:194.134.42.55 -all

Matching the IP address directly is certainly easier for receivers of
your mail than looking up all names.

You may abbreviate some of that stuff. For example, the range
194.134.41.32 - 194.134.41.35 has the first 28 bits fixed while the
remaining 4 bits take every possible value; thus, it may be written in
CIDR notation as 194.134.41.32/28.

Really, setting up that stuff should be done by the same staff who
maintains the rest of their DNS: you should prompt your provider to
provide a record for inclusion, as Steve suggested.

Otherwise, you may achieve a somewhat more stable (albeit less strict)
SPF record by including all the block allocated to ONLINE-MAIL-SERVERS
by the RIPE: 194.134.41.0 - 194.134.41.127. Again, use CIDR notation
to include it in compact form, i.e. ip4:194.134.41.0/25.
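
Before replacing individual ip4 terms with a CIDR block, it helps to see exactly which addresses the block authorises. This is an added example, not code from the thread: it collapses the eleven addresses listed in the thread into the smallest exact set of blocks and reports, for any proposed block, which listed relays it misses and how many unlisted addresses it would additionally permit. The function names `collapse`, `to_spf` and `audit` are assumptions.

```python
import ipaddress

# The eleven relay addresses listed in the thread.
LISTED = ("194.134.41.21 194.134.41.31 194.134.41.32 194.134.41.33 "
          "194.134.41.34 194.134.41.35 194.134.42.51 194.134.42.52 "
          "194.134.42.53 194.134.42.54 194.134.42.55").split()

def collapse(addrs):
    """Smallest set of CIDR blocks covering exactly addrs and nothing more."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addrs)
    return [str(n) for n in nets]

def to_spf(addrs):
    """Build an SPF record from the exact-cover blocks (/32 written bare)."""
    terms = ["ip4:" + (c[:-3] if c.endswith("/32") else c)
             for c in collapse(addrs)]
    return "v=spf1 " + " ".join(terms) + " -all"

def audit(cidr, addrs=LISTED):
    """Return (listed addresses the block misses, unlisted addresses it adds)."""
    net = ipaddress.ip_network(cidr)
    listed = sorted(ipaddress.ip_address(a) for a in addrs)
    missed = [str(a) for a in listed if a not in net]
    # Every address in the block is authorised to send; subtract the known ones.
    extra = net.num_addresses - sum(a in net for a in listed)
    return missed, extra

if __name__ == "__main__":
    print(to_spf(LISTED))
    for block in ("194.134.41.32/28", "194.134.41.0/25"):
        missed, extra = audit(block)
        print(f"{block}: misses {len(missed)} listed, adds {extra} unlisted")
```

A block that adds unlisted addresses makes the record less strict; a block that misses listed relays needs further ip4 terms alongside it.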


RE: getting my spf record correctly
I think I have it working now.
ONLINE is one of the largest providers in the Netherlands so you would expect
that they have enough staff and knowhow to manage their network, it's my experience that they
are not very capable. Maybe it's because they are so big ... Calling their support line
you pay per minute. Mail they hardly answer. I called them several times once because I was
getting mail rejected because one of their mail servers was on a blacklist. They had no idea
what I was talking about. Took them days before they solved that problem.
Requesting them to get a proper SPF record....don't think that really works.
The problem is that you mail their first line support people, they would have no idea what
an SPF record is....


Thanks for all the help

Ben

