Mailing List Archive

proper spf when using gmail for domain's mail server
Hi there, noob to the list.

Looking to properly understand and setup SPF record for my business domain, but also need to better grasp this for clients as well.

The current SPF record I have is:
"v=spf1 ip4:64.13.223.0/24 a mx a:gmail.com include:telus.net ?all"

My ISP is typically telus.net, but I do use the gmail smtp server for sending out all messages from my computer.
In addition, I also send messages from my site's server, and an online invoicing system (freshbooks.com).

Any help or insight greatly appreciated.

--
Greg


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e
Powered by Listbox: http://www.listbox.com
Re: proper spf when using gmail for domain's mail server [ In reply to ]
> The current SPF record I have is:
> "v=spf1 ip4:64.13.223.0/24 a mx a:gmail.com include:telus.net ?all"

This isn't right...

64.13.223.0/24 is 256 addresses. It's unlikely you're sending from all
those boxes. What problem are you trying to solve with that?

The "a" and "mx" clauses are comparatively harmless, but probably aren't
what you're after. Do you send mail directly (i.e. not via an outbound
SMTP server) to recipients from the box that serves the main domain? If
you don't, you don't want the "a" bit in there. Your MX record (for the
domain from which you sent your email) seems to list only gmail servers -
so you probably don't want that in there either.

The "a:gmail.com" bit doesn't help; if you're trying to authorise gmail
servers, you should use "include:_spf.google.com" (according to Google's
page at http://www.google.com/support/a/bin/answer.py?answer=178723 ). But
you might not want to declare anything coming from Google as "positively
authorised"; gmail has a lot of users. I don't know how well Google does
anti-spoofing internally.

The same comment applies to telus.net; there are a lot of people on that
ISP, and I'm pretty sure it's easy to spoof from there.

Lastly, the "?all" default says to treat as unknown anything that hasn't
already been matched - so the record is somewhat ineffective :-(

My ***guess*** at your correct record - and I can do no more than guess
without knowing more about your setup - would be something like :-

v=spf1 ?include:_spf.google.com ?include:telus.net ~all

until you're sure it's correct, then change that to

v=spf1 ?include:_spf.google.com ?include:telus.net -all

...But that might be wrong.

Vic.



Re: proper spf when using gmail for domain's mail server [ In reply to ]
The record that is in place is the result of my foolhardy attempt with the SPF Setup Wizard (http://old.openspf.org/wizard.html).


On 2010-08-31, at 9:24 AM, Vic wrote:

>
>> The current SPF record I have is:
>> "v=spf1 ip4:64.13.223.0/24 a mx a:gmail.com include:telus.net ?all"
>
> This isn't right...
>
> 64.13.223.0/24 is 256 addresses. It's unlikely you're sending from all
> those boxes. What problem are you trying to solve with that?
>
> The "a" and "mx" clauses are comparatively harmless, but probably aren't
> what you're after. Do you send mail directly (i.e. not via an outbound
> SMTP server) to recipients from the box that serves the main domain? If
> you don't, you don't want the "a" bit in there. Your MX record (for the
> domain from which you sent your email) seems to list only gmail servers -
> so you probably don't want that in there either.
>
> The "a:gmail.com" bit doesn't help; if you're trying to authorise gmail
> servers, you should use "include:_spf.google.com" (according to Google's
> page at http://www.google.com/support/a/bin/answer.py?answer=178723 ). But
> you might not want to declare anything coming from Google as "positively
> authorised"; gmail has a lot of users. I don't know how well Google does
> anti-spoofing internally.
>
> The same comment applies to telus.net; there are a lot of people on that
> ISP, and I'm pretty sure it's easy to spoof from there.
>
> Lastly, the "?all" default says to treat as unknown anything that hasn't
> already been matched - so the record is somewhat ineffective :-(

Thanks for the explanation - I really do appreciate that feedback.

As for the setup, I do have webform confirmation messages that get sent from my web server itself (64.13.223.66).

My office computer is a laptop, and as such I do have several potential connection points (various ISPs). But my home and office are both on the Telus network, and in each case the SMTP setting routes through Gmail (overriding the ISP's default).

>
> My ***guess*** at your correct record - and I can do no more than guess
> without knowing more about your setup - would be something like :-
>
> v=spf1 ?include:_spf.google.com ?include:telus.net ~all
>
> until you're sure it correct, then change that to
>
> v=spf1 ?include:_spf.google.com ?include:telus.net -all
>
> ...But that might be wrong.

Could you also recommend the best way to verify the spf is setup correctly? Is there a free (hopefully) service out there that does this?

/greg

Re: proper spf when using gmail for domain's mail server [ In reply to ]
> As for the setup, I do have webform confirmation messages that get sent
> from my web server itself (64.13.223.66).

OK - add in the "ip4:64.13.223.66" clause. That's better than "a" because
it reduces the number of DNS lookups required. But it fails if your server
should change IP address, so keep an eye on that.

> but in each case, the SMTP setting routes through gMail
> (overriding the ISPs default).

In that case, throw away the telus part of the record - if you're routing
everything through gmail, there's no need to permit any connections from
Telus customers.

> Could you also recommend the best way to verify the spf is setup
> correctly? Is there a free (hopefully) service out there that does this?

There are a number of tests you can do.

Prior to committing too much to DNS, you can use Scott's test form at
http://www.kitterman.com/spf/validate.html . If you want to test a record
in place, send an email - which will always be rejected - to
spf-test@openspf.org . Have a look at the bounce from that, and you'll see
what happened to your SPF test.

HTH

Vic.



Re: proper spf when using gmail for domain's mail server [ In reply to ]
>
>Could you also recommend the best way to verify the spf is setup correctly? Is there a free (hopefully) service out there that does this?

It can't really be done. All you can do is test different IPs against the record and see if they pass/fail.

If ones you expect to pass fail, or vice versa, it's a mistake.

SPF is about policy. An SPF of

v=spf1 a:gmail.com -all

is syntactically valid and thus valid to any/all testing tools;
it just doesn't do what is expected by the writer.

{it allows the IPs used by the redirectors {web servers} of http://gmail.com to send mail; unfortunately they will never try {pass}, and they do not include any of the IPs Gmail would really try sending mail from, but no automated tester can know that}

This is why the syntax is so simple: to ensure a human can debug it, and write it without the aid of machinery.

If you only send from your server and Gmail
{as you say you do not send by your ISP's servers, so no point including them}

then your SPF should be (x.x.x.x is the IP of your server):
"v=spf1 ip4:x.x.x.x include:_spf.google.com ?all"

This will give a pass for all mail from Google and your server {?all should be changed to ~all or -all when testing is complete}.

First, as to include:_spf.google.com vs ?include:_spf.google.com:
both work. The first means you and all other Google users forging your domain pass;
the second means you and all other Google users forging your domain don't fail {but equally don't pass}.

Now, as Google insists that to send from x@y they have to do a confirmation loop to ensure you are permitted, I'd go with option 1.

But as Google also allows you to SMTP AUTH to any proper MTA out there, I'd set up my users to SMTP AUTH against my own server to send,
and thus have v=spf1 ip4:x.x.x.x -all

{I have many clients who use Gmail as a web-based POP3/SMTP client for my servers, but would never actually send/receive via Google}



>/greg
>



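Both Vic's testing advice and the reply above come down to the same thing: take the record, feed it candidate sender IPs, and check that the ones you expect to pass do and the rest don't. The script below is an added example, not code from the thread or from any SPF tool; it is a small evaluator for the subset of SPF used in this discussion (ip4, a, mx, include, all, with the +/-/~/? qualifiers) run over constructed DNS answers rather than live lookups. The domain name example.com, the Google and Telus address ranges (taken from the RFC 5737 documentation blocks), and the gmail.com/MX host addresses are assumptions; the web server address 64.13.223.66 is the one Greg gave. Running it shows why the original record passes any host in the /24 and any Telus customer but only gives Google's real outbound servers "neutral", and how the tightened record behaves instead.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over constructed DNS data.

Added example: not part of the mailing list thread. All DNS answers below
are made up for illustration except the poster's web server address.
"""
import ipaddress

# Constructed DNS answers. Google/Telus ranges are RFC 5737 placeholders.
DNS = {
    "TXT": {
        "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 -all",   # assumed Google outbound range
        "telus.net": "v=spf1 ip4:203.0.113.0/24 ~all",        # assumed ISP customer range
    },
    "A": {
        "example.com": ["64.13.223.66"],          # the web server from the thread
        "gmail.com": ["198.51.100.10"],           # gmail.com web front end, not an MTA (assumed)
        "aspmx.l.google.com": ["198.51.100.20"],  # inbound MX, which never sends (assumed)
    },
    "MX": {"example.com": ["aspmx.l.google.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms


def check_host(ip, domain, record, dns=DNS, lookups=None):
    """Evaluate sender `ip` against `record` published for `domain`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if lookups is None:
        lookups = [0]
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = dns["A"].get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "mx":
            mxs = dns["MX"].get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(h)
                          for mx in mxs for h in dns["A"].get(mx, []))
        elif name == "include":
            inner = dns["TXT"].get(arg)
            if inner is None:          # included domain has no record
                return "permerror"
            sub = check_host(ip, arg, inner, dns, lookups)
            if sub == "permerror":
                return sub
            matched = sub == "pass"    # include only matches on an inner pass
        else:
            return "permerror"         # mechanism outside this subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                   # fell off the end with no match


ORIGINAL = "v=spf1 ip4:64.13.223.0/24 a mx a:gmail.com include:telus.net ?all"
TIGHTENED = "v=spf1 ip4:64.13.223.66 include:_spf.google.com -all"

# Constructed sample senders to check against each record.
SAMPLE_SENDERS = {
    "web server": "64.13.223.66",
    "other host in the /24": "64.13.223.200",
    "Google outbound MTA": "192.0.2.50",
    "any Telus customer": "203.0.113.77",
    "gmail.com web front end": "198.51.100.10",
    "unrelated host": "10.0.0.1",
}


def evaluate(record, senders=SAMPLE_SENDERS, domain="example.com"):
    """Return {sender label: SPF result} for every sample sender."""
    return {label: check_host(ip, domain, record) for label, ip in senders.items()}


if __name__ == "__main__":
    for label, rec in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(f"{label}: {rec}")
        for who, result in evaluate(rec).items():
            print(f"  {who:26} -> {result}")
```

The interesting rows are the Google outbound MTA, which the original record never matches (the a:gmail.com and mx entries resolve to hosts that do not send mail, so it falls through to ?all and gets "neutral"), and the arbitrary Telus customer, which the original record passes outright via include:telus.net. Swap in "?include:_spf.google.com ~all" and Google's servers come back "neutral" while everything else is "softfail", which is the difference between the two include forms the reply discusses.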