Neil Gunton wrote:
> Andrew Culver wrote:
>> Does it? Look at the Return-path: header to see the SMTP MAIL FROM
>> address that they used. SPF looks at this, not the From: header which
>> your mail client displays.
>
> Ok, for example I have an email from paypal which is a notification of a
> payment to me. It is "From" the person who sent the payment, but the
> Return-path header is payment@paypal.com. So if I sent someone a payment
> via paypal, and my SPF has either ~all or -all, how would one or the
> other affect the recipient getting the ensuing notification email from
> paypal, assuming the recipient's email provider checks SPF?

The Return-path header is indicating what the SMTP MAIL FROM address
was. This is what SPF recipients look at. In this case, receivers would
look at the SPF record of paypal.com, not your domain. Paypal is doing
it right. (See Marc's thread for how someone in Paypal's situation could
do things wrong.)

>> Another problem you may run into is forwarding by other hosts. Suppose
>> user@yourhost sends mail to user@forwarder who then forwards to
>> user@target. If the @target mail server is doing SPF checking and the
>> @forwarder mail server is not performing address rewriting (SRS), then
>> the @target mail server will see mail coming from the @forwarding mail
>> server with @yourhost in the SMTP MAIL FROM. This is a problem of the
>> forwarder (to implement SRS) or the target (to whitelist the
>> forwarder)... but users may complain to you all the same. This is
>> where testing with ~all can be useful.
>
> Ok, so I'm not sure where that leaves me with regard to what to put in
> my SPF record, since obviously (well, presumably, since you brought it
> up) this scenario could happen any time, with any of my users. So what
> to do?
>
> Sorry, this just seems a bit confusing because people are telling me to
> "test", but I can't predict what situations or people I will be dealing
> with in the future.
>
> I can already tell that, narrowly speaking for my own simple case of
> dealing with sending emails to gmail and Yahoo!, that even -all works
> fine. But I don't know how you test for all possible (unknown) future
> situations to determine which form to use for all, like that forwarder
> scenario above, or mailing lists or whatever.
>
> Any advice on how to do this?

In the case of forwarders and mailing lists, this likely wouldn't change
your SPF record if you ran into problems. The problem would be with the
forwarder or mailing list operators to fix, since it's their problem.
Using ?all for a few weeks may help to identify these cases. By using
?all, messages may end up in a user's Spam folder rather than being
rejected. At least the recipient would still get the message and
hopefully alert you of the problem. You could then correct it or contact
the person responsible for correcting the problem before switching to -all.

You could also just set a low TTL (5 minutes) on your SPF record and set
it to -all. If you see any bounces that you don't expect, you can back
out with minimal impact. Don't forget to up the TTL when you're done
testing.

Andrew

> Thanks,
>
> Neil
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
> Modify Your Subscription: http://www.listbox.com/member/
> [http://www.listbox.com/member/]
>
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/14525495-91eca367
> Modify Your Subscription:
> https://www.listbox.com/member/?&
>
> Unsubscribe Now:
> https://www.listbox.com/unsubscribe/?&&post_id=20101202151028:3528C9C6-FE50-11DF-AC05-BE75F559ED1D
>
> Powered by Listbox: http://www.listbox.com
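
The notification and forwarding cases discussed in this message, as an added example that is not part of the original post: a minimal SPF check run over constructed records. The `.example` domains, the addresses and the SRS0 placeholder address are assumptions, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def records_for(all_qualifier):
    """Constructed SPF records (documentation address ranges, not real DNS)."""
    return {
        "yourhost.example": f"v=spf1 ip4:192.0.2.0/24 {all_qualifier}all",
        "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
        "notifier.example": "v=spf1 ip4:203.0.113.0/24 -all",
    }

def check_spf(client_ip, mail_from, records):
    """Evaluate only ip4 and all, for the domain of the SMTP MAIL FROM."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched

def notification(all_qualifier):
    # The From: header would show user@yourhost.example, but SPF never sees it;
    # the notifier sends with its own MAIL FROM from its own address.
    return check_spf("203.0.113.5", "payment@notifier.example",
                     records_for(all_qualifier))

def forwarded(all_qualifier, forwarder_uses_srs):
    # The forwarder relays from its own IP. Without SRS it keeps the
    # original MAIL FROM; with SRS it rewrites it into its own domain.
    mail_from = "user@yourhost.example"
    if forwarder_uses_srs:
        # Constructed SRS0 address; HHH and TT stand in for hash and timestamp.
        mail_from = "SRS0=HHH=TT=yourhost.example=user@forwarder.example"
    return check_spf("198.51.100.7", mail_from, records_for(all_qualifier))

if __name__ == "__main__":
    for q in "?~-":
        print(q + "all", notification(q), forwarded(q, False), forwarded(q, True))
```
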