Mailing List Archive

How to set up spf for my client/server situation
Hi, I'm sorry if this turns out to be a stupid question, but I'm having
some trouble working out how to construct my spf record. Here's my setup:

I have a colo server in a datacenter, which has a single ip address. I
run several websites on this server, with multiple domains that each
host a website. Email can be sent from any of these domains, via the
local sendmail server, with 'neil' as the username and then the current
website domain as the tld for the email address. So for example one of
my sites is crazyguyonabike.com, so when I send a registration email
from that site, it is 'From' neil@crazyguyonabike.com. The reverse DNS
and mx for the ip address is spidey.nilspace.com.

I also send email through this server from my home computer, which is on
a cable or DSL connection. When I do this, sendmail always seems to
attach a "may be forged" header to my emails, and I can't seem to stop
that from happening - presumably it's because my emails are "from"
neil@nilspace.com, but my originating ip address does not resolve to
nilspace.com, but rather to the cable or DSL company. This isn't the
main issue, though.

The problem is that I find that sometimes my emails just don't get
through at all. In particular, I recently changed the registration
confirmations on crazyguyonabike.com to be 'From'
neil@crazyguyonabike.com, whereas previously they came 'From'
neil@nilspace.com. I wanted the address to match the domain the person
was registering on. However now I have had a couple of instances where
these confirmations just aren't getting through at all, and this is to
yahoo.com email accounts, which previously have been very reliable in
terms of delivery. The messages aren't in the spam folder, they just
never seem to get through at all. The weird thing is that emails from
neil@nilspace.com, sent from my home computer, do get through. So the
automated ones from the server don't get through, but ones from home do,
but they are both coming from the same email server. I'm wondering if
the spf record has something to do with it - maybe Yahoo! is seeing
something weird about an email claiming to be from crazyguyonabike.com,
but my spf doesn't mention that domain? Here's my current SPF record,
generated a while back from an online wizard:

"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"

Should I have more stuff in there related to my other domains, even
though they all resolve to the same IP address? How about my home
connection, do I need to have anything related to that in there?

Hope this makes sense, please let me know if you need more information...

Thanks!

Neil


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101130204417:81179282-FCEC-11DF-97DB-AC9BBAB6F015
Powered by Listbox: http://www.listbox.com
Re: How to set up spf for my client/server situation
Neil Gunton wrote:
> Here's my current SPF record,
> generated a while back from an online wizard:
>
> "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"

Sorry, I just checked again and while that is the SPF record for
nilspace.com, there is a more basic record for crazyguyonabike.com, as
follows in my bind config:

TXT "v=spf1 a mx ptr ~all"

For nilspace.com, there are two lines:

TXT "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
SPF "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"

Could this be affecting delivery of messages coming 'from' different
domains on the same server (same ip address)?

Not sure if all this is even relevant, but I just have a feeling I'm not
doing this quite right... any insight welcomed.

Thanks again,

Neil


Re: How to set up spf for my client/server situation
At 01:53 01/12/2010 Wednesday, Neil Gunton wrote:
>Neil Gunton wrote:
>>Here's my current SPF record, generated a while back from an online wizard:
>>"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>
>Sorry, I just checked again and while that is the SPF record for nilspace.com, there is a more basic record for crazyguyonabike.com, as follows in my bind config:
>
>TXT "v=spf1 a mx ptr ~all"
>
>For nilspace.com, there are two lines:
>
>TXT "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>SPF "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>
>Could this be affecting delivery of messages coming 'from' different domains on the same server (same ip address)?

yes either way both are broke see previous mail

use ip4 if you know the ip (you do)
use a if you know only the name (the ip changes)
never use mx
never ever use ptr

and always use in order of cost to receiver

ip4 then a then include: (and if you really have to then mx)



>Not sure if all this is even relevant, but I just have a feeling I'm not doing this quite right... any insight welcomed.
>
>Thanks again,
>
>Neil
>
>
Re: Re: How to set up spf for my client/server situation
I have received your message. I am on holiday until December 16; I will read the message when I return on December 17.
For urgent matters you can write to info@biatwork.com; my colleagues will take care of your email.

Kind regards
Massimo Gregori





Re: How to set up spf for my client/server situation
alan wrote:
> At 01:53 01/12/2010 Wednesday, Neil Gunton wrote:
>> Neil Gunton wrote:
>>> Here's my current SPF record, generated a while back from an online wizard:
>>> "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>> Sorry, I just checked again and while that is the SPF record for nilspace.com, there is a more basic record for crazyguyonabike.com, as follows in my bind config:
>>
>> TXT "v=spf1 a mx ptr ~all"
>>
>> For nilspace.com, there are two lines:
>>
>> TXT "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>> SPF "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>
>> Could this be affecting delivery of messages coming 'from' different domains on the same server (same ip address)?
>
> yes either way both are broke see previous mail

By "broke", do you mean my current entries might explain why my emails
aren't getting through to some email providers? I.e. because they look
for SPF records, and find mine, which are somehow messed up and make
them reject the email? Or just broke as in not doing anything useful?

> use ip4 if you know the ip (you do)
> use a if you know only the name (the ip changes)
> never use mx
> never ever use ptr
>
> and always use in order of cost to receiver
>
> ip4 then a then include: (and if you really have to then mx)

Ok, so do you mean I should just have the following for each domain:

"v=spf1 ip4:208.64.24.170 -all"

If so, should I have this in both a TXT and SPF entry for bind?

I just want to make this work so that my emails get delivered more
reliably, that's all. Is the above going to do it?

Thanks again,

Neil


Re: How to set up spf for my client/server situation
At 06:17 01/12/2010 Wednesday, Neil Gunton wrote:
>alan wrote:
>>At 01:53 01/12/2010 Wednesday, Neil Gunton wrote:
>>>Neil Gunton wrote:
>>>>Here's my current SPF record, generated a while back from an online wizard:
>>>>"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>>Sorry, I just checked again and while that is the SPF record for nilspace.com, there is a more basic record for crazyguyonabike.com, as follows in my bind config:
>>>
>>>TXT "v=spf1 a mx ptr ~all"
>>>
>>>For nilspace.com, there are two lines:
>>>
>>>TXT "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>>SPF "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>>
>>>Could this be affecting delivery of messages coming 'from' different domains on the same server (same ip address)?
>>yes either way both are broke see previous mail
>
>By "broke", do you mean my current entries might explain why my emails aren't getting through to some email providers? I.e. because they look for SPF records, and find mine, which are somehow messed up and make them reject the email? Or just broke as in not doing anything useful?

broke as in the first not the second, didn't you read my first reply which explained in detail
(resending in case)


>>use ip4 if you know the ip (you do)
>>use a if you know only the name (the ip changes)
>>never use mx
>>never ever use ptr
>>and always use in order of cost to receiver
>>ip4 then a then include: (and if you really have to then mx)
>
>Ok, so do you mean I should just have the following for each domain:
>
>"v=spf1 ip4:208.64.24.170 -all"

yes if your policy is -all (i would use ?all to test and then decide if i wanted ~all or -all once i had an understanding of the difference)


>If so, should I have this in both a TXT and SPF entry for bind?

yes TXT and SPF for both
(as all will see TXT , SPF is the new and future home for the records but not all can see SPF records yet, fewer can publish them, only supported in recent versions of bind on a few distributions)

>I just want to make this work so that my emails get delivered more reliably, that's all. Is the above going to do it?

spf will not usually fix deliverability issues (period)
broke spf (as in your case) will cause them.

as spf is how you tell the world 'its from me' or 'its a forger pretending to be me'
if it works they know its from you, they still don't know if they want mail from you
if it breaks it tells people its likely a forgery or a spammer (breaking SPF syntax to hope to slip past checks that 'fail-open' )


>Thanks again,
>
>Neil
>
>
Re: How to set up spf for my client/server situation
ok questions dealt with in reverse order as its late and only the last approached an SPF issue

first off your SPF

"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"

utter bollix beyond useless and will get your mail dumped by any anti-spam system

starting from the fact you send all mail from one ip (spidey.nilspace.com)
should therefore be
"v=spf1 ip4:208.64.24.170
then either ?all ~all or -all

and that is all
the a (waste of receivers resources as it will be the same ip)
the mx (waste of receivers resources as it will be the same ip)
the ptr (should never be used and will never match)
the mx:spidey.nilspace.com (error breaking all as spidey.nilspace.com has no MX records)
the +all (biggest mistake of all says "oh and we send from every ip in the world too" classic spammer and will get mail shot)

now onto the rest

At 01:44 01/12/2010 Wednesday, Neil Gunton wrote:
>Hi, I'm sorry if this turns out to be a stupid question, but I'm having some trouble working out how to construct my spf record. Here's my setup:
>
>I have a colo server in a datacenter, which has a single ip address.

relevant

> I run several websites on this server, with multiple domains that each host a website. Email can be sent from any of these domains, via the local sendmail server, with 'neil' as the username and then the current website domain as the tld for the email address. So for example one of my sites is crazyguyonabike.com, so when I send a registration email from that site, it is 'From' neil@crazyguyonabike.com. The reverse DNS and mx for the ip address is spidey.nilspace.com.

irrelevant

ok assuming your sendmail greets [helo/ehlo] as spidey.nilspace.com.
first spf record should be for this domain (currently none)
as above it should only be for a helo/ehlo thus should terminate -all
v=spf1 ip4:208.64.24.170 -all

next neil@crazyguyonabike.com.
currently broken beyond belief
should be v=spf1 ip4:208.64.24.170 -/~/?all

-/~/? means pick one depending on the forgery handling policy you want receivers to follow

- means mail from any other ip should be considered spam/forged harshly HARDFAIL (breaks non-SRS forwarding to ISPs too sloppy to allow users to whitelist their own forwarders)
~ means to consider mail from any other ip to be probably spam (but not always) SOFTFAIL (survives more broken forwarding but also less strongly protects you from forgery)
? means consider mail that hasn't passed the spf test like you would mail with no SPF NEUTRAL (pointless but breaks less and forwarding and perfect for testing)

>I also send email through this server from my home computer, which is on a cable or DSL connection. When I do this, sendmail always seems to attach a "may be forged" header to my emails, and I can't seem to stop that from happening - presumably it's because my emails are "from" neil@nilspace.com, but my originating ip address does not resolve to nilspace.com, but rather to the cable or DSL company. This isn't the main issue, though.

pointless but nothing but sendmail being mis-configured
(you do send mail via an authenticated connection to port 587 (the mail submission port) I assume)
if so as long as sendmail trusts your ID/password it should trust your envelope-sender

>The problem is that I find that sometimes my emails just don't get through at all. In particular, I recently changed the registration confirmations on crazyguyonabike.com to be 'From' neil@crazyguyonabike.com, whereas previously they came 'From' neil@nilspace.com. I wanted the address to match the domain the person was registering on. However now I have had a couple of instances where these confirmations just aren't getting through at all, and this is to yahoo.com email accounts, which previously have been very reliable in terms of delivery. The messages aren't in the spam folder, they just never seem to get through at all. The weird thing is that emails from neil@nilspace.com, sent from my home computer, do get through. So the automated ones from the server don't get through, but ones from home do, but they are both coming from the same email server. I'm wondering if the spf record has something to do with it - maybe Yahoo! is seeing something weird about an email claiming to be from crazyguyonabike.com, but my spf doesn't mention that domain? Here's my current SPF record, generated a while back from an online wizard:

your and anyone spf is just a list of ip's nothing 'sees' the domains mentioned within
your spf having a broken second last record and ending +all is a more likely cause

and btw no one looks at the from address just the envelope-sender
its likely if your home mail is being treated differently it because either its envelope-sender is correct
(and thus the web-script is perhaps sending from:correct-address but leaving the envelope-sender as apache@spidey... or some other nonsense)

with sendmail its necessary to use -f and have the user running the process in trusted-users to allow 'forging/setting the envelope sender to anything but the default'

a copy of one of each type of mail with full headers will answer this faster than me trying to teach you how to distinguish between them

send one of each direct (not via list) to my address and I'll look at them in the morning, and tell you which is broken


>"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>
>Should I have more stuff in there related to my other domains, even though they all resolve to the same IP address? How about my home connection, do I need to have anything related to that in there?
>
>Hope this makes sense, please let me know if you need more information...
>
>Thanks!
>
>Neil
>
>
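
The records discussed in this thread, run through a small offline check (an added example, not code from any poster): it lints a record for the points raised above (`ptr`, `+all`, `ip4` placed after DNS-based mechanisms) and evaluates the record for a given connecting IP. The DNS answers, the address 192.0.2.10 and all function names are constructed for illustration; a real check needs live DNS lookups.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "ptr", "include", "exists")  # cost the receiver DNS lookups

# Records quoted in the thread.
ORIGINAL = "v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
FIXED = "v=spf1 ip4:208.64.24.170 -all"
SERVER = "208.64.24.170"
OTHER = "192.0.2.10"  # constructed: an unrelated host (documentation address range)
# Constructed stand-in for DNS, following the thread's statement that "a" and "mx"
# resolve to the same single server IP. Terms that are absent never match.
DNS = {"a": [SERVER], "mx": [SERVER]}


def parse_spf(record):
    """Return [(qualifier, mechanism, argument, raw_term)] for a v=spf1 record."""
    words = record.strip().strip('"').split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for word in words[1:]:
        if "=" in word:  # modifiers (redirect=, exp=) are out of scope here
            continue
        qualifier = word[0] if word[0] in RESULTS else "+"  # no sign means "+"
        raw = word[1:] if word[0] in RESULTS else word
        name, _, arg = raw.partition(":")
        name = name.split("/", 1)[0].lower()  # tolerate forms like a/24
        terms.append((qualifier, name, arg, raw))
    return terms


def lint_spf(record):
    """Flag the problems named in the thread; returns a list of finding codes."""
    terms = parse_spf(record)
    findings = []
    seen_dns = False
    for qualifier, name, _arg, _raw in terms:
        if name == "all" and qualifier == "+":
            findings.append("plus-all")  # authorizes every IP address
        if name == "ptr":
            findings.append("ptr")
        if name in ("ip4", "ip6") and seen_dns:
            findings.append("order")  # cheap ip4/ip6 listed after DNS lookups
        if name in DNS_MECHANISMS:
            seen_dns = True
    if not terms or terms[-1][1] != "all":
        findings.append("no-terminal-all")
    return findings


def check_host(record, client_ip, dns_answers=None):
    """Evaluate terms left to right; the first matching term decides the result.

    dns_answers maps a DNS-based term (e.g. "a", "mx:host.example") to the IPs
    it would authorize. It is a constructed substitute for real lookups.
    """
    ip = ipaddress.ip_address(client_ip)
    dns_answers = dns_answers or {}
    for qualifier, name, arg, raw in parse_spf(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            matched = any(ip == ipaddress.ip_address(a)
                          for a in dns_answers.get(raw, []))
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # SPF's default when no mechanism matches


if __name__ == "__main__":
    for label, record in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "lint:", lint_spf(record))
        for ip in (SERVER, OTHER):
            print("  ", ip, "->", check_host(record, ip, DNS))
```

With the original record the unrelated address gets `pass` because evaluation falls through to `+all`; with the replacement record only the server address passes.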
Re: How to set up spf for my client/server situation
Ok, thanks again. I have changed all my spf records for bind to the
following:

TXT "v=spf1 ip4:208.64.24.170 -all"
SPF "v=spf1 ip4:208.64.24.170 -all"

My setup is pretty simple - multiple domains on a single ip address, so
I guess that should do it, right? Thanks for the clarification of the
'all', the entry I had was generated (I think) from one of the spf
"wizards" online, possibly the Microsoft one, but I can't remember.
Obviously either I misunderstood the questions the wizard asked me, or
else the wizard itself was screwed up.

Also, what I am getting is that the ip address of my computer here at
home (which originates email sent personally by me) is irrelevant to spf
- the only ip address that matters is the address of my mail server, is
that correct? If so, then the above entries make perfect sense, since
they seem to say that mail can come from this ip address, and only this
ip address (true, I have no other email servers), and the '-all' says
exclude any other ip addresses. Sounds simple.

Sorry for my ignorance, I am very busy with development and did not take
the time to dedicate to learning about spf in depth, but you've been
extremely helpful. Much appreciated.

I think that should do it, please let me know if I'm missing anything
else here...

Thanks again,

Neil

Re: Re: How to set up spf for my client/server situation
I have received your message. I am on holiday until December 16; I will read the message when I return on December 17.
For urgent matters you can write to info@biatwork.com; my colleagues will take care of your email.

Kind regards
Massimo Gregori





Re: How to set up spf for my client/server situation
At 18:27 01/12/2010 Wednesday, Neil Gunton wrote:
>Ok, thanks again. I have changed all my spf records for bind to the following:
>
>TXT "v=spf1 ip4:208.64.24.170 -all"
>SPF "v=spf1 ip4:208.64.24.170 -all"

again i urge you to consider ?all while testing
(as you cannot easily guess what forwarding arrangements your receivers may have and -all will cause all receivers with badly setup (non-whitelisted forwarding hosts) to reject all the (forged by their own forwarder) mail)

>My setup is pretty simple - multiple domains on a single ip address, so I guess that should do it, right? Thanks for the clarification of the 'all', the entry I had was generated (I think) from one of the spf "wizards" online, possibly the Microsoft one,

the microsoft one is NOT spf (same syntax totally different system) called senderID, and not compatible

> but I can't remember. Obviously either I misunderstood the questions the wizard asked me, or else the wizard itself was screwed up.

usually the second; no wizard I have seen approaches anything near to simple logic.

>Also, what I am getting is that the ip address of my computer here at home (which originates email sent personally by me) is irrelevant to spf -

yes

> the only ip address that matters is the address of my mail server, is that correct?

not entirely, not your mail server, but any mail server that is allowed to send mail to others on your behalf

(for example if your server was only used to receive and you used your isp 'isp-x' to send mail only, then your spf should have no mention of your server just the ip's/names of the isp-x servers)

> If so, then the above entries make perfect sense, since they seem to say that mail can come from this ip address, and only this ip address (true, I have no other email servers), and the '-all' says exclude any other ip addresses. Sounds simple.

yup it is but..
-all means HARDFAIL all others (ie you recommend that they refuse mail from any other source)
~all means SOFTFAIL all others (ie you recommend treating other sources with suspicion)
?all means NEUTRAL all others (ie you recommend treating other sources neither positively (pass) nor negatively (fail), just treat them the way you do email with no spf)

as in my original mail

>Sorry for my ignorance, I am very busy with development and did not take the time to dedicate to learning about spf in depth, but you've been extremely helpful. Much appreciated.
>
>I think that should do it, please let me know if I'm missing anything else here...
>
>Thanks again,
>
>Neil
>
>alan wrote:
>>ok questions dealt with in reverse order as it's late and only the last approached an SPF issue
>>first off your SPF
>>"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>utter bollix beyond useless and will get your mail dumped by any anti-spam system
>>starting from the fact you send all mail from one ip (spidey.nilspace.com)
>>should therefore be
>>"v=spf1 ip4:208.64.24.170" then either ?all ~all or -all
>>and that is all
>>the a (waste of receivers' resources as it will be the same ip)
>>the mx (waste of receivers' resources as it will be the same ip)
>>the ptr (should never be used and will never match)
>>the mx:spidey.nilspace.com (error breaking all as spidey.nilspace.com has no MX records)
>>the +all (biggest mistake of all says "oh and we send from every ip in the world too" classic spammer and will get mail shot)
>>now onto the rest
>>At 01:44 01/12/2010 Wednesday, Neil Gunton wrote:
>>>Hi, I'm sorry if this turns out to be a stupid question, but I'm having some trouble working out how to construct my spf record. Here's my setup:
>>>
>>>I have a colo server in a datacenter, which has a single ip address.
>>relevant
>>
>>>I run several websites on this server, with multiple domains that each host a website. Email can be sent from any of these domains, via the local sendmail server, with 'neil' as the username and then the current website domain as the tld for the email address. So for example one of my sites is crazyguyonabike.com, so when I send a registration email from that site, it is 'From' neil@crazyguyonabike.com. The reverse DNS and mx for the ip address is spidey.nilspace.com.
>>irrelevant
>>ok assuming your sendmail greets [helo/ehlo] as spidey.nilspace.com.
>>first spf record should be for this domain (currently none)
>>as above it should only be for a helo/ehlo thus should terminate -all
>>v=spf1 ip4:208.64.24.170 -all
>>next neil@crazyguyonabike.com.
>>currently broken beyond belief
>>should be v=spf1 ip4:208.64.24.170 -/~/?all
>>-/~/? means pick one depending on the forgery handling policy you want receivers to follow
>>- means mail from any other ip should be considered spam/forged harshly HARDFAIL (breaks non-SRS forwarding to ISPs too sloppy to allow users to whitelist their own forwarders)
>>~ means to consider mail from any other ip to be probably spam (but not always) SOFTFAIL (survives more broken forwarding but also less strongly protects you from forgery)
>>? means consider mail that hasn't passed the spf test like you would mail with no SPF NEUTRAL (pointless but breaks less and forwarding and perfect for testing)
>>
>>>I also send email through this server from my home computer, which is on a cable or DSL connection. When I do this, sendmail always seems to attach a "may be forged" header to my emails, and I can't seem to stop that from happening - presumably it's because my emails are "from" neil@nilspace.com, but my originating ip address does not resolve to nilspace.com, but rather to the cable or DSL company. This isn't the main issue, though.
>>pointless but nothing but sendmail being mis-configured
>>(you do send mail via an authenticated connection to port 587 (the mail submission port) I assume)
>>if so as long as sendmail trusts your ID/password it should trust your envelope-sender
>>
>>>The problem is that I find that sometimes my emails just don't get through at all. In particular, I recently changed the registration confirmations on crazyguyonabike.com to be 'From' neil@crazyguyonabike.com, whereas previously they came 'From' neil@nilspace.com. I wanted the address to match the domain the person was registering on. However now I have had a couple of instances where these confirmations just aren't getting through at all, and this is to yahoo.com email accounts, which previously have been very reliable in terms of delivery. The messages aren't in the spam folder, they just never seem to get through at all. The weird thing is that emails from neil@nilspace.com, sent from my home computer, do get through. So the automated ones from the server don't get through, but ones from home do, but they are both coming from the same email server. I'm wondering if the spf record has something to do with it - maybe Yahoo! is seeing something weird about an email claiming to be from crazyguyonabike.com, but my spf doesn't mention that domain? Here's my current SPF record, generated a while back from an online wizard:
>>your and anyone's spf is just a list of ip's nothing 'sees' the domains mentioned within
>>your spf having a broken second last record and ending +all is a more likely cause
>>and btw no one looks at the from address just the envelope-sender
>>it's likely if your home mail is being treated differently it's because either its envelope-sender is correct
>>(and thus the web-script is perhaps sending from:correct-address but leaving the envelope-sender as apache@spidey... or some other nonsense)
>>with sendmail it's necessary to use -f and have the user running the process in trusted-users to allow 'forging/setting the envelope sender to anything but the default'
>>a copy of one of each type of mail with full headers will answer this faster than me trying to teach you how to distinguish between them
>>send one of each direct (not via list) to my address and I'll look at them in the morning, and tell you which is broken
>>
>>>"v=spf1 a mx ptr ip4:208.64.24.170 mx:spidey.nilspace.com +all"
>>>
>>>Should I have more stuff in there related to my other domains, even though they all resolve to the same IP address? How about my home connection, do I need to have anything related to that in there?
>>>
>>>Hope this makes sense, please let me know if you need more information...
>>>
>>>Thanks!
>>>
>>>Neil
>>>
>>>
Re: How to set up spf for my client/server situation [ In reply to ]
alan wrote:
> At 18:27 01/12/2010 Wednesday, Neil Gunton wrote:
>> Ok, thanks again. I have changed all my spf records for bind to the following:
>>
>> TXT "v=spf1 ip4:208.64.24.170 -all"
>> SPF "v=spf1 ip4:208.64.24.170 -all"
>
> again I urge you to consider ?all while testing
> (as you cannot easily guess what forwarding arrangements your receivers may have and -all will cause all receivers with badly setup (non-whitelisted forwarding hosts) to reject all the (forged by their own forwarder) mail)

Then I don't see when you would ever use -all, because with any public
email system you cannot predict in advance who you will be sending
messages to. You never have any idea what their forwarding setups are.
So why do you say "during testing"? When would this testing phase end,
exactly? How could it ever end, given the intrinsic uncertainty of who
you might have to send emails to in the future?

All I do know is that I definitely want to make it clear to the world
that email coming from me can only originate from my server.

> the microsoft one is NOT spf (same syntax totally different system) called senderID, and not compatible

Then their web page is extremely misleading, because they use "SPF" in
the title:

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Anybody (like myself) looking around on the web for SPF wizards to help
them construct one of these records might reasonably assume that "SPF is
SPF", and use this - the result looks identical to the official SPF to
me. This is really bad, especially as you're saying they are actually
incompatible.

>> but I can't remember. Obviously either I misunderstood the questions the wizard asked me, or else the wizard itself was screwed up.
>
> usually the second; no wizard I have seen approaches anything near to simple logic.

Again, this is bad, most people will try to use the wizards rather than
spend their time learning the innards of yet another specification.

>> the only ip address that matters is the address of my mail server, is that correct?
>
> not entirely, not your mail server, but any mail server that is allowed to send mail to others on your behalf

The only server that is allowed to send emails to others as coming from
me or any of my website processes is my server. I don't know of any
situation where some other server is going to be sending emails to
others "on my behalf", isn't that just a recipe for spammers to send
email as "me"? It should never happen, as far as I know.

> (for example if your server was only used to receive and you used your isp 'isp-x' to send mail only, then your spf should have no mention of your server just the ip's/names of the isp-x servers)

My email server is used to send and receive all my email.

> -all means HARDFAIL all others (ie you recommend that they refuse mail from any other source)
> ~all means SOFTFAIL all others (ie you recommend treating other sources with suspicion)
> ?all means NEUTRAL all others (ie you recommend treating other sources neither positively (pass) nor negatively (fail), just treat them the way you do email with no spf)

Given that all mail I send or receive goes from/to this one server,
isn't this about as solid a case as you could ever get for using -all?

Thanks again,

Neil


Re: How to set up spf for my client/server situation [ In reply to ]
Hi Neil,

Neil Gunton wrote:
> Then I don't see when you would ever use -all, because with any public
> email system you cannot predict in advance who you will be sending
> messages to. You never have any idea what their forwarding setups are.
> So why do you say "during testing"? When would this testing phase end,
> exactly? How could it ever end, given the intrinsic uncertainty of who
> you might have to send emails to in the future?

You'd be testing who is sending mail, not receiving it. It's up to the
receivers to decide how to handle your mail and how to act upon your SPF
record. All you can do is make sure your record is correct.

> All I do know is that I definitely want to make it clear to the world
> that email coming from me can only originate from my server.

The SPF record you mentioned in your last message should work fine.

>> the microsoft one is NOT spf (same syntax totally different system)
>> called senderID, and not compatible
>
> Then their web page is extremely misleading, because they use "SPF" in
> the title:
>
> http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Yes it is.

> Anybody (like myself) looking around on the web for SPF wizards to help
> them construct one of these records might reasonably assume that "SPF is
> SPF", and use this - the result looks identical to the official SPF to
> me. This is really bad, especially as you're saying they are actually
> incompatible.

It's not that they're incompatible. If you only publish an SPF record,
Sender-ID will use that. However, the behaviour of Sender-ID is
different from that of SPF.

It is recommended, that if you do not intend for your SPF record to be
used by Sender-ID-aware hosts, that you also publish the following
Sender-ID record:

TXT "spf2.0/pra"

If, however, you wish to use Sender-ID, you should research it and
publish an appropriate record.

>>> but I can't remember. Obviously either I misunderstood the questions
>>> the wizard asked me, or else the wizard itself was screwed up.
>>
>> usually the second; no wizard I have seen approaches anything near to
>> simple logic.
>
> Again, this is bad, most people will try to use the wizards rather than
> spend their time learning the innards of yet another specification.

Most SPF records can be generated by asking the simple question: "What
hosts are authorized to send mail for your domain?" Then list the IP
addresses of those hosts in your SPF record as you have done.

>>> the only ip address that matters is the address of my mail server, is
>>> that correct?
>>
>> not entirely, not your mail server, but any mail server that is
>> allowed to send mail to others on your behalf
>
> The only server that is allowed to send emails to others as coming from
> me or any of my website processes is my server. I don't know of any
> situation where some other server is going to be sending emails to
> others "on my behalf", isn't that just a recipe for spammers to send
> email as "me"? It should never happen, as far as I know.

If, for example, you hired a marketing company to send communications to
your customers. If they sent emails from their servers as you, one
option would be to add their servers to your SPF record. (There are
other, often better solutions for this.)

>> (for example if your server was only used to receive and you used your
>> isp 'isp-x' to send mail only, then your spf should have no mention of
>> your server just the ip's/names of the isp-x servers)
>
> My email server is used to send and receive all my email.

Then the record you have is fine.

>
>> -all means HARDFAIL all others (ie you recommend that they refuse
>> mail from any other source)
>> ~all means SOFTFAIL all others (ie you recommend treating other
>> sources with suspicion)
>> ?all means NEUTRAL all others (ie you recommend treating other
>> sources neither positively (pass) nor negatively (fail), just treat them
>> the way you do email with no spf)
>
> Given that all mail I send or receive goes from/to this one server,
> isn't this about as solid a case as you could ever get for using -all?

Yes. Not all mail environments are as simple as yours. These options are
available to allow for increased/softer testing.

Andrew

>
> Thanks again,
>
> Neil
>
>
Re: How to set up spf for my client/server situation [ In reply to ]
> Then I don't see when you would ever use -all

You use -all when you're sure you've got the config right. Are you sure
your config is right?

> Then their web page is extremely misleading

This is not news. Please complain to them - it was their decision to
attempt to subvert SPF.

> The only server that is allowed to send emails to others as coming from
> me or any of my website processes is my server. I don't know of any
> situation where some other server is going to be sending emails to
> others "on my behalf"

Mailing lists are the usual fare. They often send on mails with the
original envelope address; this is a forgery, but it is your email that
will suffer.

> isn't that just a recipe for spammers to send
> email as "me"? It should never happen, as far as I know.

That last phrase is the important one. That's why people have been
suggesting you do not use "-all" immediately.

> Given that all mail I send or receive goes from/to this one server,
> isn't this about as solid a case as you could ever get for using -all?

If you are sure that what you have told us is 100% accurate and complete,
then yes. If you have missed out anything or have any misunderstandings,
it could cause your mail to be undeliverable for as long as any DNS server
decides to cache your record - which is frequently longer than the TTL you
specify.

Do you not think it might be a good idea to take the advice not to use
"-all" just yet? I've been doing SPF for some years now, and I still make
mistakes, although clearly you might have a much better grasp of the
technology than I.

Vic.
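
The -all versus ?all trade-off argued over in this thread, as an added example (not code from any poster or from the SPF project): a small evaluator for SPF records made only of ip4/ip6/all terms, run against the thread's record with each ending, once from the real server and once from a forwarder that keeps the original envelope sender. The forwarder address 192.0.2.25, the host name forwarder.example, the webscript@ sender and all function names are assumptions made for the illustration.

```python
import ipaddress

# Qualifier -> SPF result (RFC 7208); a mechanism without a qualifier means "+".
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, client_ip):
    """Evaluate an SPF record built only from ip4/ip6/all terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # e.g. a Sender-ID "spf2.0/pra" record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all" and not arg:
            return RESULT[qualifier]         # "all" matches every client IP
        if name not in ("ip4", "ip6"):
            # a, mx, ptr, include, exists and modifiers need DNS: outside this example
            raise NotImplementedError(term)
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"               # malformed address or prefix
        if net.version != int(name[2]):
            return "permerror"               # ip4: holding an IPv6 network, or the reverse
        if ip in net:
            return RESULT[qualifier]         # the first matching term decides
    return "neutral"                         # nothing matched and no "all" term


def spf_identity(mail_from, helo):
    """Domain whose record is consulted: the envelope sender's, or HELO for a null sender.
    The From: header plays no part in this choice."""
    return mail_from.rpartition("@")[2].lower() if mail_from else helo.lower()


# Constructed zone data: the records the thread converges on.
ZONE = {
    "crazyguyonabike.com": "v=spf1 ip4:208.64.24.170 -all",
    "nilspace.com": "v=spf1 ip4:208.64.24.170 -all",
}


def check(client_ip, helo, mail_from, zone=ZONE):
    """Return (domain checked, SPF result) for one SMTP transaction."""
    domain = spf_identity(mail_from, helo)
    record = zone.get(domain)
    return domain, ("none" if record is None else evaluate(record, client_ip))


SERVER = "208.64.24.170"    # the single sending host named in the thread
FORWARDER = "192.0.2.25"    # constructed: a forwarder that keeps the envelope sender


def compare_endings(mail_from="neil@crazyguyonabike.com"):
    """(direct, forwarded) results for each way of ending the record."""
    table = {}
    for ending in ("+all", "?all", "~all", "-all"):
        zone = {"crazyguyonabike.com": f"v=spf1 ip4:{SERVER} {ending}"}
        direct = check(SERVER, "spidey.nilspace.com", mail_from, zone)[1]
        forwarded = check(FORWARDER, "forwarder.example", mail_from, zone)[1]
        table[ending] = (direct, forwarded)
    return table


if __name__ == "__main__":
    for ending, (direct, forwarded) in compare_endings().items():
        print(f"{ending}: direct={direct:8} forwarded={forwarded}")
    # Constructed case: a web script that leaves the envelope sender at a host-name
    # address is checked against that host name, whatever the From: header says.
    print(check(SERVER, "spidey.nilspace.com", "webscript@spidey.nilspace.com"))
```

Only the forwarded column changes between ?all, ~all and -all, which is the whole of the risk being discussed; with +all even the unrelated forwarder address gets a pass.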



Re: How to set up spf for my client/server situation [ In reply to ]
Andrew Culver wrote:
> You'd be testing who is sending mail, not receiving it. It's up to the
> receivers to decide how to handle your mail and how to act upon your SPF
> record. All you can do is make sure your record is correct.

I have done some tests with sending to gmail accounts, and it does seem
to be working. Google lets you look at how they interpreted the SPF
record, and it looks good from their end.

>> All I do know is that I definitely want to make it clear to the world
>> that email coming from me can only originate from my server.
>
> The SPF record you mentioned in your last message should work fine.

That's good, thanks.

> It's not that they're incompatible. If you only publish an SPF record,
> Sender-ID will use that. However, the behaviour of Sender-ID is
> different from that of SPF.

My main goal here is to ensure that my messages get delivered to the
people who attempt to use my website. It has seemed recently that I've
been getting more messages from people complaining that they never got
the confirmation email, even after looking in their spam folder etc. So
this prompted my quest to perfect the SPF record, and I'm really glad I
joined this list now, because apparently my previous attempt was
severely messed up.

> It is recommended, that if you do not intend for your SPF record to be
> used by Sender-ID-aware hosts, that you also publish the following
> Sender-ID record:
>
> TXT "spf2.0/pra"
>
> If, however, you wish to use Sender-ID, you should research it and
> publish an appropriate record.

Is there much benefit to going to that trouble? Will hosts that use
Sender-ID be able to see from my existing SPF record that the email is
genuine? They are so similar, I don't see why we need a different
standard. In fact the worst case is when it is "similar but different",
in my experience. Oh, sorry, I forgot we're talking about Microsoft
here. Carry on.

> Most SPF records can be generated by asking the simple question: "What
> hosts are authorized to send mail for your domain?" Then list the IP
> addresses of those hosts in your SPF record as you have done.

That's very simple and clear, thanks.

>> The only server that is allowed to send emails to others as coming
>> from me or any of my website processes is my server. I don't know of
>> any situation where some other server is going to be sending emails to
>> others "on my behalf", isn't that just a recipe for spammers to send
>> email as "me"? It should never happen, as far as I know.
>
> If, for example, you hired a marketing company to send communications to
> your customers. If they sent emails from their servers as you, one
> option would be to add their servers to your SPF record. (There are
> other, often better solutions for this.)

Yikes - that sounds like spam to me. But I do understand, thanks again.

>> My email server is used to send and receive all my email.
>
> Then the record you have is fine.

Good.

>> Given that all mail I send or receive goes from/to this one server,
>> isn't this about as solid a case as you could ever get for using -all?
>
> Yes. Not all mail environments are as simple as yours. These options are
> available to allow for increased/softer testing.

I appreciate that, thanks again for your patience.

Neil


Re: How to set up spf for my client/server situation [ In reply to ]
Vic wrote:
> Do you not think it might be a good idea to take the advice not to use
> "-all" just yet? I've been doing SPF for some years now, and I still make
> mistakes, although clearly you might have a much better grasp of the
> technology than I.

I'm not trying to be argumentative here, but from what I gather my setup
really is very simple. I only send and receive email from the one,
single server. I don't run any mailing lists, nobody else sends emails
on my behalf. I have tested the new SPF record with Yahoo! and Gmail,
and it passes. Since I fixed the previous broken config (thanks
Microsoft) I haven't had any problems with people registering.

Thanks again to everybody, this has been very useful, I'm most
appreciative of all the replies.

Neil


Re: How to set up spf for my client/server situation [ In reply to ]
> I'm not trying to be argumentative here, but from what I gather my setup
> really is very simple.

You have been advised - properly, IMO - to run a "testing" record before
jumping in feet-first and implementing a policy that could conceivably
result in your email being undeliverable for multiple days. It is entirely
up to you whether or not to take that advice. The rest of us don't care -
it's not *our* mail you're risking.

> I don't run any mailing lists

Do you use any mailing lists? Do any of them forge your envelope address?
Do you use any non-conformant mail subscriptions (like PayPal, for
example)?

It is a trivial matter to tighten up your policy at a later date. I am
astounded that you are so loath to test something before you commit to it
- but it's your mail, so go ahead.

> nobody else sends emails on my behalf.

Do you know that for certain, or are you just asserting what you would
like to be the case?

Vic.



Re: How to set up spf for my client/server situation [ In reply to ]
Hi,

Let me please join your conversation in the "asking" part of it.

Andrew, you introduce an interesting question to me:

*"If, for example, you hired a marketing company to send communications to
your customers. If they sent emails from their servers as you, one option
would be to add their servers to your SPF record. (There are other, often
better solutions for this.)"*


Recently, I've recommended a client of us (we are a small web agency
offering e-mail marketing solutions) to add our server's ip4 to their SPF
record.

Could you suggest a better solution for that case? They send mail to a
legitimate list of their customers and interested people, no spamming. They
send mail from the servers behind their domain, and we send mail on their
behalf from a server we manage.

We are completely open to any comment that may help mail filters and
handlers correctly qualify our messages.

Regards,

Marc Olivé i Valls
El Nucli
________________________________________________________________________________

Marc Olivé i Valls | marc@elnucli.com | www.elnucli.com

El Nucli is on Facebook
<http://www.facebook.com/pages/Manresa-Spain/El-Nucli/128809810270> | We
sometimes tweet! <http://twitter.com/elnucli>

El Nucli 9-08, S.L. | Avinguda de les Bases de Manresa 52-58 1er 3a | 08242
• Manresa
tel: 937.013.260 | fax: 937.013.011

(Before printing this email, think about your commitment to the
environment)
On Thu, Dec 2, 2010 at 6:48 PM, Andrew Culver <aculver@uwo.ca> wrote:

> Hi Neil,
>
>
> Neil Gunton wrote:
>
>> Then I don't see when you would ever use -all, because with any public
>> email system you cannot predict in advance who you will be sending messages
>> to. You never have any idea what their forwarding setups are. So why do you
>> say "during testing"? When would this testing phase end, exactly? How could
>> it ever end, given the intrinsic uncertainty of who you might have to send
>> emails to in the future?
>>
>
> You'd be testing who is sending mail, not receiving it. It's up to the
> receivers to decide how to handle your mail and how to act upon your SPF
> record. All you can do is make sure your record is correct.
>
>
> All I do know is that I definitely want to make it clear to the world that
>> email coming from me can only originate from my server.
>>
>
> The SPF record you mentioned in your last message should work fine.
>
>
> the microsoft one is NOT spf (same syntax totally different system) called
>>> senderID, and not compatible
>>>
>>
>> Then their web page is extremely misleading, because they use "SPF" in the
>> title:
>>
>>
>> http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
>>
>
> Yes it is.
>
>
> Anybody (like myself) looking around on the web for SPF wizards to help
>> them construct one of these records might reasonably assume that "SPF is
>> SPF", and use this - the result looks identical to the official SPF to me.
>> This is really bad, especially as you're saying they are actually
>> incompatible.
>>
>
> It's not that they're incompatible. If you only publish an SPF record,
> Sender-ID will use that. However, the behaviour of Sender-ID is different
> from that of SPF.
>
> It is recommended, that if you do not intend for your SPF record to be used
> by Sender-ID-aware hosts, that you also publish the following Sender-ID
> record:
>
> TXT "spf2.0/pra"
>
> If, however, you wish to use Sender-ID, you should research it and publish
> an appropriate record.
>
>
> but I can't remember. Obviously either I misunderstood the questions the
>>>> wizard asked me, or else the wizard itself was screwed up.
>>>>
>>>
>>> usually the second no wizard i have seen approaches anything near to
>>> simple logic.
>>>
>>
>> Again, this is bad, most people will try to use the wizards rather than
>> spend their time learning the innards of yet another specification.
>>
>
> Most SPF records can be generated by asking the simple question: "What
> hosts are authorized to send mail for your domain?" Then list the IP
> addresses of those hosts in your SPF record as you have done.
>
>
> the only ip address that matters is the address of my mail server, is that
>>>> correct?
>>>>
>>>
>>> not entirely, not your mail server, but any mail server that is allowed
>>> to send mail to others on your behalf
>>>
>>
>> The only server that is allowed to send emails to others as coming from me
>> or any of my website processes is my server. I don't know of any situation
>> where some other server is going to be sending emails to others "on my
>> behalf", isn't that just a recipe for spammers to send email as "me"? It
>> should never happen, as far as I know.
>>
>
> If, for example, you hired a marketing company to send communications to
> your customers. If they sent emails from their servers as you, one option
> would be to add their servers to your SPF record. (There are other, often
> better solutions for this.)
>
>
> {for example if your server was only used to receive and you used your isp
>>> 'isp-x' to send mail only, then your spf should have no mention of your
>>> server just the ip's/names of the isp-x servers)
>>>
>>
>> My email server is used to send and receive all my email.
>>
>
> Then the record you have is fine.
>
>
>
>> - all means HARDFAIL all others (ie you recommend that they refuse mail
>>> from any other source)
>>> ~ all means SOFTFAIL all others (ie you recommend treating other sources
>>> with suspicion)
>>> ? all means NEUTRAL all others (ie you recommend treating other sources
>>> neither positively(pass) or negatively(fail) just treat them the way you do
>>> email with no spf)
>>>
>>
>> Given that all mail I send or receive goes from/to this one server, isn't
>> this about as solid a case as you could ever get for using -all?
>>
>
> Yes. Not all mail environments are as simple as yours. These options are
> available to allow for increased/softer testing.
>
> Andrew
>
>
>> Thanks again,
>>
>> Neil



Re: How to set up spf for my client/server situation [ In reply to ]
Vic wrote:
> Do you use any mailing lists? Do any of them forge your envelope address?
> Do you use any non-conformant mail subscriptions (like PayPal, for
> example)?

That's an excellent point. Paypal does send emails as being "from" its
users, doesn't it. And I do use mailing lists.

Ok, you've convinced me. I'll try '?all' instead of '-all' and see how
providers like Google and Yahoo! treat it. Of course I'll wait until the
TTL period expires (and more) to be sure.

Thanks again,

Neil


Re: How to set up spf for my client/server situation [ In reply to ]
alan wrote:
> - all means HARDFAIL all others (ie you recommend that they refuse mail from any other source)
> ~ all means SOFTFAIL all others (ie you recommend treating other sources with suspicion)
> ? all means NEUTRAL all others (ie you recommend treating other sources neither positively(pass) or negatively(fail) just treat them the way you do email with no spf)

Ok, Vic raised excellent points in his previous email about me being
part of mailing lists (ironically, including this one) and also Paypal,
who sends out emails (I think) as being "from" me. I do use paypal on my
site for incoming donations, and I do on occasion paypal other people
money, so that might be very relevant.

Accordingly, I have changed to ?all now, as recommended for testing.

The next question is, let's say everything seems to be working fine, at
what point would I change this to ~all? Or is ?all a good way to leave
it long term?

Would ?all make some email providers treat emails coming from me with
any more suspicion than usual, since it is apparently more open to being
spoofed? I know it recommends neither positive or negative, but I'm just
wondering if some of the more aggressive email filters out there might
have a "presumed guilty" policy for more open SPF records.

Thanks again,

Neil


Re: How to set up spf for my client/server situation [ In reply to ]
Hi Marc,

The solution of having each of your clients add your mail servers (or
preferably include your SPF record) into their SPF record will work, but
you're adding extra work for each of your clients.

What we have done (uwo.ca) is instead asked any outside mailers wanting
to send mail as fundraiser@uwo.ca to change their SMTP MAIL FROM address
to their own domain and use fundraiser@uwo.ca in the From: header.

The From: header is what appears in the mail client. The user reading
the email doesn't really care what the SMTP MAIL FROM is. SPF cares
about the SMTP MAIL FROM, not the From: header.

This problem and the solution are described here:
http://www.openspf.org/Best_Practices/Webgenerated

Case 1)
MAIL FROM: fundraiser@uwo.ca
...
From: fundraiser@uwo.ca
To: user@uwo.ca

This will fail SPF. Bounces will be sent to fundraiser@uwo.ca.

For this to work, the uwo.ca SPF record needs to be modified. The user
fundraiser@uwo.ca may also receive bounces which they may not want to
see.


Case 2)
MAIL FROM: bounces@marketingcompany.com
...
From: fundraiser@uwo.ca
To: user@uwo.ca

This will pass SPF (assuming marketingcompany.com's SPF record is in
order). Bounces will be sent to bounces@marketingcompany.com (which
would allow the sender of the mail to better track bounces). The
recipient of this mail sees that the message was sent from
fundraiser@uwo.ca in their mail client.

This eliminates the need for your clients to modify their SPF. The
appearance of the email is maintained. You (as the mailer) can better
track bounces and eliminate non-existent mailboxes.


We've found this most effective and once the mailer has corrected their
SMTP MAIL FROM, there are never any more problems. Also, once the mailer
has made this change, it will work for ALL of their clients, eliminating
all SPF issues they would have had by using their clients' domain.

Andrew



Marc Olivé wrote:
> Hi,
>
> Let me please join your conversation in the "asking" part of it.
>
> Andrew, you introduce an interesting question to me:
>
> /"If, for example, you hired a marketing company to send
> communications to your customers. If they sent emails from their
> servers as you, one option would be to add their servers to your SPF
> record. (There are other, often better solutions for this.)"/
>
>
> Recently, I've recommended a client of ours (we are a small web agency
> offering e-mail marketing solutions) to add our server's ip4 to their
> SPF record.
>
> Could you suggest a better solution for that case? They send mail to a
> legitimate list of their customers and interested people, no spamming.
> They send mail from the servers behind their domain, and we send mail on
> their behalf from a server we manage.
>
> We are completely open to any comment that may help mail filters and
> handlers correctly qualify our messages.
>
> Regards,
>
> Marc Olivé i Valls
> El Nucli
> ________________________________________________________________________________
>
> Marc Olivé i Valls | marc@elnucli.com <mailto:marc@elnucli.com> |
> www.elnucli.com <http://www.elnucli.com>
>
> El Nucli is on Facebook
> <http://www.facebook.com/pages/Manresa-Spain/El-Nucli/128809810270> |
> Sometimes we tweet! <http://twitter.com/elnucli>
>
> El Nucli 9-08, S.L. | Avinguda de les Bases de Manresa 52-58 1er 3a |
> 08242 • Manresa
> tel: 937.013.260 | fax: 937.013.011
>
> (Before printing this e-mail, think about your commitment to the
> environment)
> On Thu, Dec 2, 2010 at 6:48 PM, Andrew Culver <aculver@uwo.ca
> <mailto:aculver@uwo.ca>> wrote:
>
> Hi Neil,
>
>
> Neil Gunton wrote:
>
> Then I don't see when you would ever use -all, because with any
> public email system you cannot predict in advance who you will
> be sending messages to. You never have any idea what their
> forwarding setups are. So why do you say "during testing"? When
> would this testing phase end, exactly? How could it ever end,
> given the intrinsic uncertainty of who you might have to send
> emails to in the future?
>
>
> You'd be testing who is sending mail, not receiving it. It's up to
> the receivers to decide how to handle your mail and how to act upon
> your SPF record. All you can do is make sure your record is correct.
>
>
> All I do know is that I definitely want to make it clear to the
> world that email coming from me can only originate from my server.
>
>
> The SPF record you mentioned in your last message should work fine.
>
>
> the microsoft one is NOT spf (same syntax totally different
> system) called senderID, and not compatible
>
>
> Then their web page is extremely misleading, because they use
> "SPF" in the title:
>
> http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
>
>
>
> Yes it is.
>
>
> Anybody (like myself) looking around on the web for SPF wizards
> to help them construct one of these records might reasonably
> assume that "SPF is SPF", and use this - the result looks
> identical to the official SPF to me. This is really bad,
> especially as you're saying they are actually incompatible.
>
>
> It's not that they're incompatible. If you only publish an SPF
> record, Sender-ID will use that. However, the behaviour of Sender-ID
> is different from that of SPF.
>
> It is recommended, that if you do not intend for your SPF record to
> be used by Sender-ID-aware hosts, that you also publish the
> following Sender-ID record:
>
> TXT "spf2.0/pra"
>
> If, however, you wish to use Sender-ID, you should research it and
> publish an appropriate record.
>
>
> but I can't remember. Obviously either I misunderstood
> the questions the wizard asked me, or else the wizard
> itself was screwed up.
>
>
> usually the second no wizard i have seen approaches anything
> near to simple logic.
>
>
> Again, this is bad, most people will try to use the wizards
> rather than spend their time learning the innards of yet another
> specification.
>
>
> Most SPF records can be generated by asking the simple question:
> "What hosts are authorized to send mail for your domain?" Then list
> the IP addresses of those hosts in your SPF record as you have done.
>
>
> the only ip address that matters is the address of my
> mail server, is that correct?
>
>
> not entirely, not your mail server, but any mail server that
> is allowed to send mail to others on your behalf
>
>
> The only server that is allowed to send emails to others as
> coming from me or any of my website processes is my server. I
> don't know of any situation where some other server is going to
> be sending emails to others "on my behalf", isn't that just a
> recipe for spammers to send email as "me"? It should never
> happen, as far as I know.
>
>
> If, for example, you hired a marketing company to send
> communications to your customers. If they sent emails from their
> servers as you, one option would be to add their servers to your SPF
> record. (There are other, often better solutions for this.)
>
>
> {for example if your server was only used to receive and you
> used your isp 'isp-x' to send mail only, then your spf
> should have no mention of your server just the ip's/names of
> the isp-x servers)
>
>
> My email server is used to send and receive all my email.
>
>
> Then the record you have is fine.
>
>
>
> - all means HARDFAIL all others (ie you recommend that they
> refuse mail from any other source)
> ~ all means SOFTFAIL all others (ie you recommend treating
> other sources with suspicion)
> ? all means NEUTRAL all others (ie you recommend treating
> other sources neither positively(pass) or negatively(fail)
> just treat them the way you do email with no spf)
>
>
> Given that all mail I send or receive goes from/to this one
> server, isn't this about as solid a case as you could ever get
> for using -all?
>
>
> Yes. Not all mail environments are as simple as yours. These options
> are available to allow for increased/softer testing.
>
> Andrew
>
>
> Thanks again,
>
> Neil
>


Re: Re: How to set up spf for my client/server situation [ In reply to ]
I have received your message. I am on holiday until 16 December and will read the message when I return on 17 December.
For urgent matters you can write to info@biatwork.com; my colleagues will take care of your e-mail.

Kind regards
Massimo Gregori





Re: How to set up spf for my client/server situation [ In reply to ]
Does it? Look at the Return-path: header to see the SMTP MAIL FROM
address that they used. SPF looks at this, not the From: header which
your mail client displays.

Another problem you may run into is forwarding by other hosts. Suppose
user@yourhost sends mail to user@forwarder who then forwards to
user@target. If the @target mail server is doing SPF checking and the
@forwarder mail server is not performing address rewriting (SRS), then
the @target mail server will see mail coming from the @forwarding mail
server with @yourhost in the SMTP MAIL FROM. This is a problem of the
forwarder (to implement SRS) or the target (to whitelist the
forwarder)... but users may complain to you all the same. This is where
testing with ~all can be useful.

Andrew

Neil Gunton wrote:
> Vic wrote:
>> Do you use any mailing lists? Do any of them forge your envelope address?
>> Do you use any non-conformant mail subscriptions (like PayPal, for
>> example)?
>
> That's an excellent point. Paypal does send emails as being "from" its
> users, doesn't it. And I do use mailing lists.
>
> Ok, you've convinced me. I'll try '?all' instead of '-all' and see how
> providers like Google and Yahoo! treat it. Of course I'll wait until the
> TTL period expires (and more) to be sure.
>
> Thanks again,
>
> Neil


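An added example, not code from this thread or from any SPF implementation: a minimal SPF evaluation over the Case 1 / Case 2 comparison and the forwarding scenario described in Andrew's replies above, showing that only the SMTP MAIL FROM domain and the connecting IP decide the result. The domains client.example, mailer.example and forwarder.example, their records, the IP addresses, the secret and all function names are constructed assumptions; only the ip4/ip6 and all mechanisms are handled, and the SRS rewrite is a simplified SRS0-style layout.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not real data).
SPF_RECORDS = {
    "client.example": "v=spf1 ip4:192.0.2.10 -all",       # client's own server only
    "mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",  # the outside mailer
    "forwarder.example": "v=spf1 ip4:203.0.113.5 -all",   # a forwarding host
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the SPF record of the SMTP MAIL FROM domain for client_ip.

    The From: header is deliberately not a parameter: SPF never reads it.
    Only ip4/ip6 and all are supported here; anything else raises.
    """
    domain = mail_from.rpartition("@")[2].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for the envelope domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not handled here: {term}")
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no `all`


def srs_rewrite(mail_from, forwarder_domain, secret=b"constructed-secret", stamp="AA"):
    """Simplified SRS0-style rewrite: the forwarder moves the original
    sender into the local part and puts its own domain in MAIL FROM.
    Real SRS implementations define their own hash and timestamp encoding."""
    local, _, domain = mail_from.rpartition("@")
    digest = hmac.new(secret, f"{stamp}{domain}{local}".lower().encode(),
                      hashlib.sha1).digest()
    tag = base64.b64encode(digest).decode()[:4]
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"


def scenarios():
    """Run the thread's cases; returns {label: SPF result}."""
    mailer_ip = "198.51.100.25"    # constructed: the marketing company's server
    forwarder_ip = "203.0.113.5"   # constructed: the forwarding host
    results = {
        # Case 1: mailer uses the client's domain in MAIL FROM.
        "case1": check_spf(mailer_ip, "fundraiser@client.example"),
        # Case 2: mailer uses its own domain in MAIL FROM; the From: header
        # can still read fundraiser@client.example without affecting SPF.
        "case2": check_spf(mailer_ip, "bounces@mailer.example"),
    }
    # Forwarding without SRS: the target sees the forwarder's IP with the
    # original MAIL FROM. The client's `all` qualifier decides the outcome.
    for q in "-~?":
        recs = dict(SPF_RECORDS)
        recs["client.example"] = f"v=spf1 ip4:192.0.2.10 {q}all"
        results[f"forward_{q}all"] = check_spf(
            forwarder_ip, "user@client.example", recs)
    # Forwarding with SRS: the check now runs against the forwarder's record.
    rewritten = srs_rewrite("user@client.example", "forwarder.example")
    results["forward_srs"] = check_spf(forwarder_ip, rewritten)
    return results


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:14} {result}")
```
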
Re: How to set up spf for my client/server situation [ In reply to ]
Neil Gunton wrote:
>> It is recommended, that if you do not intend for your SPF record to be
>> used by Sender-ID-aware hosts, that you also publish the following
>> Sender-ID record:
>>
>> TXT "spf2.0/pra"
>>
>> If, however, you wish to use Sender-ID, you should research it and
>> publish an appropriate record.
>
> Is there much benefit to going to that trouble? Will hosts that use
> Sender-ID be able to see from my existing SPF record that the email is
> genuine? They are so similar, I don't see why we need a different
> standard. In fact the worst case is when it is "similar but different",
> in my experience. Oh, sorry, I forgot we're talking about Microsoft
> here. Carry on.

SPF acts on the SMTP MAIL FROM address (and sometimes the HELO address).

Sender-ID goes beyond this and tries to figure out what the Purported
Responsible Address (PRA) of the sender is and then check the Sender-ID
record of that address's domain. Sounds good in theory, however this is
easily fooled and so essentially useless.

What's worse, is Sender-ID implementations will use the SPF record if no
Sender-ID record exists. Although Sender-ID adoption is much less than
SPF, it can still cause delivery problems to those hosts that use it if
the sending domain lacks correct records, which is why the "spf2.0/pra"
record is recommended to prevent this fall-back.

Confused yet? :/



Re: How to set up spf for my client/server situation [ In reply to ]
Andrew Culver wrote:
> Does it? Look at the Return-path: header to see the SMTP MAIL FROM
> address that they used. SPF looks at this, not the From: header which
> your mail client displays.

Ok, for example I have an email from paypal which is a notification of a
payment to me. It is "From" the person who sent the payment, but the
Return-path header is payment@paypal.com. So if I sent someone a payment
via paypal, and my SPF has either ~all or -all, how would one or the
other affect the recipient getting the ensuing notification email from
paypal, assuming the recipient's email provider checks SPF?

> Another problem you may run into is forwarding by other hosts. Suppose
> user@yourhost sends mail to user@forwarder who then forwards to
> user@target. If the @target mail server is doing SPF checking and the
> @forwarder mail server is not performing address rewriting (SRS), then
> the @target mail server will see mail coming from the @forwarding mail
> server with @yourhost in the SMTP MAIL FROM. This is a problem of the
> forwarder (to implement SRS) or the target (to whitelist the
> forwarder)... but users may complain to you all the same. This is where
> testing with ~all can be useful.

Ok, so I'm not sure where that leaves me with regard to what to put in
my SPF record, since obviously (well, presumably, since you brought it
up) this scenario could happen any time, with any of my users. So what
to do?

Sorry, this just seems a bit confusing because people are telling me to
"test", but I can't predict what situations or people I will be dealing
with in the future.

I can already tell that, narrowly speaking for my own simple case of
dealing with sending emails to gmail and Yahoo!, that even -all works
fine. But I don't know how you test for all possible (unknown) future
situations to determine which form to use for all, like that forwarder
scenario above, or mailing lists or whatever.

Any advice on how to do this?

Thanks,

Neil

