Mailing List Archive

On Wed, Jun 16, 2004 at 07:17:09AM -0400, Edward Brookhouse wrote:
>Is there any method of distinguishing between (conversationally spekaing)
>setting up an email server that checks SPF vs. just adding SPF records for
>your domain so other servers that do check SPF records will allow you??

For the former, I usually say, "spf filtering". For the latter I say,
"publishing an spf record", or "spf publishing".

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

Hello Mark I have generated this (presuming you are using bind)

wyg.com. IN TXT "v=spf1 ip4:195.92.113.48/29 ip4:195.92.127.80/30
ip4:194.152.70.252/30 ip4:195.92.33.80/30 ip4:194.152.95.240/30
ip4:194.152.95.244/30 ip4:60.77.184.0/30 ip4:195.92.116.40/30
ip4:194.152.81.40/30 ip4:195.92.150.8/30 ip4:213.94.199.24/30
ip4:195.7.254.60/30 ip4:195.92.92.16/30 ip4:194.152.81.32/30
ip4:194.152.81.48/30 ip4:217.206.89.144/30 ip4:195.92.116.32/30
ip4:195.92.116.8/30 ip4:217.40.50.248/30 ip4:195.92.116.28/30
ip4:195.92.116.24/30 ip4:195.92.33.64/30 ip4:195.92.242.72/30 ptr
include:ocean-bridge.co.uk -all"

On the spf.pobox website I sent earlier.

This is based on all of wyg's WAN ip addresses namely;

195.92.113.48/29
195.92.127.80/30
194.152.70.252/30
195.92.33.80/30
194.152.95.240/30
194.152.95.244/30
60.77.184.0/30
195.92.116.40/30
194.152.81.40/30
195.92.150.8/30
213.94.199.24/30
195.7.254.60/30
195.92.92.16/30
194.152.81.32/30
194.152.81.48/30
217.206.89.144/30
195.92.116.32/30
195.92.116.8/30
217.40.50.248/30
195.92.116.28/30
195.92.116.24/30
195.92.33.64/30
195.92.242.72/30

Could you please create this SPF record for wyg.com please. If need any
more info or to discuss this further my number is 01132192500.

Regards,

James.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Mark Horn
Sent: 16 June 2004 13:09
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] SPF Distinction

On Wed, Jun 16, 2004 at 07:17:09AM -0400, Edward Brookhouse wrote:
>Is there any method of distinguishing between (conversationally
>spekaing) setting up an email server that checks SPF vs. just adding
>SPF records for your domain so other servers that do check SPF records
will allow you??

For the former, I usually say, "spf filtering". For the latter I say,
"publishing an spf record", or "spf publishing".

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com


-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

On Jun 16, 2004, at 4:17 AM, Edward Brookhouse wrote:

> Is there any method of distinguishing between (conversationally
> spekaing)
> setting up an email server that checks SPF

SPF checking

> vs. just adding SPF records for
> your domain so other servers that do check SPF records will allow you??

Publishing an SPF record.

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of james.hutchinson
> Sent: Wednesday, June 16, 2004 8:49 AM
> To: spf-help@v2.listbox.com
> Subject: RE: [spf-help] SPF Distinction
>
>
> Hello Mark I have generated this (presuming you are using bind)
>
> wyg.com. IN TXT "v=spf1 ip4:195.92.113.48/29 ip4:195.92.127.80/30
> ip4:194.152.70.252/30 ip4:195.92.33.80/30 ip4:194.152.95.240/30
> ip4:194.152.95.244/30 ip4:60.77.184.0/30 ip4:195.92.116.40/30
> ip4:194.152.81.40/30 ip4:195.92.150.8/30 ip4:213.94.199.24/30
> ip4:195.7.254.60/30 ip4:195.92.92.16/30 ip4:194.152.81.32/30
> ip4:194.152.81.48/30 ip4:217.206.89.144/30 ip4:195.92.116.32/30
> ip4:195.92.116.8/30 ip4:217.40.50.248/30 ip4:195.92.116.28/30
> ip4:195.92.116.24/30 ip4:195.92.33.64/30 ip4:195.92.242.72/30 ptr
> include:ocean-bridge.co.uk -all"
>
> On the spf.pobox website I sent earlier.
>
> This is based on all of wyg's WAN ip addresses namely;
>
> 195.92.113.48/29
> 195.92.127.80/30
> 194.152.70.252/30
> 195.92.33.80/30
> 194.152.95.240/30
> 194.152.95.244/30
> 60.77.184.0/30
> 195.92.116.40/30
> 194.152.81.40/30
> 195.92.150.8/30
> 213.94.199.24/30
> 195.7.254.60/30
> 195.92.92.16/30
> 194.152.81.32/30
> 194.152.81.48/30
> 217.206.89.144/30
> 195.92.116.32/30
> 195.92.116.8/30
> 217.40.50.248/30
> 195.92.116.28/30
> 195.92.116.24/30
> 195.92.33.64/30
> 195.92.242.72/30
>
> Could you please create this SPF record for wyg.com please. If need any
> more info or to discuss this further my number is 01132192500.
>
> Regards,
>
> James.

Um, I don't think this is going to work. First, ocean-bridge.co.uk doesn't
appear to publish an SPF record, see:

http://us.mirror.menandmice.com/cgi-bin/DoDig?host=&domain=ocean-bridge.co.u
k&type=TXT&recur=on

or http://tinyurl.com/3ekgz

so the include is going to error.

Also, you want to limit the record to the addresses that actually send mail,
generally not all the valid IP addresses for the network.

Finally, the owner of the DNS record for wyg.com (THEPLANET.NET I gather
from whois) will have to publish the SPF record. They may allow this to be
done by they customer through a control panel of some kind or you may have
to contact them via tech support.

Scott K

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 16 June 2004 04:17 am, Edward Brookhouse wrote:
> Is there any method of distinguishing between (conversationally spekaing)
> setting up an email server that checks SPF vs. just adding SPF records
> for your domain so other servers that do check SPF records will allow
> you??
>

You've seen other replies, but allow me to elaborate why there is a
difference.

When you publish SPF, you are telling others what servers are allowed to
send email for your domain. Our goal is to get everyone to publish SPF
records ASAP. The more people publish, the more useful SPF checking will
be.

SPF checking is really a big topic. It can be done anytime -- even before
the email is sent. Right now, most people are just adding a header
"Received-SPF" that details the results of the SPF check. In the future,
people will start discarding unauthorized email, including email for
domains that don't publish SPF records.

We will be able to start doing domain-based email filtering. That means that
people's domain names will have real value in the email world. Any old joe
won't be able to send email claiming to be from Amazon, so all email from
Amazon is really from Amazon. If Amazon sends spam that no one wants, their
reputation will go down, and people may start discarding our email
outright. On the other hand, if Amazon is responsible, then people will
accept our email, and may be willing to look over a few lapses.

The most important checking will be done by police. They can determine if
an illegal email originated from the domain owner or just the server. If it
was authorized by SPF, then they can go look up the name and address of the
domain owner. In the end, they can knock on someone's door and toss them in
jail.

So, SPF will only be completely successful when people who abuse email
publish their SPF records.

We encourage you to publish SPF records for all domains you own, even if it
is just to say "I don't send email from this domain." We also encourage you
to spread the word about SPF and get others to do the same.

The SPF checking part will come later. You can help with testing and such,
but we aren't pushing people to do it yet.

- --
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard@amazon.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA0Jv3BFeYcclU5Q0RAovlAKDEHvtaaSfDPdWBtKx2jEoDaBB2WwCgxa6U
+zsFJQjt75e9xfu+r4QcIps=
=eSj1
-----END PGP SIGNATURE-----

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

james.hutchinson wrote:

> "v=spf1 ip4:195.92.113.48/29 ip4:195.92.127.80/30
> ip4:194.152.70.252/30 ip4:195.92.33.80/30 ip4:194.152.95.240/30
> ip4:194.152.95.244/30 ip4:60.77.184.0/30 ip4:195.92.116.40/30
> ip4:194.152.81.40/30 ip4:195.92.150.8/30 ip4:213.94.199.24/30
> ip4:195.7.254.60/30 ip4:195.92.92.16/30 ip4:194.152.81.32/30
> ip4:194.152.81.48/30 ip4:217.206.89.144/30 ip4:195.92.116.32/30
> ip4:195.92.116.8/30 ip4:217.40.50.248/30 ip4:195.92.116.28/30
> ip4:195.92.116.24/30 ip4:195.92.33.64/30 ip4:195.92.242.72/30 ptr
> include:ocean-bridge.co.uk -all"

See Scott's answer for this huge construct. Simple question,
is it possible to use something like...

"v=spf1 -ip4:195.92.120.0/24 +ip4:195.92.0.0/16 -all" to allow
almost all 195.92.*.* IPs explicitly excluding 195.92.120.* ?

Bye, Frank


-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 17 June 2004 03:11 am, Frank Ellermann wrote:
> james.hutchinson wrote:
> > "v=spf1 ip4:195.92.113.48/29 ip4:195.92.127.80/30
> > ip4:194.152.70.252/30 ip4:195.92.33.80/30 ip4:194.152.95.240/30
> > ip4:194.152.95.244/30 ip4:60.77.184.0/30 ip4:195.92.116.40/30
> > ip4:194.152.81.40/30 ip4:195.92.150.8/30 ip4:213.94.199.24/30
> > ip4:195.7.254.60/30 ip4:195.92.92.16/30 ip4:194.152.81.32/30
> > ip4:194.152.81.48/30 ip4:217.206.89.144/30 ip4:195.92.116.32/30
> > ip4:195.92.116.8/30 ip4:217.40.50.248/30 ip4:195.92.116.28/30
> > ip4:195.92.116.24/30 ip4:195.92.33.64/30 ip4:195.92.242.72/30 ptr
> > include:ocean-bridge.co.uk -all"
>
> See Scott's answer for this huge construct. Simple question,
> is it possible to use something like...
>
> "v=spf1 -ip4:195.92.120.0/24 +ip4:195.92.0.0/16 -all" to allow
> almost all 195.92.*.* IPs explicitly excluding 195.92.120.* ?
>

Even simpler question: Why are you sending email from so many different
servers? All of Amazon's mass mail is sent out with a handful of servers.

Either you need to consolidate your mail servers, or just have all these
mail servers send out through a farm of a few mail servers.

- --
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard@amazon.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA0hsaBFeYcclU5Q0RApW+AJ9WNBl4/NDJUpIcjCwGxIh78mWPXgCbBjyY
oKe01LVnDH0g3dbTwyHD3Ok=
=0s5R
-----END PGP SIGNATURE-----

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

Jonathan Gardner wrote:

> Even simpler question: Why are you sending email from so
> many different servers?

I don't, and my question was theoretical. Here's a better
version:

"v=spf1 -ip4:195.92.120.0/31 +ip4:195.92.120.0/28 -all"

Is that possible ? At least its shorter than a similar...
ip4:195.92.120.2/31 ip4:195.92.120.4/30 ip4:195.92.120.8/29

> All of Amazon's mass mail is sent out with a handful of
> servers.

Yes, but if I'd be a customer using these servers without
any clue, then I'd try something like ip4:207.171.0.0/16 ;-)

And this would be even better than no SPF record at all.
Trying to guess 207.171.160.0/23 missing 207.171.190.0/24
could be harder to debug.
Bye, Frank


-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

Jonathan,

Are presuming that my network infrastructure is analogus to yours ?

Each of the ranges of IP addresses listed below are valid mail servers
for my domain. Is it possible to publish sufficient information in DNS
to enable these servers to send to spf enabled hosts?

Kind Regards,

James.



-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Jonathan Gardner
Sent: 17 June 2004 23:29
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] Re: SPF Distinction

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 17 June 2004 03:11 am, Frank Ellermann wrote:
> james.hutchinson wrote:
> > "v=spf1 ip4:195.92.113.48/29 ip4:195.92.127.80/30
> > ip4:194.152.70.252/30 ip4:195.92.33.80/30 ip4:194.152.95.240/30
> > ip4:194.152.95.244/30 ip4:60.77.184.0/30 ip4:195.92.116.40/30
> > ip4:194.152.81.40/30 ip4:195.92.150.8/30 ip4:213.94.199.24/30
> > ip4:195.7.254.60/30 ip4:195.92.92.16/30 ip4:194.152.81.32/30
> > ip4:194.152.81.48/30 ip4:217.206.89.144/30 ip4:195.92.116.32/30
> > ip4:195.92.116.8/30 ip4:217.40.50.248/30 ip4:195.92.116.28/30
> > ip4:195.92.116.24/30 ip4:195.92.33.64/30 ip4:195.92.242.72/30 ptr
> > include:ocean-bridge.co.uk -all"
>
> See Scott's answer for this huge construct. Simple question, is it
> possible to use something like...
>
> "v=spf1 -ip4:195.92.120.0/24 +ip4:195.92.0.0/16 -all" to allow almost
> all 195.92.*.* IPs explicitly excluding 195.92.120.* ?
>

Even simpler question: Why are you sending email from so many different
servers? All of Amazon's mass mail is sent out with a handful of
servers.

Either you need to consolidate your mail servers, or just have all these
mail servers send out through a farm of a few mail servers.

- --
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard@amazon.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA0hsaBFeYcclU5Q0RApW+AJ9WNBl4/NDJUpIcjCwGxIh78mWPXgCbBjyY
oKe01LVnDH0g3dbTwyHD3Ok=
=0s5R
-----END PGP SIGNATURE-----

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com


-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 18 June 2004 01:01 am, james.hutchinson wrote:
> Jonathan,
>
> Are presuming that my network infrastructure is analogus to yours ?
>
> Each of the ranges of IP addresses listed below are valid mail servers
> for my domain. Is it possible to publish sufficient information in DNS
> to enable these servers to send to spf enabled hosts?
>

Sorry for taking so long, I lost your email in the rush.

It would depend on the name of the servers. If they had all similar names,
you could use 'ptr'. You can also use 'include' and then have SPF records
defined in other domains. Or you could use 'exists' and a specialised DNS
server.

Or you can try to limit the number of email servers that send email for you.
I think that is the wisest decision. Fewer machines means less maintenance
and management.

> Kind Regards,
>
> James.
>
>
>
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com] On Behalf Of Jonathan Gardner
> Sent: 17 June 2004 23:29
> To: spf-help@v2.listbox.com
> Subject: Re: [spf-help] Re: SPF Distinction
>
> On Thursday 17 June 2004 03:11 am, Frank Ellermann wrote:
> > james.hutchinson wrote:
> > > "v=spf1 ip4:195.92.113.48/29 ip4:195.92.127.80/30
> > > ip4:194.152.70.252/30 ip4:195.92.33.80/30 ip4:194.152.95.240/30
> > > ip4:194.152.95.244/30 ip4:60.77.184.0/30 ip4:195.92.116.40/30
> > > ip4:194.152.81.40/30 ip4:195.92.150.8/30 ip4:213.94.199.24/30
> > > ip4:195.7.254.60/30 ip4:195.92.92.16/30 ip4:194.152.81.32/30
> > > ip4:194.152.81.48/30 ip4:217.206.89.144/30 ip4:195.92.116.32/30
> > > ip4:195.92.116.8/30 ip4:217.40.50.248/30 ip4:195.92.116.28/30
> > > ip4:195.92.116.24/30 ip4:195.92.33.64/30 ip4:195.92.242.72/30 ptr
> > > include:ocean-bridge.co.uk -all"
> >
> > See Scott's answer for this huge construct. Simple question, is it
> > possible to use something like...
> >
> > "v=spf1 -ip4:195.92.120.0/24 +ip4:195.92.0.0/16 -all" to allow almost
> > all 195.92.*.* IPs explicitly excluding 195.92.120.* ?
>
> Even simpler question: Why are you sending email from so many different
> servers? All of Amazon's mass mail is sent out with a handful of
> servers.
>
> Either you need to consolidate your mail servers, or just have all these
> mail servers send out through a farm of a few mail servers.

- --
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard@amazon.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA3I+lBFeYcclU5Q0RAgMVAKDkQVuKgUm0M07kH9e20d96LY/AjwCcC6HD
0yM4hGS8sHhgPuprvf80gyc=
=gG6C
-----END PGP SIGNATURE-----

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com