Mailing List Archive

Seeking help regarding SPF records
Hi

I hope this is the right list to post this query to:

Can anyone please help me check my spf settings to determine if I have
done them correctly?

davetopping.com is my personal domain and lives on three sets of DNS,
which I send mail from. IP's are 209.123.115.124, 69.72.250.51,
207.99.35.160. I also use www.cotse.net to send mail. Cotse has two
mailservers.

Using spf.pobox.com generation-tool, I got the following spf setup:
"v=spf1 a mx ptr include:mailhost.cotse.com -all v=spf1 a mx ptr
include:www.cotse.net -all"

Have I done this correctly?

Thanks in advance.
Dave Topping
--
Dave Topping (W)
whitelist@davetopping.com

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: Seeking help regarding SPF records
Dave Topping (W) wrote:

> davetopping.com is my personal domain and lives on three
> sets of DNS, which I send mail from. IP's are
> 209.123.115.124, 69.72.250.51, 207.99.35.160.

That corresponds to the "a" in your sender policy.

The "mx" covers mail0 69.72.240.74, mail10 207.99.35.2, and
mail20 209.123.115.2

I don't see any reason for "ptr"; if you're not sure why
you want it, remove it.

> I also use www.cotse.net to send mail. Cotse has two
> mailservers.

But they have no sender policy, therefore you can't include
it. If you know these mailservers by name simply add these
names, e.g. "a:mailhost.cotse.net a:smtp.cotse.net".

> "v=spf1 a mx ptr include:mailhost.cotse.com -all v=spf1 a
> mx ptr include:www.cotse.net -all"

Anything after the first all is ignored. You want something
like "v=spf1 a mx a:mailhost.cotse.net a:smtp.cotse.net -all"

If you're ready with your policy test it for all relevant IPs
(3+3+2 in your case ?) and a MAIL FROM:<test@davetopping.com>
on <http://spf.pobox.com/why.html> or a similar service.

Bye, Frank


RE: Re: Seeking help regarding SPF records
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of Frank Ellermann
> Sent: Wednesday, August 11, 2004 11:07 AM
> To: spf-help@v2.listbox.com
> Subject: [spf-help] Re: Seeking help regarding SPF records
>
>
> Dave Topping (W) wrote:
>
> > davetopping.com is my personal domain and lives on three
> > sets of DNS, which I send mail from. IP's are
> > 209.123.115.124, 69.72.250.51, 207.99.35.160.
>
> That corresponds to the "a" in your sender policy.
>
> The "mx" covers mail0 69.72.240.74, mail10 207.99.35.2, and
> mail20 209.123.115.2
>
> I don't see any reason for "ptr", if you're not sure why
> you want this remove it.
>
> > I also use www.cotse.net to send mail. Cotse has two
> > mailservers.
>
> But they have no sender policy, therefore you can't include
> it. If you know these mailservers by name simply add these
> names, e.g. "a:mailhost.cotse.net a:smtp.cotse.net".
>
> > "v=spf1 a mx ptr include:mailhost.cotse.com -all v=spf1 a
> > mx ptr include:www.cotse.net -all"
>
> Anything after the first all is ignored. You want something
> like "v=spf1 a mx a:mailhost.cotse.net a:smtp.cotse.net -all"
>
> If you're ready with your policy test it for all relevant IPs
> (3+3+2 in your case ?) and a MAIL FROM:<test@davetopping.com>
> on <http://spf.pobox.com/why.html> or a similar service.
>
> Bye, Frank
>
>
You may want to consider something like "v=spf1 a mx ?a:mailhost.cotse.net
?a:smtp.cotse.net -all" if there is a chance that others might be able to
forge your domain at cotse.net.

An SPF pass is supposed to mean that the message is not forged and the
domain owner takes responsibility for the message. If others can forge your
domain at a particular SMTP server, you may want to avoid giving messages from
that server a pass.

Scott Kitterman

Re: Re: Seeking help regarding SPF records
Quoting Frank Ellermann:
> Dave Topping (W) wrote:
>
>> davetopping.com is my personal domain and lives on three
>> sets of DNS, which I send mail from. IP's are
>> 209.123.115.124, 69.72.250.51, 207.99.35.160.
>
> That corresponds to the "a" in your sender policy.
>
> The "mx" covers mail0 69.72.240.74, mail10 207.99.35.2, and
> mail20 209.123.115.2
>
> I don't see any reason for "ptr", if you're not sure why
> you want this remove it.
>
>
>
>> "v=spf1 a mx ptr include:mailhost.cotse.com -all v=spf1 a
>> mx ptr include:www.cotse.net -all"
>
> Anything after the first all is ignored. You want something
> like "v=spf1 a mx a:mailhost.cotse.net a:smtp.cotse.net -all"
>
> If you're ready with your policy test it for all relevant IPs
> (3+3+2 in your case ?) and a MAIL FROM:<test@davetopping.com>
> on <http://spf.pobox.com/why.html> or a similar service.
>
> Bye, Frank




Frank

Thanks for your help.

The one thing I don't understand is why you say 3+3+2 for IP's? I only
have three IP addresses.

Regards

RE: Re: Seeking help regarding SPF records
Quoting spf@kitterman.com:
>>
>>
>> If you're ready with your policy test it for all relevant IPs
>> (3+3+2 in your case ?) and a MAIL FROM:<test@davetopping.com>
>> on <http://spf.pobox.com/why.html> or a similar service.
>>
>> Bye, Frank
>>
>>
> You may want to consider something like "v=spf1 a mx ?a:mailhost.cotse.net
> ?a:smtp.cotse.net -all" if there is a chance that others might be able to
> forge your domain at cotse.net.
>
> An SPF pass is supposed to mean that the message is not forged and the
> domain owner takes responsibility for the message. If others can forge
> your
> domain a particular SMTP server, you may want to avoid giving messages
> from
> that server a pass.
>
> Scott Kitterman
>


What does the '?' mean before the 'a' please?

Thanks

RE: Re: Seeking help regarding SPF records
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of Dave Topping (W)
> Sent: Wednesday, August 11, 2004 1:04 PM
> To: spf-help@v2.listbox.com
> Subject: RE: [spf-help] Re: Seeking help regarding SPF records
>
>
>
> Quoting Scott Kitterman:
> >>
> >>
> >> If you're ready with your policy test it for all relevant IPs
> >> (3+3+2 in your case ?) and a MAIL FROM:<test@davetopping.com>
> >> on <http://spf.pobox.com/why.html> or a similar service.
> >>
> >> Bye, Frank
> >>
> >>
> > You may want to consider something like "v=spf1 a mx
> ?a:mailhost.cotse.net
> > ?a:smtp.cotse.net -all" if there is a chance that others might
> be able to
> > forge your domain at cotse.net.
> >
> > An SPF pass is supposed to mean that the message is not forged and the
> > domain owner takes responsibility for the message. If others can forge
> > your
> > domain a particular SMTP server, you may want to avoid giving messages
> > from
> > that server a pass.
> >
> > Scott Kitterman
> >
>
>
> What does the '?' mean before the 'a' please?
>
> Thanks

Sorry, it means Neutral.

The SPF spec says:

Neutral (?): The SPF client MUST proceed as if a domain did not
publish SPF data.

I take this to mean that yes, this is a permitted sender (so don't reject it
as a forgery), but I can't guarantee that mail from this sender isn't
forged, so don't blame me if you get something bad from here. Go ahead and
screen/filter this message just like I didn't do SPF.

Scott Kitterman

RE: Re: Seeking help regarding SPF records
Quoting spf@kitterman.com:
>> What does the '?' mean before the 'a' please?
>>
>> Thanks
>
> Sorry, it means Neutral.
>
> The SPF spec says:
>
> Neutral (?): The SPF client MUST proceed as if a domain did not
> publish SPF data.
>
> I take this to mean that yes, this is a permitted sender (so don't reject
> it
> as a forgery), but I can't guarantee that mail from this sender isn't
> forged, so don't blame me if you get something bad from here. Go ahead
> and
> screen/filter this message just like I didn't do SPF.
>
> Scott Kitterman
>
> -------


Thanks for that. Have you got recommended reading? I couldn't find that on
spf.pobox.com.

Thanks

RE: Re: Seeking help regarding SPF records
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of Dave Topping (W)
> Sent: Wednesday, August 11, 2004 2:01 PM
> To: spf-help@v2.listbox.com
> Subject: RE: [spf-help] Re: Seeking help regarding SPF records
>
>
>
>
> Quoting Scott Kitterman:
> >> What does the '?' mean before the 'a' please?
> >>
> >> Thanks
> >
> > Sorry, it means Neutral.
> >
> > The SPF spec says:
> >
> > Neutral (?): The SPF client MUST proceed as if a domain did not
> > publish SPF data.
> >
> > I take this to mean that yes, this is a permitted sender (so
> don't reject
> > it
> > as a forgery), but I can't guarantee that mail from this sender isn't
> > forged, so don't blame me if you get something bad from here. Go ahead
> > and
> > screen/filter this message just like I didn't do SPF.
> >
>
> Thanks for that. Have you got recommended reading? I couldn't find that on
> spf.pobox.com.
>
> Thanks

http://spf.pobox.com/rfcs.html

particularly,

http://spf.pobox.com/spf-draft-200406.txt

since "SPF Classic" is what is currently being deployed by everyone.

Scott Kitterman

Re: Re: Seeking help regarding SPF records
On Wed, Aug 11, 2004 at 06:04:29PM +0100, Dave Topping (W) wrote:
> What does the '?' mean before the 'a' please?

There _is_ a friendly manual available on
http://spf.pobox.com/mechanisms.html

!!

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: Seeking help regarding SPF records
Dave Topping (W) wrote:

> The one thing I don't understand is why you say 3+3+2 for
> IP's? I only have three IP addresses.

You have 3 IPs, 3 MX resulting in 3 more IPs, and 2 cotse
servers. If you're sure that your MX never _send_ a mail
with MAIL FROM:<whatever@davetopping.com>, and that they
don't use your domain in HELO davetopping.com MAIL FROM:<>
(= a bounce), then you don't need the "mx" (3 IPs) at all.

This can reduce the load on your DNS servers for useless
MX queries by recipients trying to decode your sender
policy.

Scott's idea ?a:cotse instead of +a:cotse is a matter of
taste. For many internet users sender policies can only
indicate IPs _permitted_ to send MAIL FROM a given domain.

If your cotse servers allow you to use any MAIL FROM, not
only whatever@davetopping.com, then the same is true for
other users of these servers, and they could forge your
MAIL FROM. If that's the case you could use ?a:cotse

OTOH you could also ignore this problem, if abuse@cotse
is a reliable service. And if you can't use any domain
in a MAIL FROM sent via cotse, then you definitely don't
need a ?a:cotse, and a:cotse is good enough.

Bye, Frank


RE: Re: Seeking help regarding SPF records
Quoting spf@kitterman.com:
> http://spf.pobox.com/rfcs.html
>
> particularly,
>
> http://spf.pobox.com/spf-draft-200406.txt
>
> since "SPF Classic" is what is currently being deployed by everyone.
>
> Scott Kitterman
>


Scott:

Thanks. Final question (drumroll).

Does '?a:' mean 'ignore' or 'second check'?

Thanks

RE: Re: Seeking help regarding SPF records
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of Dave Topping
> Sent: Thursday, August 12, 2004 3:51 AM
> To: spf-help@v2.listbox.com
> Subject: RE: [spf-help] Re: Seeking help regarding SPF records
>
>
>
>
> Quoting spf@kitterman.com:
> > http://spf.pobox.com/rfcs.html
> >
> > particularly,
> >
> > http://spf.pobox.com/spf-draft-200406.txt
> >
> > since "SPF Classic" is what is currently being deployed by everyone.
> >
> > Scott Kitterman
> >
>
>
> Scott:
>
> Thanks. Final question (drumroll).
>
> Does '?a:' mean 'ignore' or 'second check'?
>
> Thanks
>

It means pretend I don't do SPF at all (neither pass nor fail). If nothing else in
the record matches, then receivers are supposed to act just like they do if
you didn't have an SPF record at all.

From the spec:

Each mechanism is considered in turn from left to right.

When a mechanism is evaluated, one of three things can happen: it
can match, it can not match, or it can throw an exception.

If it matches, processing ends and the prefix value is returned as
the result of that record. (The default prefix value is "+".)

If it does not match, processing continues with the next mechanism.
If no mechanisms remain, the default result is specified in section
3.3.

So if some of the mechanisms in your record will cause a PASS, then you want
to list those first. Note, IIRC, there is at least one implementation that
looks at all the mechanisms in the record and returns the most favorable
result independent of order.

Scott K
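
The evaluation rules discussed in this thread (Frank's "test it for all relevant IPs", the left-to-right, first-match-wins ordering Scott quotes from the spec, and what a "?" prefix yields) worked through in an added Python example; this is not code from the list posts or from any SPF implementation. It resolves names against a constructed DNS snapshot rather than live DNS: the davetopping.com addresses and MX hosts are the ones stated in the thread, the cotse.net host names are the ones Frank suggested, and their addresses (192.0.2.x) and the "stranger" address are assumed. It models only the a, mx, ip4, include and all mechanisms and follows the quoted draft text (neutral when nothing matches); note that the current RFC 7208 treats a syntax error anywhere in a record as permerror, whereas this toy, like the draft, only fails on terms it actually reaches.

```python
"""Toy SPF evaluator (added example, not from the list posts or any SPF library).
Implements left-to-right, first-match-wins evaluation over a constructed DNS
snapshot instead of real lookups."""
import ipaddress

# Constructed DNS snapshot. davetopping.com addresses and MX hosts are the ones
# stated in the thread; the cotse.net host names are Frank's suggestion and
# their addresses are assumed (TEST-NET-1 placeholders).
DNS = {
    "A": {
        "davetopping.com": ["209.123.115.124", "69.72.250.51", "207.99.35.160"],
        "mail0.davetopping.com": ["69.72.240.74"],
        "mail10.davetopping.com": ["207.99.35.2"],
        "mail20.davetopping.com": ["209.123.115.2"],
        "mailhost.cotse.net": ["192.0.2.10"],  # assumed address
        "smtp.cotse.net": ["192.0.2.11"],      # assumed address
    },
    "MX": {
        "davetopping.com": ["mail0.davetopping.com", "mail10.davetopping.com",
                            "mail20.davetopping.com"],
    },
    "TXT": {
        # Scott's suggested policy: own hosts and MX pass, the cotse relays are neutral.
        "davetopping.com": "v=spf1 a mx ?a:mailhost.cotse.net ?a:smtp.cotse.net -all",
        # cotse.net publishes no policy, so it cannot be include:d.
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # the default prefix is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg.lower()))
    return parsed


def mechanism_matches(name, arg, ip, domain, depth):
    target = arg or domain               # "a" and "mx" default to the current domain
    if name == "all":
        return True
    if name == "a":
        return ip in DNS["A"].get(target, [])
    if name == "mx":
        return any(ip in DNS["A"].get(mx, []) for mx in DNS["MX"].get(target, []))
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if name == "include":
        inner = check_host(ip, target, depth + 1)
        if inner in ("none", "permerror"):   # no usable policy at the included domain
            raise ValueError(f"include:{target} has no sender policy")
        return inner == "pass"
    raise ValueError(f"unsupported mechanism {name!r}")   # ptr, exists, ... not modelled


def evaluate(record, ip, domain, depth=0):
    """Each mechanism is considered in turn from left to right; the first match
    ends processing and its qualifier becomes the result."""
    if depth > 10:
        return "permerror"
    try:
        for qualifier, name, arg in parse_record(record):
            if mechanism_matches(name, arg, ip, domain, depth):
                return QUALIFIERS[qualifier]   # later terms are never consulted
    except ValueError:
        return "permerror"
    return "neutral"   # nothing matched: the draft's default result


def check_host(ip, domain, depth=0):
    """Look up the domain's policy and evaluate it; 'none' when it publishes no record."""
    record = DNS["TXT"].get(domain)
    if record is None:
        return "none"
    return evaluate(record, ip, domain, depth)


def results_for(ips, domain="davetopping.com"):
    """Frank's 'test it for all relevant IPs' step, as a dict of ip -> result."""
    return {ip: check_host(ip, domain) for ip in ips}


if __name__ == "__main__":
    relevant = ["209.123.115.124", "69.72.250.51", "207.99.35.160",   # the 3 host IPs
                "69.72.240.74", "207.99.35.2", "209.123.115.2",       # the 3 MX IPs
                "192.0.2.10", "192.0.2.11",                           # the 2 cotse relays
                "198.51.100.7"]                                       # a stranger (constructed)
    for ip, result in results_for(relevant).items():
        print(f"{ip:>16}  {result}")
    # Ordering matters: a mechanism placed after "-all" is never reached.
    print(evaluate("v=spf1 -all a mx", "209.123.115.124", "davetopping.com"))
    # Including a domain that publishes no policy is an error, not a pass.
    print(evaluate("v=spf1 include:cotse.net -all", "192.0.2.10", "davetopping.com"))
```

Running it prints pass for the three host IPs and the three MX IPs, neutral for the two cotse relays, and fail for the stranger, which is the 3+3+2 check Frank describes. The two trailing calls show why Scott says to list the passing mechanisms first (a record starting with "-all" fails even the domain's own address) and why Frank says cotse.net cannot be include:d while it publishes no record.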
