nanog mailing list archives
Re: do you use SPF TXT RRs? (RFC4408)
From: Douglas Otis <dotis () mail-abuse org>
Date: Tue, 05 Oct 2010 10:43:23 -0400
On 10/4/10 6:55 PM, Kevin Stange wrote:
> The most common situation where another host sends on your domain's behalf is a forwarding MTA, such as NANOG's mailing list. A lot of MTAs will only trust that the final MTA handling the message is a source host. In the case of a mailing list, that's NANOG's server. All previous headers are untrustworthy and could easily be forged. I'd bet few, if any, people have NANOG's servers listed in their SPF, and delivering a -all result in your SPF could easily cause blocked mail for anyone that drops hard failing messages.
Kevin,
Neither nanog.org nor mail-abuse.org publish SPF or TXT records containing SPF content. If your MTA expects a message's MailFrom or EHLO to be confirmed using SPF, then you will not receive this message, refuting "a lot of MTAs ...".
This also confuses SPF with Sender-ID. SPF confirms the EHLO and MailFrom, whereas Sender-ID confirms the PRA. However, the PRA selection is flawed since it permits forged headers most consider to be the originator. To prevent Sender-ID from misleading recipients or failing lists such as nanog.org, replicate SPF version 2 records at the same node declaring mfrom. This is required but doubles the DNS payload. :^(
Many consider -all to be an ideal, but this reduces delivery integrity. MailFrom local-part tagging or message id techniques can instead reject spoofed bounces without a reduction in delivery integrity.
-Doug
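The MailFrom local-part tagging mentioned in the message above can be sketched as follows. This is an added example, not part of the original post; the tag layout (`tag=<expiry day><MAC>=local@domain`), the key, and the function names are constructed for illustration and do not follow any particular standard.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-domain secret held by the MTAs
TAG_LIFETIME_DAYS = 7             # assumption: bounces older than this are refused

def _mac(expiry, local, domain, key):
    """Keyed MAC over the expiry day and the original address (truncated to 40 bits)."""
    msg = f"{expiry:03d}{local}@{domain}".lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:10]

def tag_mailfrom(address, today, key=SECRET):
    """Outbound: rewrite the envelope sender. `today` is a day number,
    e.g. int(time.time() // 86400) in production."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + TAG_LIFETIME_DAYS) % 1000
    return f"tag={expiry:03d}{_mac(expiry, local, domain, key)}={local}@{domain}"

def check_bounce_rcpt(rcpt, today, key=SECRET):
    """Inbound: call only when MAIL FROM is the null sender <>, i.e. the
    message claims to be a bounce. A genuine bounce returns to the tagged
    address we put in the envelope; a spoofed one cannot carry a valid tag."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "tag":
        return "reject: untagged bounce recipient"
    tag, original_local = parts[1], parts[2]
    if len(tag) != 13 or not tag.isascii() or not tag[:3].isdigit():
        return "reject: untagged bounce recipient"
    expiry, mac = int(tag[:3]), tag[3:]
    expected = _mac(expiry, original_local, domain, key)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "reject: bad tag"
    # Day numbers wrap at 1000, so compare the remaining lifetime modulo 1000.
    if (expiry - today) % 1000 > TAG_LIFETIME_DAYS:
        return "reject: expired tag"
    return "accept"

if __name__ == "__main__":
    sender = tag_mailfrom("alice@example.org", today=100)  # constructed address
    print(sender, "->", check_bounce_rcpt(sender, today=103))
    print("alice@example.org ->", check_bounce_rcpt("alice@example.org", today=103))
```

Because the decision depends only on a secret the sending domain holds, a forwarder or mailing list relaying the message does not affect it, unlike a `-all` SPF result.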