Re: do you use SPF TXT RRs? (RFC4408)

[Douglas Otis <dotis () mail-abuse org>]

 On 10/4/10 6:55 PM, Kevin Stange wrote:
> The most common situation where another host sends on your domain's
> behalf is a forwarding MTA, such as NANOG's mailing list.  A lot of MTAs
> will only trust that the final MTA handling the message is a source
> host.  In the case of a mailing list, that's NANOG's server.  All
> previous headers are untrustworthy and could easily be forged.  I'd bet
> few, if any, people have NANOG's servers listed in their SPF, and
> delivering a -all result in your SPF could easily cause blocked mail for
> anyone that drops hard failing messages.
Kevin,

nanog.org nor mail-abuse.org publish spf or txt records containing spf 
content.  If your MTA expects a message's MailFrom or EHLO be confirmed 
using spf, then you will not receive this message, refuting "a lot of 
MTAs ...".

This also confuses SPF with Sender-ID. SPF confirms the EHLO and 
MailFrom, whereas Sender-ID confirms the PRA.  However, the PRA 
selection is flawed since it permits forged headers most consider to be 
the originator.  To prevent Sender-ID from misleading recipients or 
failing lists such as nanog.org, replicate SPF version 2 records at the 
same node declaring mfrom.  This is required but doubles the DNS 
payload. :^(   Many consider -all to be an ideal, but this reduces 
delivery integrity.  MailFrom local-part tagging or message id 
techniques can instead reject spoofed bounces without a reduction in 
delivery integrity.

-Doug