nanog mailing list archives

Re: Mailing list SPF Failure

From: Michael Thomas <mike () mtcc com>
Date: Thu, 16 May 2024 19:27:50 -0700


On 5/16/24 7:22 PM, Scott Q. wrote:

Mike, you do realize Google/Gmail rejects e-mails with invalid/missingSPF right ?

I was receiving the mail while NANOG had no SPF record, so no? Anyreceiver would be really stupid take a single signal as disqualifying.


Mike

If you want to tell them they're broken...there's a few guys on thelist here.


On Thursday, 16/05/2024 at 19:17 Michael Thomas wrote:

    On 5/16/24 3:54 PM, William Herrin wrote:
    > On Thu, May 16, 2024 at 12:03 PM John Levine <johnl () iecc com
    <mailto:johnl () iecc com>> wrote:
    >> It appears that Michael Thomas <mike () mtcc com
    <mailto:mike () mtcc com>> said:
    >>> Since probably 99% of the mail from NANOG is through this list, it
    >>> hardly matters since SPF will always fail.
    >> Sorry, but no. A mailing list puts its own envelope return
    address on
    >> the message so with a reasonable SPF record, SPF will normally
    >> succeed.
    > Exactly. SPF acts on the -envelope- sender. That means the one
    > presented in the SMTP From:<> command. For mail from nanog, that's:
    > nanog-bounces+address () nanog org
    <mailto:nanog-bounces+address () nanog org>, regardless of what the
    sender's
    > header From address is.
    >
    > The message content (including the message headers) is theoretically
    > not used for SPF validation. In practice, some SPF validators don't
    > have direct access to the SMTP session so they rely on the SMTP
    > session placing the envelope sender in the Return-path header.

    Yes, and why is that needed? The mailing list resigning has the same
    effect and then you only need one mechanism instead of two and
    with DKIM
    you get the benefit that it's signing the 822 address which can be
    used
    for user level stuff in way that SPF is a little sus. So it makes SPF
    pretty irrelevant. IMO, SPF was always a stopgap since there was no
    guarantee that DKIM would be deployed. 20 years on, I guess I
    don't feel
    like I need to keep my trap shut about that.

    If a receiving site is rejecting something solely based on the
    lack of a
    SPF record but has a valid DKIM signature, the site is broken IMO.

    Mike

Current thread:

Re: Mailing list SPF Failure, (continued)
- - - Re: Mailing list SPF Failure John Levine (May 16)
    - Re: Mailing list SPF Failure William Herrin (May 16)
    - Re: Mailing list SPF Failure John R. Levine (May 16)
    - Re: Mailing list SPF Failure Scott Q. (May 16)
    - Re: Mailing list SPF Failure John R. Levine (May 16)
    - Re: Mailing list SPF Failure Michael Thomas (May 16)
    - Re: Mailing list SPF Failure Tom Beecher (May 16)
    - Re: Mailing list SPF Failure Tom Beecher (May 16)
    - Re: Mailing list SPF Failure Michael Thomas (May 16)
    - Re: Mailing list SPF Failure Scott Q. (May 16)
    - Re: Mailing list SPF Failure Michael Thomas (May 16)
    - Re: Mailing list SPF Failure Karl Auer (May 16)
    - Re: Mailing list SPF Failure Hank Nussbacher (May 16)
    - Re: Mailing list SPF Failure Karl Auer (May 17)