[Discussion] testing SPF
Bill Schindler
bill at bitranch.com
Wed Jan 10 11:10:22 PST 2007
> I think it would have been nice if someone had posted a note on the
> list that you would no longer be able to post without having SPF
> records for your email account.
For about 3 years, we've had a standing policy that any sending
domain matching a "*mail.*" pattern must meet certain criteria. Those
criteria are:
- Has its own SPF record defined
OR
- Message sent from domain's MX/24 network (Meaning the mail is
originating from the same network as the registered mail server(s)
for the domain.)
OR
- Message sent from domain's A/24 network (Meaning the mail is
originating from the network that contains the domain's address.)
OR
- rDNS of the sending IP matches the sending domain (Meaning the list
of domains coming from a reverse lookup includes the sender's domain.)
What that boils down to is that for all "*mail.*" domains without an
SPF record, we apply the equivalent of this SPF record:
"v=spf1 mx/24 a/24 ptr -all"
Why the special treatment of domains ending in "mail"? Because almost
all of those domains are free-mail sites, which makes them a primary
spoof ID for spammers. SPF helps us block those spoofs (of which
there are a couple thousand a week coming into our server).
In the specific case of listemail.net, I'd guess pair.com decided to
move their outgoing servers to a different network, and your troubles
with our mail server's local policies began. Just to analyze the
rejection:
From DNS:
listemail.net. IN A 64.130.41.253
listemail.net. IN MX 50 umbar.pair.com.
umbar.pair.com. IN A 209.68.1.101
253.41.130.64.in-addr.arpa. IN PTR what4now.com.
From our server's smtp logs, listemail.net is sending via
209.68.5.16 and 209.68.5.9. (Those are relay02.pair.com and
relay00.pair.com. There's also a relay01.pair.com at 209.68.5.15...
and possibly a few more.)
So, processing the SPF for mail coming from 209.68.5.9 produces
... the mx/24 is 209.68.1.0/24 (the sending IP is not in that network)
... the a/24 is 64.130.41.0/24 (the sending IP is not in that network)
... the ptr finds 'relay00.pair.com' which doesn't match 'listemail.net'
... the '-all' says to reject the message
Your (new) SPF record for listemail.net is
"v=spf1 a:relay00.pair.com ~all"
That catches one of pair.com's outgoing servers. But there's more
than one. Since they're all in the same network, you could add '/24'
to that -- assuming your ISP doesn't harbor spammers -- and not worry
about which random pair.com server decides to send your message:
"v=spf1 a:relay00.pair.com/24 ~all"
Or better still (so that spoofs of your domain can be actively blocked):
"v=spf1 a:relay00.pair.com/24 mx -all"
--Bill
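The rejection walk-through in the message above (mx/24, a/24, ptr, then -all) is easy to reproduce with a small evaluator. The following is an added example written for this page, not code from the list or from any SPF library: it supports only the mechanisms and qualifiers the post uses (a, mx, ptr, all, with optional :domain and /prefix), and it reads from a constructed in-memory DNS table built from the records quoted in the post rather than doing live lookups. The relay hosts' addresses are the ones the post lists; include, redirect, macros and the RFC lookup limits are deliberately out of scope.

```python
import ipaddress

# Constructed DNS snapshot (from the records quoted in the post).
DNS_A = {
    "listemail.net": ["64.130.41.253"],
    "umbar.pair.com": ["209.68.1.101"],
    "relay00.pair.com": ["209.68.5.9"],
    "relay01.pair.com": ["209.68.5.15"],
    "relay02.pair.com": ["209.68.5.16"],
}
DNS_MX = {"listemail.net": ["umbar.pair.com"]}
DNS_PTR = {
    "64.130.41.253": ["what4now.com"],
    "209.68.5.9": ["relay00.pair.com"],
    "209.68.5.16": ["relay02.pair.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _in_network(ip, host_addr, prefix):
    """True if ip falls inside host_addr/prefix (e.g. 209.68.1.101/24)."""
    net = ipaddress.ip_network(f"{host_addr}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net


def _split_mech(mech):
    """Split 'a:relay00.pair.com/24' into ('a', 'relay00.pair.com', 24)."""
    prefix = 32
    if "/" in mech:
        mech, p = mech.split("/", 1)
        prefix = int(p)
    name, _, target = mech.partition(":")
    return name, target or None, prefix


def mechanism_matches(mech, domain, ip):
    """Evaluate one mechanism for the sending ip against domain."""
    name, target, prefix = _split_mech(mech)
    target = target or domain
    if name == "all":
        return True
    if name == "a":
        return any(_in_network(ip, addr, prefix) for addr in DNS_A.get(target, []))
    if name == "mx":
        return any(_in_network(ip, addr, prefix)
                   for mx in DNS_MX.get(target, [])
                   for addr in DNS_A.get(mx, []))
    if name == "ptr":
        for host in DNS_PTR.get(ip, []):
            # Only trust a PTR name whose forward record points back at ip.
            if ip not in DNS_A.get(host, []):
                continue
            if host == target or host.endswith("." + target):
                return True
        return False
    raise ValueError(f"unsupported mechanism {name!r}")


def check_spf(record, domain, ip):
    """Return (result, deciding_term); 'neutral' if nothing matched."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if mechanism_matches(term, domain, ip):
            return QUALIFIERS[qual], term
    return "neutral", None


if __name__ == "__main__":
    # The policy the server applies to SPF-less "*mail.*" domains, against
    # the relay the logs show; then the two records suggested in the post.
    for rec, ip in [("v=spf1 mx/24 a/24 ptr -all", "209.68.5.9"),
                    ("v=spf1 a:relay00.pair.com ~all", "209.68.5.16"),
                    ("v=spf1 a:relay00.pair.com/24 mx -all", "209.68.5.16")]:
        print(ip, rec, "->", check_spf(rec, "listemail.net", ip))
```

Running it shows the first record failing at -all for 209.68.5.9 exactly as the post traces it, the a:relay00.pair.com record softfailing for the other relay, and the /24 version passing for every relay in that network.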