Mailing List Archive: SPF: Discuss

[Fwd: How to mark domains that do / do not wish to receive email]

Index | Next | Previous | View Threaded

vesely at tana

Mar 26, 2008, 7:34 PM

Post #1 of 5 (509 views)
Permalink

[Fwd: How to mark domains that do / do not wish to receive email]

AFAIK, SPF specs still mandate to add a TXT or SPF record for each
subdomain. IME, that is one of the most frequent omissions in SPF
configurations. The current spec requires an SPF record for each
name that has either an MX or an A record. Except for tiny domains,
that requires a script, which is probably why many admins skip it.

http://www.openspf.org/FAQ/The_demon_question mentions "v=spf1 -all"
as a suitable default text for wildcards.

The message I'm forwarding is about a related mail DNS setting, MX.
I wonder if next SPF update shouldn't change that point also. IMHO,
a default more appropriate than "?all" might be preferrable. (E.g.,
an additional "default" modifier, appended to a domain's SPF record,
could state that the last mechanism is to be assumed as the default
for subdomains that actually lack any TXT or SPF record.)

BTW, is there a draft and/or a schedule for next SPF spec update?

-------- Original Message --------
Subject: How to mark domains that do / do not wish to receive email
Date: Wed, 26 Mar 2008 20:46:57 -0400
From: John Leslie <john[at]jlc.net>
To: Mark Andrews <Mark_Andrews[at]isc.org>
CC: ietf-smtp[at]imc.org, Bill Manning <bmanning[at]ISI.EDU>

(I asked Mark to discuss this on <ietf-smtp> -- I'll provide context
where it seems needed...)

Mark Andrews <Mark_Andrews[at]isc.org> wrote:
> To: John Leslie <john[at]jlc.net>
>> Mark Andrews <Mark_Andrews[at]isc.org> wrote:
>>> SM <sm[at]resistor.net> wrote:
>>>> Mark Andrews <Mark_Andrews[at]isc.org> wrote:
>>>>
>>>>> It is easy to turn "MX 0 ." into "This domain doesn't support
>>>>> email" as "." is not confusable with a hostname. There is no
>>>>> reason to look up addresses records for "."
>>>>
>>>> There was an I-D, draft-delany-nullmx-00, which didn't make it
>>>> to RFC status.
>>>>
>>>>> Which could just be a misconfiguration. You still have to
>>>>> look up addresses for "dev.null".
>>>>
>>>> Yes. People still do it.
>>>
>>> Yes they do. We, the IETF, have failed them by not providing
>>> them with a clear mechanism to do what they want without bad
>>> side effects.

(The above is to give context.)

>> I well remember DNS gurus trying to deprecate the use of "."
>> wherever it might lead to queries to root servers for "." Is
>> this no longer an issue?
>
> SRV say to use "." for "no service".

This is indeed specified in RFC 2782.

> RP say to use "." for "does not exist".

I think Mark means Responsible Person (RFC 1183).

> There are already queries for A and AAAA queries for ".".
> Codifing the use of "MX 0 ." will, in the long run, reduce
> the number of such queries as MTA's get updated.

I'm pretty sure Mark means that the additional usage will speed
the update of MTAs which now query for "." to stop making this
useless query.

> The roots can handle the query load in the mean time.

Mark is more of a DNS guru than I, certainly, so I tend to assume
he's right about this.

However, widespread usage of this convention _could_ generate
rather a lot of potenital DNS queries as spammers continue to forge
Mail-From addresses which domain administrators attempt to mark as
"no incoming email accepted".

(The volume of spam blowback dwarfs any current use of SRV and
RP records.)

>> I'm very confused that Bill Manning seems to be calling for
>>
>> * MX .
>
> I think you mean "* MX 0 ."

(Indeed, I erred in typing this.)

> and Bill was not saying that.

Frankly, I have a lot of difficulty understanding _what_ Bill
Manning was saying, except that he didn't want to publish MX records.
I guessed he might mean that anyone who _didn't_ want a machine
probed for a port-25 server should publish MX records to say so.
(But, of course, he might just as well have meant you should block
port 25 -- I really don't know...)

> Bill knows that a wildcard record will not have the desired
> effect. Adding a "MX 0 ." record along side a existing
> record will have the desired effect.

(Actually, I doubt that either Mark or I should attempt to speak
for Bill.)

>>> It will be needed even *after* IPv6 takes over. There will
>>> be lots of queries for A records long after the majority
>>> of hosts don't have A records.

This is getting back to Mark's actual point -- that queries for
A (and/or AAAA) records for domains that don't want to participate
in SMTP is a bad use of the DNS system.

I quite agree.

>>> We need to remove the implict MX from A to prevent the A
>>> record lookups occuring as things currently stand.

I don't agree with "need to"; but I do think the SMTP world would
be a better place if we did.

--
John Leslie <john[at]jlc.net>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/735/=now
RSS Feed: http://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

nobody at xyzzy

Mar 27, 2008, 10:32 AM

Post #2 of 5 (486 views)
Permalink

Re: How to mark domains that do / do not wish to receive email] [In reply to]

Alessandro Vesely wrote:

> AFAIK, SPF specs still mandate to add a TXT or SPF record for each
> subdomain. IME, that is one of the most frequent omissions in SPF
> configurations. The current spec requires an SPF record for each
> name that has either an MX or an A record. Except for tiny domains,
> that requires a script, which is probably why many admins skip it.

Nobody is forced to publish a sender policy. When folks do it
they will hopefully cover their HELOs and their mail addresses.

They can cover other A or AAAA domains like www.example, but it
is not strictly necessary when www.example has no MX and no SMTP.

"v=spf1 -all" can be good, it allows to reject forged mail from
any[at]www.example. The owners could also decide that misdirected
bounces to any[at]www.example are no problem from their POV without
MX for or SMTP at www.example.

> IMHO, a default more appropriate than "?all" might be preferrable.

Changing the default for v=spf1 would break an unknown number of
existing policies violating the SHOULD in RFC 4408 chapter 4.7.

'More appropriate than "?all"', see ? You dare not say "-all",
it could cause havoc for the idio^Wfolks not reading chapter 4.7.

> an additional "default" modifier, appended to a domain's SPF
> record, could state that the last mechanism is to be assumed
> as the default for subdomains that actually lack any TXT or SPF
> record.

Won't fly for various reasons. On the harmless end, in 2003 SPF
already had a "default=", deprecated in 2004, later removed:
<http://tools.ietf.org/html/draft-mengwong-spf-01#section-5>

Then what you want is to cover subdomains. That needs the old
zone cut idea, after all we can't have say verisign define some
sitefind^Wdefault for *.net and *.com. Namedroppers tortured
Wayne to give up on zone cuts, that's why you don't find it in
RFC 4408. Council resolution, flames with Paul Vixie, obscure
op=nosub proposals for a tree walk alternative as in CSV, etc.

Finally the zone cut idea was pulled, and declared to be a very
dead horse in a very big rathole. If you only want wildcards
in parallel to an existing MX wildcard, sure, that's possible.

[.For SPF, for DKIM signing practises it's not because they put
their records at an _adsp._dkim.example subdomain below the
real domain.]

For v=spf1 it's also not really necessary, because SPF is not
about anti-phishing as primary goal, it is primarily about good
vs. misdirected bounces, and for that issue it is not necessary
to cover all A / AAAA without SMTP. Admittedly PRA could need
it, but PRA is another long story... ;-)

> is there a draft and/or a schedule for next SPF spec update?

No. A possible way forward could go like this: We somehow
figure out what to do with the last pending erratum, based on
that the test suite can be completed. Or vice versa. As soon
as the test suite is ready anybody who feels like it can post
a draft with some "lessons learned" from an implementation POV.

And/or, when the IESG and I'm ready with the news-nntp-uri I-D
I intend to update the spf-eai draft, adding an I18N discussion
for Received-SPF and Murray's Authentication-Results.

After that I promised to do something for the IDNA-alternatives
I-D, and if that doesn't result into other adventures I want to
rewrite the spf-options I-D almost from scratch, deprecating
the spf2.0/* zoo keeping only spf2.0/pra. I already wanted to
do that in 2007, but didn't get a grip on it, now I *think* it
is clear, this draft has to be a BCP creating a IANA registry
of SPF tags, modifiers, and options, for the shared use of the
SPF RR. Allowing to add v=spf3 and/or DKIM ADSP magic later.

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/735/=now
RSS Feed: http://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

julian at mehnle

Mar 28, 2008, 10:03 AM

Post #3 of 5 (484 views)
Permalink

Re: How to mark domains that do / do not wish to receive email [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alessandro Vesely wrote:
> BTW, is there a draft and/or a schedule for next SPF spec update?

For the record: There are no periodic SPF spec updates. For the
foreseeable future, RFC 4408 is final. Right now it isn't even clear
whether there will ever be a refreshed "v=spf1" RFC under the IETF's
purview given their extreme skepticism about SPF.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH7STxwL7PKlBZWjsRAr6sAKC7xXFa7bRbYNVb0rT0UiR3WrrEBgCgk273
/tWcpgXPjstrFtZbeY6jcoc=
=9CYJ
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/735/=now
RSS Feed: http://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

vesely at tana

Mar 31, 2008, 12:43 AM

Post #4 of 5 (478 views)
Permalink

Re: Re: How to mark domains that do / do not wish to receive email] [In reply to]

Frank Ellermann wrote:
> Alessandro Vesely wrote:
>
>> AFAIK, SPF specs still mandate to add a TXT or SPF record for each
>> subdomain. IME, that is one of the most frequent omissions in SPF
>> configurations. The current spec requires an SPF record for each
>> name that has either an MX or an A record. Except for tiny domains,
>> that requires a script, which is probably why many admins skip it.
>
> Nobody is forced to publish a sender policy. When folks do it
> they will hopefully cover their HELOs and their mail addresses.

That implies the main usage for SPF is to discard misdirected bounces.

> They can cover other A or AAAA domains like www.example, but it
> is not strictly necessary when www.example has no MX and no SMTP.
>
> "v=spf1 -all" can be good, it allows to reject forged mail from
> any[at]www.example.

That causes no harm to the owners of the example domain, correct?

> The owners could also decide that misdirected
> bounces to any[at]www.example are no problem from their POV without
> MX for or SMTP at www.example.

Why would they do so? That decision can be a problem for other
domains, who will accept mail from any[at]www.example as policy "neutral".

>> IMHO, a default more appropriate than "?all" might be preferrable.
>
> Changing the default for v=spf1 would break an unknown number of
> existing policies violating the SHOULD in RFC 4408 chapter 4.7.

Agreed

> 'More appropriate than "?all"', see ? You dare not say "-all",
> it could cause havoc for the idio^Wfolks not reading chapter 4.7.

:-)

>> an additional "default" modifier [...]
> Won't fly for various reasons. [...]
> Finally the zone cut idea was pulled, and declared to be a very
> dead horse in a very big rathole.

That's true, I found the resolution here
http://www.openspf.org/Council_Resolution/21

> For v=spf1 it's also not really necessary, because SPF is not
> about anti-phishing as primary goal, it is primarily about good
> vs. misdirected bounces, and for that issue it is not necessary
> to cover all A / AAAA without SMTP.

Hm... that sounds like an undue limitation to SPF.

An alternative to having a zone cut is to campaign for the addition of
"mail" RRs for each A record. A "mail" RR should be an SPF/TXT "v=spf1
-all", an MX 0 521-smtp-stub.example.com, or similar stuff. Would that
be any better for either the domain owners or the mail community as a
whole?

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/735/=now
RSS Feed: http://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

nobody at xyzzy

Mar 31, 2008, 11:03 PM

Post #5 of 5 (481 views)
Permalink

Re: How to mark domains that do / do not wish to receive email] [In reply to]

Alessandro Vesely wrote:

>> Nobody is forced to publish a sender policy. When folks do it
>> they will hopefully cover their HELOs and their mail addresses.

> That implies the main usage for SPF is to discard misdirected
> bounces.

SPF PASS also has its uses, also in policies without FAIL. After
a PASS *not* sending a non-delivery report and drop the mail would
be really odd. I'd say SPF is pro "good" and anti "bad" bounces.

Only discarding misdirected bounces after the fact, that is BATV,
and BATV is better than SPF for this narrow purpose, where it can
be used. BATV tries to cure the symptom, SPF tries to cure the
disease. Trying both simultaneously is also fine... ;-)

>> "v=spf1 -all" can be good, it allows to reject forged mail from
>> any[at]www.example.

> That causes no harm to the owners of the example domain, correct?

Yes.

>> The owners could also decide that misdirected bounces to
>> any[at]www.example are no problem from their POV without MX for or
>> SMTP at www.example.

> Why would they do so? That decision can be a problem for other
> domains, who will accept mail from any[at]www.example

They could do this if publishing hundreds or thousands of "-all"
policies indicating "doesn't send mail" is an administrative pain.

Spammers are interested to forge plausible addresses, an A or AAAA
without MX or SMTP isn't good enough for "call back verification",
and therefore protecting it might be pointless. Assumptions about
spammers and CBV are of course shaky, spamers do whatever works
for them, and "plausibility" might not enter the (their) picture.

> An alternative to having a zone cut is to campaign for the addition
> of "mail" RRs for each A record. A "mail" RR should be an SPF/TXT
> "v=spf1 -all", an MX 0 521-smtp-stub.example.com, or similar stuff.

> Would that be any better for either the domain owners or the mail
> community as a whole?

After a long battle about "MX required for IPv6 in 2821bis" after
Keith decided to give up on saying this in 2821bis I also gave up :-(

Some folks would support a separate RFC saying this about IPv6.

For IPv4 the nullmx idea might be okay, see the discussion on the
SMTP list. For IPv6 I don't see why billions of toasters and other
devices should need a nullmx to "opt out" from mail. It is better
than "v=spf1 -all" for two reasons I'm aware of, but for IPv6 I'd
prefer a mandatory MX as "opt in".

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/735/=now
RSS Feed: http://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com