
Mailing List Archive: SPF: Help

Proxy spf records

 

 



johnp at idimo

Aug 10, 2005, 4:07 AM

Post #1 of 5 (846 views)
Proxy spf records

Extracted from the spf-discuss list....

> if the SPF
> community chose to assemble and publish proxy records for large ISPs
> that don't publish their own SPF records (e.g. something like
> "include:cox.net.proxy_records.openspf.org"), I'd be willing to use
> them if the DNS server setup for the proxy records looked reliable.

This is an option which I would be prepared to set up and administer, using input from all
those who are having such problems. I have a reliable DNS server (touch wood) and a remote
back-up, though I'd be happy if others would do further back-ups, or allow me access to do
it myself.

I will create TXT and SPF records for a subdomain of one of my own domains as proxy for
any domains that do not currently publish.

e.g. For comcast. and assuming I use spfhelp.net, I will add these lines to the zonefile
for spfhelp.net (thanks to ScottK for the IP ranges)

comcast.net.proxy.spfhelp.net. IN TXT "v=spf1 ?ip4:204.127.202.0/24 ?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all"
comcast.net.spfhelp.net. IN SPF "v=spf1 ?ip4:204.127.202.0/24 ?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all"

Anyone needing to use comcast could therefore add include:comcast.net.proxy.spfhelp.net to
their record.

I will post all such proposed records here and on spf-help for comment, amendment, etc.,
prior to actually doing them. I will also use the least disruptive method of zonefile
editing by adjusting the ttl's as needed.

Comments, criticism, advice, offers of help all welcome ;-)

Slainte,
JohnP.

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=8085f1ba


spf2 at kitterman

Aug 10, 2005, 5:01 AM

Post #2 of 5 (812 views)
RE: Proxy spf records [In reply to]

>-----Original Message-----
>From: johnp [mailto:johnp[at]idimo.com]
>Sent: Wednesday, August 10, 2005 7:08 AM
>To: spf-help[at]v2.listbox.com
>Subject: [spf-help] Proxy spf records
>
>
>Extracted from the spf-discuss list....
>
> if the SPF
> > community chose to assemble and publish proxy records for large ISPs
> > that don't publish their own SPF records (e.g. something like
> > "include:cox.net.proxy_records.openspf.org"), I'd be willing to use
> > them if the DNS server setup for the proxy records looked reliable.
>
>This is an option which I would be prepared to set up and
>administer, using input from all
>those who are having such problems. I have a reliable DNS server
>(touch wood) and a remote
>back-up, though I'd be happy if others would do further back-ups,
>or allow me access to do
>it myself.
>
>I will create TXT and SPF records for a subdomain of one of my own
>domains as proxy for
>any domains that do not currently publish.
>
>e.g. For comcast. and assuming I use spfhelp.net, I will add these
>lines to the zonefile
>for spfhelp.net (thanks to ScottK for the IP ranges)
>
>comcast.net.proxy.spfhelp.net. IN TXT "v=spf1 ?ip4:204.127.202.0/24
>?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all"
>comcast.net.spfhelp.net. IN SPF "v=spf1 ?ip4:204.127.202.0/24
>?ip4:204.127.198.0/24
>?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all"
>
>Anyone needing to use comcast could therefore add
>include:comcast.net.proxy.spfhelp.net to
>their record.
>
>I will post all such proposed records here and on spf-help for
>comment, amendment, etc.,
>prior to actually doing them. I will also use the least disruptive
>method of zonefile
>editing by adjusting the ttl's as needed.
>
>Comments, criticism, advice, offers of help all welcome ;-)
>
I would strongly recommend that anyone doing the above use ?include: instead
of include:. Even if that list of IP addresses is still correct (I have no
way of knowing) it casts a broader net than just the Comcast mail servers.
There's no way of knowing who you are giving a Pass to if you just use
include:.

Scott K



johnp at idimo

Aug 10, 2005, 5:35 AM

Post #3 of 5 (817 views)
Re: Proxy spf records [In reply to]

Scott Kitterman wrote:
>>-----Original Message-----
>>From: johnp [mailto:johnp[at]idimo.com]
>>Sent: Wednesday, August 10, 2005 7:08 AM
>>To: spf-help[at]v2.listbox.com
>>Subject: [spf-help] Proxy spf records
>>
>>
>>Extracted from the spf-discuss list....
>>
>> if the SPF
>>
>>>community chose to assemble and publish proxy records for large ISPs
>>>that don't publish their own SPF records (e.g. something like
>>>"include:cox.net.proxy_records.openspf.org"), I'd be willing to use
>>>them if the DNS server setup for the proxy records looked reliable.
>>
>>This is an option which I would be prepared to set up and
>>administer, using input from all
>>those who are having such problems. I have a reliable DNS server
>>(touch wood) and a remote
>>back-up, though I'd be happy if others would do further back-ups,
>>or allow me access to do
>>it myself.
>>
>>I will create TXT and SPF records for a subdomain of one of my own
>>domains as proxy for
>>any domains that do not currently publish.
>>
>>e.g. For comcast. and assuming I use spfhelp.net, I will add these
>>lines to the zonefile
>>for spfhelp.net (thanks to ScottK for the IP ranges)
>>
>>comcast.net.proxy.spfhelp.net. IN TXT "v=spf1 ?ip4:204.127.202.0/24
>>?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all"
>>comcast.net.spfhelp.net. IN SPF "v=spf1 ?ip4:204.127.202.0/24
>>?ip4:204.127.198.0/24
>>?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all"
>>
>>Anyone needing to use comcast could therefore add
>>include:comcast.net.proxy.spfhelp.net to
>>their record.
>>
>>I will post all such proposed records here and on spf-help for
>>comment, amendment, etc.,
>>prior to actually doing them. I will also use the least disruptive
>>method of zonefile
>>editing by adjusting the ttl's as needed.
>>
>>Comments, criticism, advice, offers of help all welcome ;-)
>>
>
> I would strongly recommend that anyone doing the above use ?include: instead
> of include:. Even if that list of IP addresses is still correct (I have no
> way of knowing) it casts a broader net than just the Comcast mail servers.
> There's no way of knowing who you are giving a Pass to if you just use
> include:.

Agreed - I'll put that on the documentation.




Slainte,
JohnP



nobody at xyzzy

Aug 10, 2005, 8:21 AM

Post #4 of 5 (803 views)
Re: Proxy spf records [In reply to]

johnp wrote:

> Comments, criticism, advice, offers of help all welcome ;-)

It's an idea. I think it should work if the "proxy owner"
(e.g. you for $ISP) really uses his "proxy record" in his
own sender policy, because he's a customer of $ISP.

It's also possible to start a public collection of such
"proxy records". But you're somewhat in trouble if you
try to do it for third parties on the sayso of strangers.

Sooner or later one of the strangers will be clueless or
malicious (or both ;-)
Bye, Frank




johnp at idimo

Aug 10, 2005, 10:55 AM

Post #5 of 5 (795 views)
Proxy spf records [In reply to]

Proxy SPF records.

If you are creating an SPF record for your domain, and you need to include some ISP which
you use, but which does not publish a record themselves, this is where a proxy record can
be useful.

The information in the proxy record will be made up by people looking at their mail and
identifying the IPs of as many of the sources of mail from that ISP as possible.

The proxy record will exist on spfhelp.net and will allow you to include it instead of the
ISP's non-existent record.

Obviously this is not foolproof, but will depend on people giving feedback to the
proxy-record holder here. It should be included in your record by ?include: so that it
will not cause a fail, and the proxy record itself will look something like this:-

comcast.net.proxy.spfhelp.net. IN TXT "v=spf1 ?ip4:204.127.202.0/24 ?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all"

thereby giving no hard FAIL results if it is not quite right, but giving a pass where it
matches. The "SPF" RR will also be included as a proxy with the same information.

Now your record can look like this:-

example.com. IN TXT "v=spf1 a mx ?include:comcast.net.proxy.spfhelp.net ~all"

and you will not be thwarted by the lack of a record at comcast.net.

The ISPs I have been asked to create proxies for so far are:-
cox.net
comcast.net
rogers.com
vianet.ca
blackberry.net
and I am waiting for information from anyone who gets mail from those sources to let me
have the IP number it originated from.

I hope that explains it better.

Slainte,
JohnP
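
An added illustration, not part of the thread: a minimal Python evaluator for the ip4, include and all mechanisms, following the include rule in RFC 7208 section 5.2 (an include matches only when the included record evaluates to pass, and the result is then set by the qualifier on the include term itself). The zone is a constructed in-memory table, plain.proxy.example is a hypothetical variant of the posted record with unqualified ip4: terms, and a and mx are treated as non-matching.

```python
import ipaddress

# Constructed in-memory "DNS". The first record is the one posted in the thread;
# the second is a hypothetical variant whose ip4: terms carry no "?" qualifier.
ZONE = {
    "comcast.net.proxy.spfhelp.net":
        "v=spf1 ?ip4:204.127.202.0/24 ?ip4:204.127.198.0/24 "
        "?ip4:216.148.227.0/24 ?ip4:63.240.76.0/24 ~all",
    "plain.proxy.example":
        "v=spf1 ip4:204.127.202.0/24 ip4:204.127.198.0/24 "
        "ip4:216.148.227.0/24 ip4:63.240.76.0/24 ~all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, record, zone=ZONE, depth=0):
    """Evaluate ip against an SPF record (ip4, include and all only)."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            target = zone.get(arg.rstrip(".").lower())
            if target is None:          # nothing published at the include target
                return "permerror"
            inner = check_host(ip, target, zone, depth + 1)
            if inner in ("permerror", "temperror"):
                return inner
            matched = inner == "pass"   # only an inner pass makes include match
        else:
            continue                    # a, mx etc.: not evaluated in this sketch
        if matched:
            return RESULT[qual]         # the outer qualifier decides the result
    return "neutral"                    # no mechanism matched

def policy(include_term):
    """Build a sender policy shaped like the example.com record in the post."""
    return f"v=spf1 a mx {include_term} ~all"
```

With the record as posted, every ip4 term carries the ? qualifier, so the inner evaluation never returns pass and both include forms fall through to ~all. With unqualified ip4 terms, include: yields pass and ?include: yields neutral for a listed address.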

