
eslbase at eslbase
Jan 9, 2007, 5:00 AM
Post #11 of 40
Thanks Alex. Well, my provider has, magically, now discovered that they can remove the dot after all, and they have done so. My next task is to get them to remove "mx" and change the tilde for a dash!

Thanks for all the help

Keith

----- Original Message -----
From: "Alex van den Bogaerdt" <alex[at]ergens.op.het.net>
To: <spf-help[at]v2.listbox.com>
Sent: Tuesday, January 09, 2007 11:53 AM
Subject: Re: [spf-help] SPF syntax correct?

> On Tue, Jan 09, 2007 at 11:29:46AM +0100, eslbase wrote:
>
>> Are you saying that "mx" should go at the end, so that it's like this:
>>
>> "v=spf1 ip4:66.232.130.50 ip4:66.232.135.20 ip4:66.232.129.245
>> ip4:66.232.129.12 ip4:66.232.129.247 ip4:66.232.129.248
>> ip4:66.232.129.249
>> ip4:66.232.129.250 mx ~all."
>
> No. Basically what I'm saying is that (in your case) mx is equivalent
> to ip4:66.232.130.50 and should be left out.
>
> You are asking us to do this for every incoming connection:
>
> a: "mx":
> a1) DNS lookup the MX record for your domain
> a2) Parse the answer, subtract the host part from it
> a3) DNS lookup the A record for the hostname from (2)
> a4) Compare against the resulting IP address: 66.232.130.50
>     continue if no match was found
>
> b: "ip4:66.232.130.50"
> b1) Compare against the specified IP address: 66.232.130.50
>     continue if no match was found
>
> See how step a4 and b1 do the same thing? If one matches, so would
> the other, if one does not match, neither will the other. So, why do
> step "a" at all ? Step b is much faster *and* cheaper.
>
> I also made a remark how "ip4" should go up front, in general, to
> avoid unnecessary lookups. In my example, this would mean doing
> 'series' b first, then series a. This saves a couple of DNS lookups
> in case the "ip4" mechanism matches.
>
>
> If you want to keep "mx" (for whatever reason) at least move it to the
> back. Please be aware that everything in front of it would not match
> in case of a forgery, and thus everyone receiving such a forgery would
> be required to lookup your MX host. In other words, you would ask those
> nice people that avoid generating bounces for you, to do additional (and
> more important: useless!) processing.
>
>> Also, if I change the end of my record to look like this:
>>
>> ..."232.129.249 ip4:66.232.129.250 ~all iArna.com=faulty." using the
>> workaround you suggested, will it be valid and therefore solve the
>> problem
>> of the dot at the end?
>
> I believe this to be a valid (albeit ugly) record, yes. Scott's SPF
> validator agrees with me; see http://www.kitterman.com/spf/validate.html
> and use the 2nd form ("Is this SPF record valid - syntactically correct?")
>
>
>> And finally, do you recommend using "<dash>-all" instead
>> of "<tilde>~all"
>> to stop the spoofing?
>
> Yes, I do. Of course you'd write -all vs. ~all, but on most screens
> the difference is hardly noticeable hence me using "<dash>" and "<tilde>".
>
> I'm sure not everybody will agree with me on directly using <dash>-all.
>
> Let me put it this way:
> if you use a tilde now, make *very* sure you publish a new record (using
> dash) in a couple of days or weeks (depending on the amount of mail you
> send). My opinion is that this testing period (because that's what tilde
> is for!) is of little use, if at all.
>
> Alex
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/ or
> http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to
> http://v2.listbox.com/member/?&
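The lookup-cost argument Alex makes (steps a1-a4 versus b1), the ordering advice, the trailing-dot problem and the "iArna.com=faulty." workaround can all be tried against a small SPF evaluator. This is an added example, not code from the thread or from any SPF library; it supports only the ip4, mx and all mechanisms, counts DNS queries instead of sending them, and the zone data for the made-up domain example.test is constructed so that its MX host resolves to the address already listed with ip4.

```python
import ipaddress

# Constructed DNS data (not real zone contents): the domain's MX host resolves
# to the same address that the record already lists with ip4.
FAKE_DNS = {("example.test", "MX"): ["mail.example.test"],
            ("mail.example.test", "A"): ["66.232.130.50"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Return (qualifier, mechanism, argument) triples; ValueError on bad syntax.
    Unknown modifiers (name=value) are skipped, so the "iArna.com=faulty." trick
    is harmless; an unknown mechanism such as "all." (trailing dot) is an error."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                       # modifier, ignored if not understood
            continue
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name not in ("ip4", "mx", "all"):
            raise ValueError("unknown mechanism: " + name)
        parsed.append((qualifier, name, arg))
    return parsed

def evaluate(record, sender_ip, domain):
    """Return (result, number of DNS lookups) for a simplified SPF check."""
    try:
        terms = parse(record)
    except ValueError:
        return "permerror", 0
    ip, lookups = ipaddress.ip_address(sender_ip), 0
    for qualifier, name, arg in terms:
        if name == "ip4":                     # step b: a single comparison, no DNS
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":                    # steps a1-a4: MX query + one A query per host
            hosts = FAKE_DNS.get((domain, "MX"), [])
            lookups += 1 + len(hosts)
            matched = any(sender_ip in FAKE_DNS.get((h, "A"), []) for h in hosts)
        else:                                 # all
            matched = True
        if matched:
            return RESULT[qualifier], lookups
    return "neutral", lookups
```

With the listed address, "ip4 ... mx" passes after zero lookups while "mx ip4 ..." spends two; for a forged sender address, every receiver still pays those two lookups whenever mx is present at all.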