alex at ergens
Jul 14, 2007, 3:42 AM
Post #6 of 8
Re: openspf tester cannot complete SPF analysis
[In reply to]
On Fri, Jul 13, 2007 at 09:03:29PM -0700, Ben Collver wrote:
> When I used the SPF Setup Wizard at openspf.org, it instructed me to
> post a single SPF record for the whiteselectronics.com DNS zone. In my
> original post, I asked for help troubleshooting why my SPF record
> failed analysis at the openspf tester.
> http://old.openspf.org/why.html?sender=newsletter%40whiteselectronics.com&ip=65.173.224.20&formwasused=1&debug=0

The so-called wizard isn't that smart at all. It just takes what you have,
and inserts in the existing policy what seems to be needed. Something
similar is true for generating your first policy. If you enter non-existing
names, or even faulty names, it will just copy the user input. Not really
the wizard's fault. "User knows best", aka "Garbage in, garbage out". It is
a tool, and the usability of tools depends on their use/user. No offence.

The tester is more sophisticated and will find errors. It will not find all
possible errors, especially if the syntax is correct but the semantics are
not. Nevertheless, you should use it _before_ publishing a new or modified
policy.

Your current SPF policy for your MAIL FROM domain, published in a TXT
record for domain whiteselectronics.com, is:

  "v=spf1 ip4:65.173.224.6 ip4:65.173.224.20 ~all"

This authorizes two hosts to use domain name whiteselectronics.com, but you
may want to look at http://www.openspf.org/SPF_Record_Syntax and scroll
down a bit to "Evaluation of the SPF record can "... where softfail ("~",
in your "~all") and fail ("-") are explained.

The domain used in a HELO (or: EHLO) does not have to be, and quite often
isn't, the same domain. Publish a policy for this as well. If everything is
set up per RFC, then "v=spf1 a -all" will probably work. [*]

And then there are other domains, such as www.whiteselectronics.com, which
also need a policy. Yes, it is a domain name. True, you may not use this
domain for email, but somebody else could. If you don't use it for email,
and nobody should, then publish "v=spf1 -all" for it.

Look at all domains which are not aliases (CNAME). Every domain that has an
A record and/or an MX record can potentially be used for email. In each
policy, authorize all legitimate users (HELO or MAIL FROM) of this domain.

Some people think a domain can only be used if an MX record is present for
the domain. This is a mistake. MX is for inbound only, and is only needed
if mail should end up in another place than the host with this domain name.

HTH
Alex

[*] If one host uses a domain name for HELO and possibly for MAIL FROM, and
another host uses the same domain name for MAIL FROM, the suggested policy
is not what you want. e.g.

  mail1.example.com sends "x [at] example" and "x [at] mail1" mail
  mail2.example.com sends "x [at] mail1" mail

and both hosts use their own name in HELO (as they should). In this
example:

  example.com        TXT "v=spf1 a:mail1.example.com -all"
  mail1.example.com  TXT "v=spf1 a a:mail2.example.com -all"
  mail2.example.com  TXT "v=spf1 a -all"

Why?

  example.com is only used in MAIL FROM, by host mail1.
  mail1.example.com is used:
    - in HELO, by mail1
    - in MAIL FROM, by mail1 and mail2
  and both hosts need to be listed.
  mail2.example.com is only used in HELO.

In short: be careful if you use email domain names which also happen to be
hostnames.
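The two points Alex makes (the three-policy example in the footnote, and "every non-CNAME domain with an A or MX record needs a policy") can be checked mechanically. The following is an added example, not code from the original post or from openspf.org: a minimal evaluator for the SPF subset the post uses (`ip4:`, `a`, `a:<domain>`, `all` with its qualifiers) run against a constructed, in-memory DNS table, plus an audit that lists domains that are not aliases, have an A or MX record, and publish no SPF record. The `example.com` addresses, `legacy.example.com`, and the MX for `example.com` are assumptions made for the example; only the whiteselectronics.com policy is taken from the post. CNAME following, `mx`, `include` and the other mechanisms are deliberately left out.

```python
import ipaddress

# Constructed DNS table for the example (hypothetical addresses; only the
# whiteselectronics.com TXT record is the one quoted in the post).
DNS = {
    "example.com": {"A": ["192.0.2.1"], "MX": ["mail1.example.com"],
                    "TXT": ["v=spf1 a:mail1.example.com -all"]},
    "mail1.example.com": {"A": ["192.0.2.10"],
                          "TXT": ["v=spf1 a a:mail2.example.com -all"]},
    "mail2.example.com": {"A": ["192.0.2.20"],
                          "TXT": ["v=spf1 a -all"]},
    "www.example.com": {"CNAME": ["example.com"]},          # alias: skipped by the audit
    "legacy.example.com": {"A": ["192.0.2.30"]},             # A record, no SPF: audit finding
    "whiteselectronics.com": {"A": ["65.173.224.6"],
                              "TXT": ["v=spf1 ip4:65.173.224.6 ip4:65.173.224.20 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    txts = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    return txts[0] if len(txts) == 1 else None


def check_host(ip, domain):
    """Evaluate the SPF subset used in the post: ip4:, a, a:<domain>, all.

    Returns pass/fail/softfail/neutral, or 'none' when the domain has no policy.
    The first matching mechanism decides; an unmatched record is neutral.
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            # A bare address is treated as a /32, as in a published record.
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # 'a' alone means the domain being checked; 'a:<domain>' names another host.
            target = arg or domain
            matched = str(sender) in DNS.get(target, {}).get("A", [])
        else:
            raise ValueError(f"mechanism {name!r} is not supported by this example")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def domains_missing_policy():
    """Non-alias domains with an A or MX record but no SPF record (the post's audit rule)."""
    return sorted(d for d, rr in DNS.items()
                  if "CNAME" not in rr and ("A" in rr or "MX" in rr)
                  and spf_record(d) is None)


if __name__ == "__main__":
    # Reproduce the footnote: who may use which domain in MAIL FROM / HELO.
    for ip, host in (("192.0.2.10", "mail1"), ("192.0.2.20", "mail2")):
        for domain in ("example.com", "mail1.example.com", "mail2.example.com"):
            print(f"{host} ({ip}) using {domain}: {check_host(ip, domain)}")
    print("domains needing a policy:", domains_missing_policy())
```

Running it shows mail2 getting `fail` for `example.com` (it is not a legitimate MAIL FROM user of that domain) while passing for `mail1.example.com`, and `legacy.example.com` flagged as a domain that can be used for email but has no policy.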