Mailing List Archive: SPF: Help

Some confusion

Index | Next | Previous | View Threaded

support at phoenix-com

Mar 22, 2008, 9:48 AM

Post #1 of 4 (771 views)
Permalink

Some confusion

Hi All:

I am trying to understand all the little ins and outs about SPF.
I have created an SPF record with some on line tools and have even posted it
on our domain, but now I want to start implementing in through our Server.
I am a bit confused about some things regarding SPF so please bear with me.

I get a lot of garbage mail that is using addresses on our mail
server as the “Mail From” address. I know that we have not sent these
messages and I believe that SPF will help to reduce the amount of stuff
coming to us that says it was sent by us.. So my question is if I enable SPF
checking will it validate whether the mail came from us and reject and how
does this impact mail sent to me by others who don’t publish an SPF record?
Would it be better during the switch to us a either or situation ..
Pass/Fail; or would a Soft Fail be the best solution?

Any advice would be greatly appreciated on this topic. Thanks
in advance.

Technical Support Group

Phoenix Communications Corporation

PH: (801) 438-4000

FX: (801) 438-4004

TF: (877) 313-6146

"Bringing your business into the 21st Century"

Our company accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis of the information provided,
unless that information is subsequently confirmed in writing. Any views or
opinions presented in this email are solely those of the author and do not
necessarily represent those of the company. WARNING: Computer viruses can be
transmitted via email. The recipient should check this email and any
attachments for the presence of viruses. The company accepts no liability
for any damage caused by any virus transmitted by this email.

Phoenix Communications Corporation, 5526 W. 13400 S, #226, Herriman, UT.
84096-6919; www.phoenix-com.net

No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.21.8/1338 - Release Date: 3/21/2008
5:52 PM

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Mar 22, 2008, 11:57 AM

Post #2 of 4 (719 views)
Permalink

Re: Some confusion [In reply to]

2008/3/22 Technical Support <support [at] phoenix-com>:
> Hi All:
>
> I am trying to understand all the little ins and outs about SPF.
> I have created an SPF record with some on line tools and have even posted it
> on our domain, but now I want to start implementing in through our Server.
> I am a bit confused about some things regarding SPF so please bear with me.
>
> I get a lot of garbage mail that is using addresses on our mail
> server as the "Mail From" address. I know that we have not sent these
> messages and I believe that SPF will help to reduce the amount of stuff
> coming to us that says it was sent by us.. So my question is if I enable SPF
> checking will it validate whether the mail came from us and reject and how
> does this impact mail sent to me by others who don't publish an SPF record?

If you check SPF records then you will handle mail from domains
according to their SPF record. This means that if people publish a
record with "-all" and the mail doesn't originate from a server listed
in the SPF record it will be rejected.

If you want others to be able to reject mail forged to use your domain
you have to publish an SPF record (see the FAQ).

> Would it be better during the switch to us a either or situation ..
> Pass/Fail; or would a Soft Fail be the best solution?

Initially, while testing, use "~all", then when you're happy it is
correct switch to "-all".

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

support at phoenix-com

Mar 22, 2008, 1:49 PM

Post #3 of 4 (700 views)
Permalink

RE: Some confusion [In reply to]

Thanks for the info. I think I have it fixed and have started testing in per your recommendations. I will check it and see how it works.

-----Original Message-----
From: Rob MacGregor [mailto:rob.macgregor [at] gmail]
Sent: Saturday, March 22, 2008 12:58 PM
To: spf-help [at] v2
Subject: Re: [spf-help] Some confusion

2008/3/22 Technical Support <support [at] phoenix-com>:
> Hi All:
>
> I am trying to understand all the little ins and outs about SPF.
> I have created an SPF record with some on line tools and have even posted it
> on our domain, but now I want to start implementing in through our Server.
> I am a bit confused about some things regarding SPF so please bear with me.
>
> I get a lot of garbage mail that is using addresses on our mail
> server as the "Mail From" address. I know that we have not sent these
> messages and I believe that SPF will help to reduce the amount of stuff
> coming to us that says it was sent by us.. So my question is if I enable SPF
> checking will it validate whether the mail came from us and reject and how
> does this impact mail sent to me by others who don't publish an SPF record?

If you check SPF records then you will handle mail from domains
according to their SPF record. This means that if people publish a
record with "-all" and the mail doesn't originate from a server listed
in the SPF record it will be rejected.

If you want others to be able to reject mail forged to use your domain
you have to publish an SPF record (see the FAQ).

> Would it be better during the switch to us a either or situation ..
> Pass/Fail; or would a Soft Fail be the best solution?

Initially, while testing, use "~all", then when you're happy it is
correct switch to "-all".

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

No virus found in this incoming message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.21.8/1338 - Release Date: 3/21/2008 5:52 PM

No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.21.8/1338 - Release Date: 3/21/2008 5:52 PM

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

alex at ergens

Mar 23, 2008, 6:35 AM

Post #4 of 4 (706 views)
Permalink

Re: Some confusion [In reply to]

On Sat, Mar 22, 2008 at 10:48:26AM -0600, Technical Support wrote:

> I get a lot of garbage mail that is using addresses on our mail
> server as the â€œMail Fromâ€ address. I know that we have not sent these
> messages and I believe that SPF will help to reduce the amount of stuff
> coming to us that says it was sent by us.. So my question is if I enable SPF
> checking will it validate whether the mail came from us and reject and how
> does this impact mail sent to me by others who donâ€™t publish an SPF record?
> Would it be better during the switch to us a either or situation ..
> Pass/Fail; or would a Soft Fail be the best solution?

You don't need SPF for such tests on your own server. You know the
rules, you don't need to communicate them elsewhere (which is what
SPF is about!) If you know ${server_in_china} should not be sending
mail using your name, you do not need SPF to communicate this to yourself.

When transfering a message between two SMTP servers, two distinct roles
exist. You need to separate the two roles. There's a sender and a receiver.

${sender} claims to talk on behalf of ${user}@${domain}
${receiver} uses SPF to fetch the policy at ${domain}
${receiver} judges wether he should accept the message (or similar)

In your scenario, you would be both ${receiver} and ${domain}, so yuo
would be fetching your own policy. This is certainly possible although
perhaps a bit wasting resources.

OTOH you don't need to make an exception for domains you own, which
can be a good thing outweighing the extra use of resources.

As with any email: if ${domain} doesn't publish a policy, or if
${receiver} doesn't use it, SPF won't work (by design). That's why
everybody should implement both sides of SPF, do not just publish
a policy, also enable inbound verification on your servers.

HTH
Alex

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads