Mailing List Archive: SPF: Help

SPF records & spf-milter help?

Index | Next | Previous | View Threaded

spf-help at onethumb

Jul 2, 2004, 10:34 AM

Post #1 of 5 (1215 views)
Permalink

SPF records & spf-milter help?

Hi there, I'm publishing SPF records which I think are accurate, but I'm
getting some unexpected results.

Here's my TXT records:

smugmug.com. IN TXT "v=spf1 a mx ptr ip4:63.81.134.0/24
ip4:63.81.33.192/27 ~all"

mail.smugmug.com. IN TXT "v=spf1 a ~all"

orcus.smugmug.com. IN TXT "v=spf1 a ~all"

However, when mail arrives from hostname.smugmug.com (such as
'hera.smugmug.com') that is other than orcus, the 'Received-SPF:' header
reads:

none (orcus.smugmug.com: domain of apache [at] hera does not
designate permitted sender hosts)

Note that hera resolves to an IP listed in the range for the domain, and
has valid DNS records.

We have many machines sending email. Some of them are behind a NAT, but
the NAT IP is still within the range specified in the SPF record.

If I go and explicitly set a TXT SPF record specifically for
hera.smugmug.com, it gets validated properly. But surely that's not the
way it's supposed to work, right? I can't have dozens of entries, and
I'm sure AOL/Hotmail/etc can't have hundreds of entries.

Am I missing an option to recursively apply domain.com to all
hosts.domain.com ?

Thanks for any assistance!

Don

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

spf at metro

Jul 2, 2004, 11:55 AM

Post #2 of 5 (1208 views)
Permalink

Re: SPF records & spf-milter help? [In reply to]

On Fri, Jul 02, 2004 at 10:34:51AM -0700, spf-help [at] onethumb wrote:
> If I go and explicitly set a TXT SPF record specifically for
> hera.smugmug.com, it gets validated properly. But surely that's not the
> way it's supposed to work, right? I can't have dozens of entries, and
> I'm sure AOL/Hotmail/etc can't have hundreds of entries.
>
> Am I missing an option to recursively apply domain.com to all
> hosts.domain.com ?

Afaik, that is the way it's supposed to work. Sorry. I'm sure you can
automate this however..

You can use redirect however to redirect all your spf records to a
single spf record that defines your policy, this way if something
changes you only have to changet the spf record all the others are
redirected to.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

spf at kitterman

Jul 2, 2004, 11:57 AM

Post #3 of 5 (1199 views)
Permalink

RE: SPF records & spf-milter help? [In reply to]

> -----Original Message-----
> From: owner-spf-help [at] v2
> [mailto:owner-spf-help [at] v2]On Behalf Of spf-help [at] onethumb
> Sent: Friday, July 02, 2004 1:35 PM
> To: spf-help [at] v2
> Subject: [spf-help] SPF records & spf-milter help?
>
>
> Hi there, I'm publishing SPF records which I think are accurate, but I'm
> getting some unexpected results.
>
> Here's my TXT records:
>
> smugmug.com. IN TXT "v=spf1 a mx ptr ip4:63.81.134.0/24
> ip4:63.81.33.192/27 ~all"
>
> mail.smugmug.com. IN TXT "v=spf1 a ~all"
>
> orcus.smugmug.com. IN TXT "v=spf1 a ~all"
>
>
> However, when mail arrives from hostname.smugmug.com (such as
> 'hera.smugmug.com') that is other than orcus, the 'Received-SPF:' header
> reads:
>
> none (orcus.smugmug.com: domain of apache [at] hera does not
> designate permitted sender hosts)
>
> Note that hera resolves to an IP listed in the range for the domain, and
> has valid DNS records.
>
> We have many machines sending email. Some of them are behind a NAT, but
> the NAT IP is still within the range specified in the SPF record.
>
> If I go and explicitly set a TXT SPF record specifically for
> hera.smugmug.com, it gets validated properly. But surely that's not the
> way it's supposed to work, right? I can't have dozens of entries, and
> I'm sure AOL/Hotmail/etc can't have hundreds of entries.
>
> Am I missing an option to recursively apply domain.com to all
> hosts.domain.com ?
>
> Thanks for any assistance!
>
> Don
>
The record for smugmug.com gets called for e-mail addresses that are
(username)@smugmug.com (and optionally if smugmug.com gets used as the
HELO/EHLO identifier).

Any valid domain name that you have should have an spf record. If that
sub-domain never sends mail (and is never the HELO/EHLO identifier), the
record should be {subdomain}.smugmug.com. IN TXT "v=spf1 -all". If that
subdomain does send mail, then it needs to be a complete record for where
the mail can come from. If it's just from that box, then it can be
(subdomain).smugmug.com. IN TXT "v=spf1 a ~all" as you have it. If any of
those domains can send from any of the permitted senders for smugmug.com,
you can use (subdomain).smugmug.com. IN TXT "v=spf1 redirect:smugmug.com
~all". That way if your IP list changes, you don't have to go change them
all.

Scott Kitterman

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

nobody at xyzzy

Jul 2, 2004, 12:36 PM

Post #4 of 5 (1221 views)
Permalink

Re: SPF records & spf-milter help? [In reply to]

spf [at] kitterman wrote:

> TXT "v=spf1 redirect:smugmug.com ~all".

AFAIK that would _always_ result in SOFTFAIL, because the
redirect=smugmug.com is evaluated after anything else.

You probably wanted to say "v=spf1 include:smugmug.com ~all"
or you wanted to say "v=spf1 redirect=smugmug.com". As
soon as there is an (+ ? ~ -)all a redirect= has no effect,
and it should be always at the end, because it's evaluated
after the normal mechanisms.

Or that's at least how I uderstood the SPF1 draft. For Don
the solution could be to use his existing wildcard record
*.smugmug.com (incl. orcus / foobar / whatever) and add a
IN TXT "v=spf1 redirect=smugmug.com"

My ISP did it this way for *.claranet.de (incl. xyzzy etc.).

Another solution is to copy the sender policy of the domain
to the wildcard record for the vanity hosts. If there are
any real hosts like www.smugmug.com, then they should have
their own TXT (e.g. "v=spf1 -all" if @www.smugmug is never
okay). My ISP didn't do this, therefore you get a sender
policy for all vanity.claranet.de but not www.claranet.de

Bye, Frank

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

spf at kitterman

Jul 2, 2004, 12:44 PM

Post #5 of 5 (1191 views)
Permalink

RE: Re: SPF records & spf-milter help? [In reply to]

> -----Original Message-----
> From: owner-spf-help [at] v2
> [mailto:owner-spf-help [at] v2]On Behalf Of Frank Ellermann
> Sent: Friday, July 02, 2004 3:36 PM
> To: spf-help [at] v2
> Subject: [spf-help] Re: SPF records & spf-milter help?
>
>
> spf [at] kitterman wrote:
>
> > TXT "v=spf1 redirect:smugmug.com ~all".
>
> AFAIK that would _always_ result in SOFTFAIL, because the
> redirect=smugmug.com is evaluated after anything else.
>
> You probably wanted to say "v=spf1 include:smugmug.com ~all"
> or you wanted to say "v=spf1 redirect=smugmug.com". As
> soon as there is an (+ ? ~ -)all a redirect= has no effect,
> and it should be always at the end, because it's evaluated
> after the normal mechanisms.
>
> Or that's at least how I uderstood the SPF1 draft. For Don
> the solution could be to use his existing wildcard record
> *.smugmug.com (incl. orcus / foobar / whatever) and add a
> IN TXT "v=spf1 redirect=smugmug.com"
>
Yes, of course, you are correct.

Scott Kitterman

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads