
dmd at speakeasy
Jul 27, 2004, 7:59 AM
Post #2 of 4
That can't be quite right. My domains work in dnsstuff.com and have quotes around the domain.

Sample string, using BIND 8.4.4 on my end for DNS:

pique.net. IN TXT "v=spf1 a mx ptr ip4:216.254.34.250 -all"

queried in dnsstuff returns:

pique.net. TXT IN 3600000 "v=spf1 a mx ptr ip4:216.254.34.250 -all"

And using the other test

SPF lookup of sender droid [at] pique from IP 216.254.34.250:

SPF string used: v=spf1 a mx ptr ip4:216.254.34.250 -all.
Processing SPF string: v=spf1 a mx ptr ip4:216.254.34.250 -all.
Testing 'a' on IP=216.254.34.250, target domain pique.net, CIDR 32, default=PASS. MATCH!
Testing 'mx' on IP=216.254.34.250, target domain pique.net, CIDR 32, default=PASS.
Testing 'ptr' on IP=216.254.34.250, target domain pique.net, CIDR 32, default=PASS.
Testing 'ip4:216.254.34.250' on IP=216.254.34.250, target domain 216.254.34.250, CIDR 32, default=PASS.
Testing 'all' on IP=216.254.34.250, target domain pique.net, CIDR 32, default=FAIL.
Result: PASS

What I think might be occurring in your case is your A and PTR don't match for your IP:

$ host 64.139.78.162
162.78.139.64.IN-ADDR.ARPA domain name pointer 64-139-78-162-ubr01a-shrpsr01-tn.hfc.comcastbusiness.net

But while

$ host mail.v-sources.com
mail.v-sources.com has address 64.139.78.162

The folks at comcast have kept the PTR record for themselves, it would seem.

That I think is what the report you're getting is saying.. the way the internet was supposed to work (tm) was that mail servers would have forward and reverse DNS that matches. A lot of mail agents will kindly overlook this and deliver mail anyway -- but that's another whole issue.

Something SPF is in a roundabout way seeking to fix, is that we got way too loose with what we allowed to be delivered in the way of a message. The assumption pre-spammers was "every best faith effort will be made to deliver the mail" and that has led to some allowing of weirdly wrong configurations for DNS over the years.

+-------------------------
+ Dave Dennis
+ Seattle, WA
+ dmd [at] speakeasy
+ http://www.dmdennis.com
+-------------------------

On Tue, 27 Jul 2004, Fred Dickey wrote:

> Ok, I've been reading this forum for awhile and after realizing that
> dnsstuff.com has an SPF test (man I missed that one) in addition to the one
> on the official SPF web site, I did the test and it failed me yesterday even
> though the other test on the SPF site passed me. I had read something about
> the SPF wizard leaving quotes around the TXT string being a bad thing, so I
> removed the quotes encapsulating my SPF TXT record and tested on DNS stuff
> today. Overall, it passed. But there is one failure in the series of tests
> it appeared to do that I have a question about:
> -----------------------------------------------------
> SPF lookup of sender fdickey [at] v-sources from IP 64.139.78.162:
>
>
> SPF string used: v=spf1 ip4:64.139.78.162 mx a:mail.v-sources.com
> mx:mail.v-sources.com -all.
> Processing SPF string: v=spf1 ip4:64.139.78.162 mx a:mail.v-sources.com
> mx:mail.v-sources.com -all.
> Testing 'ip4:64.139.78.162' on IP=64.139.78.162, target domain
> 64.139.78.162, CIDR 32, default=PASS. MATCH!
> Testing 'mx' on IP=64.139.78.162, target domain v-sources.com, CIDR 32,
> default=PASS. Testing 'a:mail.v-sources.com' on IP=64.139.78.162, target
> domain mail.v-sources.com, CIDR 32, default=PASS. Testing
> 'mx:mail.v-sources.com' on IP=64.139.78.162, target domain
> mail.v-sources.com, CIDR 32, default=PASS. Testing 'all' on
> IP=64.139.78.162, target domain v-sources.com, CIDR 32, default=FAIL.
> <<<---this is the one ????
> Result: PASS
>
>
> Known Issues:
> None.
> -------------------------------------
>
> In this test, everything appears to pass except for the last test "Testing
> 'all'". I am assuming that this is because I have the -all at the end of my
> TXT record indicating that no other servers are allowed to send email that
> is not specified directly in the TXT record. In that case, that's exactly
> what I would want to fail. Is this a correct assumption or do I still need
> to resolve an issue with my SPF record?
>
> My SPF record appears as follows:
>
> "v=spf1 ip4:64.139.78.162 mx a:mail.v-sources.com mx:mail.v-sources.com
> -all"
>
> It's strange that DNSstuff failed me yesterday when the registration site
> for SPF passed me a few weeks ago. LOL.
>
> BTW, I'm aware that my reverse DNS resolves back to the hostname assigned by
> my ISP. In the future, will this matter? Will the reverse DNS hostname be
> scrutinized to resolve back to the same domain as the forward DNS record? I
> wouldn't think so, since the reverse hostname record for my ISP will
> eventually lead back to me through their records if someone really wanted to
> find out who was sending what, but I could be wrong. Would it be best
> practice to update the reverse record or does it matter?
>
> Thanks in advance for anyone's input.
>
> Fred Dickey, IT Support Specialist
> Virtual Resources, Inc.
> Web: www.v-sources.com
>
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your subscription,
> please go to http://v2.listbox.com/member/?listname=spf-help [at] v2
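
Added example, not part of either message and not dnsstuff's code: a reduced SPF check run over the two records quoted in this thread, showing that evaluation stops at the first matching mechanism (so `-all` decides only for addresses nothing earlier matched) and where the PTR record enters. The A and PTR values are the ones quoted above; the MX entry, the lookup tables and all function names are assumptions made for the example, and only the ip4, a, mx, ptr and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS: the addresses and the PTR name are the ones
# quoted in the thread; the MX entry is an assumption made for the example.
A = {"pique.net": ["216.254.34.250"], "mail.v-sources.com": ["64.139.78.162"]}
MX = {"v-sources.com": ["mail.v-sources.com"]}
PTR = {"64.139.78.162": ["64-139-78-162-ubr01a-shrpsr01-tn.hfc.comcastbusiness.net"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def ptr_validated(ip, domain):
    """True if a PTR name for ip lies within domain and resolves back to ip."""
    for name in PTR.get(ip, []):
        in_domain = name == domain or name.endswith("." + domain)
        if in_domain and ip in A.get(name, []):
            return True
    return False


def mechanism_matches(name, arg, ip, domain):
    if name == "all":  # matches everything, reached only if nothing earlier did
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in A.get(arg or domain, [])
    if name == "mx":
        return any(ip in A.get(host, []) for host in MX.get(arg or domain, []))
    if name == "ptr":
        return ptr_validated(ip, arg or domain)
    raise ValueError("unsupported mechanism: " + name)


def check_spf(record, ip, domain):
    """Return (result, deciding_term); evaluation stops at the first match."""
    terms = record.strip('"').split()  # zone-file quotes are not TXT data
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if mechanism_matches(name.lower(), arg, ip, domain):
            return (QUALIFIERS[qualifier], term)
    return ("neutral", None)

FRED = '"v=spf1 ip4:64.139.78.162 mx a:mail.v-sources.com mx:mail.v-sources.com -all"'
DAVE = '"v=spf1 a mx ptr ip4:216.254.34.250 -all"'
```

`check_spf(FRED, "64.139.78.162", "v-sources.com")` is decided by the `ip4` term, while an address that matches nothing (for instance the documentation address 192.0.2.25) is decided by `-all`.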