Gossamer Forum

SPF and Email Profiles

Hi

Is the Email Profiles feature going to have limited applicability when viewed in conjunction with SPF?

Thanks
HyTC

==================================
Mail Me If Contacting Privately Is That Necessary.
==================================
Re: [HyperTherm] SPF and Email Profiles
Hi,

No, not at all. The domain owner determines what servers they want mail to originate from. If the domain owner doesn't want people to be able to use webmail, they'll adjust their spf record appropriately. If they do, they can also set up the spf record to allow this.

For instance, aol.com:

aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"

The ?all means that 'SPF queries that do not match any other mechanism will return "neutral". Messages that are not sent from an approved server should still be accepted as if the SPF record did not exist.'

But for gossamer-threads.com:

gossamer-threads.com text "v=spf1 a mx ip4:64.69.64.0/24 ip4:64.180.111.209 ip4:64.180.111.210 ip4:64.180.111.212 -all"

The -all means that if you were using @gossamer-threads.com in your profile on a different IP, then you would get rejected/marked as spam by an spf enabled server.

But it's up to the domain owner to set the policy for how the domain should be used.

Cheers,

Alex
--
Gossamer Threads Inc.
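How an SPF-checking receiver would read the two records quoted in the post above, as an added example (not part of Alex's post and not Gossamer Threads code). It evaluates only the ip4 and all terms; a, mx and ptr need DNS lookups and are treated as non-matching here, and 203.0.113.5 is a constructed documentation address standing in for an unlisted sender.

```python
import ipaddress

# The two TXT records quoted in the post above.
AOL = ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 "
       "ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 "
       "ip4:64.12.138.0/24 ptr:mx.aol.com ?all")
GT = ("v=spf1 a mx ip4:64.69.64.0/24 ip4:64.180.111.209 ip4:64.180.111.210 "
      "ip4:64.180.111.212 -all")

# SPF qualifier prefix -> result; a term with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, sender_ip):
    """Return (result, matched_term) for sender_ip under one SPF record.

    Offline simplification (assumption): only ip4 and all are evaluated;
    DNS-dependent mechanisms (a, mx, ptr, include, ...) never match.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:          # mechanisms are tried left to right
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":           # always matches, so it ends evaluation
            return (QUALIFIERS[qualifier], term)
        if name == "ip4" and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return (QUALIFIERS[qualifier], term)
    return ("neutral", None)        # nothing matched and no "all" term


if __name__ == "__main__":
    for label, record in (("aol.com", AOL), ("gossamer-threads.com", GT)):
        for ip in ("64.69.64.10", "205.188.157.9", "203.0.113.5"):
            print(label, ip, evaluate(record, ip))
```

The unlisted sender comes back neutral under the ?all record and fail under the -all record, which is the difference the post describes.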
Re: [Alex] SPF and Email Profiles
Hi Alex.

It's more with respect to the following type of scenario:

Gossamer mail on domain.tld which has an SPF record (-all) published
GMail User sets up a profile with email address like user@yahoo.com
Now this would get marked?

Thanks
HyTC

==================================
Mail Me If Contacting Privately Is That Necessary.
==================================
Re: [HyperTherm] SPF and Email Profiles
Hi,

Yahoo doesn't have an spf record, so no, it would have no effect.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] SPF and Email Profiles
OK let me put it this way:

(1) GMail user sets up a profile as alex at gossamer-threads.com

(2) GMail user sets up a profile with domain.tld on the same server as Gossamer Mail and not a Gmail domain (in fact some other non gmail domain not belonging to user but on the same server and with an SPF record published).

With the above two cases, what I am trying to highlight is that the process of profile creation should have a validation built-in before the profile can be used by the gmail user. Till it's validated, it should be *Non Useable*. A validation mail goes to the profile email address and unless verified that email address is unavailable for use. So that at least alex at gossamer-threads.com does not receive bounce messages for mails not sent by Alex.

Currently I do not allow yahoo/hotmail/aol etc as being used in email profiles. It's a good feature when a user has multiple POP accounts on domains owned by Gmail user but not when it can be abused by setting up email addresses as above.

Thanks
HyTC

==================================
Mail Me If Contacting Privately Is That Necessary.
==================================
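One way the validation step proposed in the post above could work, as an added sketch (not Gossamer Mail code and not part of the post): a profile address stays unusable until a token mailed to that address is presented by the same user. ProfileStore, SECRET, TTL and the sample users and addresses are hypothetical names and constructed values.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-installation secret key
TTL = 24 * 3600                    # assumption: token lifetime in seconds


def _mac(user, address, expires):
    # Bind the token to the requesting user, the address and the expiry time.
    msg = f"{user}\n{address.lower()}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ProfileStore:
    """Hypothetical store: a profile address is unusable until confirmed."""

    def __init__(self):
        self.verified = set()      # confirmed (user, address) pairs

    def request(self, user, address, now=None):
        """Return the token to mail to `address`; it is never shown to `user`."""
        expires = int(time.time() if now is None else now) + TTL
        return f"{expires}.{_mac(user, address, expires)}"

    def confirm(self, user, address, token, now=None):
        """Mark the profile usable only if the token matches and is unexpired."""
        now = int(time.time() if now is None else now)
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:         # malformed token
            return False
        expected = _mac(user, address, expires)
        if hmac.compare_digest(mac.encode(), expected.encode()) and now <= expires:
            self.verified.add((user, address.lower()))
            return True
        return False

    def may_send_as(self, user, address):
        """Gate the outgoing From/envelope address on a confirmed profile."""
        return (user, address.lower()) in self.verified
```

Because the token only ever travels to the profile address, a user who cannot read that mailbox cannot complete the confirmation.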
Re: [HyperTherm] SPF and Email Profiles
Hi,

Ok, this isn't really related to SPF.

What you are asking is just to be able to validate the profile so a user can't enter in a bogus email address. We'll look at this in some more detail and see what's involved in adding it in.

SPF could help though, as if the mail server running Gossamer Mail was SPF enabled, it would reject emails sent via Gossamer Mail from users with bad profiles though. i.e. set up a profile of devnull@gossamer-threads.com and if your mail server is configured properly, when Gossamer Mail tries to send a message with an envelope header @gossamer-threads.com, your mail server should reject it.

Our experience has been SPF is not widely deployed. Many people publish SPF records, but few people actually check them.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] SPF and Email Profiles
Hi.

Another possibility of misuse/abuse of this feature in its present form:

Consider that one user (gossamer mail domain1) knows that there are five domains on which the service is running. He/she also knows the email address of a few other gossamer mail domain users. He/she creates a profile with email address of other user on same or other Gossamer mail domain and the abuse kicks off...

With spf record published, everything would look so genuine at the recipient's end but could land the admin's mail server into problems. Now that gossamer mail 3.0 is also in planning, this needs to be ironed out. There are other issues as well but more on this when GT formally calls for feature requests for the same. (Gossamer mail 3)

Thanks
HyTC
==================================
Mail Me If Contacting Privately Is That Necessary.
==================================