do you use SPF TXT RRs? (RFC4408)
Douglas Otis
dotis at mail-abuse.org
Tue Oct 5 14:43:23 UTC 2010
On 10/4/10 6:55 PM, Kevin Stange wrote:
> The most common situation where another host sends on your domain's
> behalf is a forwarding MTA, such as NANOG's mailing list. A lot of MTAs
> will only trust that the final MTA handling the message is a source
> host. In the case of a mailing list, that's NANOG's server. All
> previous headers are untrustworthy and could easily be forged. I'd bet
> few, if any, people have NANOG's servers listed in their SPF, and
> delivering a -all result in your SPF could easily cause blocked mail for
> anyone that drops hard failing messages.
Kevin,
nanog.org nor mail-abuse.org publish spf or txt records containing spf
content. If your MTA expects a message's MailFrom or EHLO be confirmed
using spf, then you will not receive this message, refuting "a lot of
MTAs ...".
This also confuses SPF with Sender-ID. SPF confirms the EHLO and
MailFrom, whereas Sender-ID confirms the PRA. However, the PRA
selection is flawed since it permits forged headers most consider to be
the originator. To prevent Sender-ID from misleading recipients or
failing lists such as nanog.org, replicate SPF version 2 records at the
same node declaring mfrom. This is required but doubles the DNS
payload. :^( Many consider -all to be an ideal, but this reduces
delivery integrity. MailFrom local-part tagging or message id
techniques can instead reject spoofed bounces without a reduction in
delivery integrity.
-Doug
More information about the NANOG
mailing list