[130499] in North American Network Operators' Group


Re: do you use SPF TXT RRs? (RFC4408)

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Oct 4 16:34:08 2010

From: Owen DeLong <owen@delong.com>
In-Reply-To: <4CAA0C00.6020106@mtcc.com>
Date: Mon, 4 Oct 2010 13:30:55 -0700
To: Michael Thomas <mike@mtcc.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>,
	Greg Whynott <Greg.Whynott@oicr.on.ca>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Oct 4, 2010, at 10:16 AM, Michael Thomas wrote:

> On 10/04/2010 10:05 AM, John Adams wrote:
>> We've seen percentage gains when signing with DK, and we carefully
>> monitor our mail acceptance percentages with ReturnPath. It's around
>> 4-6%. I'd like to stop using it, but some people still check DK.
>
> Sigh. I was hoping not to hear that. It's been about 5 years since
> the issue of rfc4871. It might be helpful to name and shame.
>
> Mike
>
At least in that case, the spammer has to have control of the sending domain.
SPF is not intended to protect from that case. It is intended to protect from the
case where spammers Joe-job domains they can't control.

Removing a few points probably isn't a bad idea so long as you have a list of
domains for which points should be added.

Owen

>>
>> -j
>>
>>
>> On Mon, Oct 4, 2010 at 10:02 AM, Michael Thomas <mike@mtcc.com> wrote:
>>> On 10/04/2010 09:54 AM, John Adams wrote:
>>>>
>>>> Without proper SPF records your mail stands little chance of making it
>>>> through some of the larger providers, like gmail, if you are sending
>>>> in any high volume. You should be using SPF, DK, and DKIM signing.
>>>
>>> There should really be no reason to sign with DK too. It's historic.
>>>
>>>> I don't really understand how your security company related SPF to DoS
>>>> though. They're unrelated, with the exception of backscatter.
>>>
>>> Me either.
>>>
>>> Mike
>>>
>>>>
>>>> -j
>>>>
>>>>
>>>> On Mon, Oct 4, 2010 at 9:47 AM, Greg Whynott <Greg.Whynott@oicr.on.ca> wrote:
>>>>>
>>>>> A partner had a security audit done on their site.  The report said they
>>>>> were at risk of a DoS due to the fact they didn't have a SPF record.
>>>>>
>>>>> I commented to his team that the SPF idea has yet to see anything near
>>>>> mass deployment and of the millions of emails leaving our environment
>>>>> yearly, I doubt any of them have ever been dropped due to us not having an
>>>>> SPF record in our DNS.  When a client's email doesn't arrive somewhere, we
>>>>> will hear about it quickly, and it's investigated/reported upon.  I'm
>>>>> not opposed to putting one in our DNS, and probably will now - for
>>>>> completeness/best practice sake..
>>>>>
>>>>> how many of you are using SPF records?  Do you have an opinion on their
>>>>> use/non use of?
>>>>>
>>>>> take care,
>>>>> greg
>>>>>
>>>
>


