[130531] in North American Network Operators' Group
Re: do you use SPF TXT RRs? (RFC4408)
daemon@ATHENA.MIT.EDU (Douglas Otis)
Tue Oct 5 10:43:46 2010
Date: Tue, 05 Oct 2010 10:43:23 -0400
From: Douglas Otis <dotis@mail-abuse.org>
To: nanog@nanog.org
In-Reply-To: <4CAA5B60.8000001@steadfast.net>
On 10/4/10 6:55 PM, Kevin Stange wrote:
> The most common situation where another host sends on your domain's
> behalf is a forwarding MTA, such as NANOG's mailing list. A lot of MTAs
> will only trust that the final MTA handling the message is a source
> host. In the case of a mailing list, that's NANOG's server. All
> previous headers are untrustworthy and could easily be forged. I'd bet
> few, if any, people have NANOG's servers listed in their SPF, and
> delivering a -all result in your SPF could easily cause blocked mail for
> anyone that drops hard failing messages.

Kevin,

Neither nanog.org nor mail-abuse.org publishes SPF or TXT records containing SPF
content. If your MTA expects a message's MailFrom or EHLO to be confirmed
using SPF, then you will not receive this message, refuting "a lot of
MTAs ...".

This also confuses SPF with Sender-ID. SPF confirms the EHLO and
MailFrom, whereas Sender-ID confirms the PRA. However, the PRA
selection is flawed since it permits forged headers most consider to be
the originator. To prevent Sender-ID from misleading recipients or
failing lists such as nanog.org, replicate SPF version 2 records at the
same node declaring mfrom. This is required but doubles the DNS
payload. :^( Many consider -all to be an ideal, but this reduces
delivery integrity. MailFrom local-part tagging or message-id
techniques can instead reject spoofed bounces without a reduction in
delivery integrity.

-Doug
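The MailFrom local-part tagging Doug mentions, as an added illustration that is not part of the thread: outbound mail is sent with a signed, expiring tag in the MailFrom local part, and a bounce (null-sender message) is accepted only if its RCPT TO carries a valid tag, so spoofed bounces are rejected without touching SPF policy. The `btag=` layout, key and lifetime below are assumptions made up for this example, not a standard format.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed for this example: the outbound signing key and tag lifetime.
SECRET_KEY = b"example-outbound-key-rotate-me"
TAG_LIFETIME = 7 * 86400   # a bounce must arrive within 7 days of sending


def _mac(local: str, domain: str, expiry: int, key: bytes) -> str:
    """Short HMAC binding the original address to its expiry time."""
    msg = f"{local}@{domain}:{expiry}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def tag_mailfrom(address: str, key: bytes = SECRET_KEY, now: Optional[int] = None) -> str:
    """Return the tagged MailFrom to use on an outbound message."""
    local, domain = address.rsplit("@", 1)
    now = int(time.time()) if now is None else now
    expiry = now + TAG_LIFETIME
    return f"btag={expiry}={_mac(local, domain, expiry, key)}={local}@{domain}"


def check_bounce_rcpt(rcpt: str, key: bytes = SECRET_KEY,
                      now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate the RCPT TO of a null-sender message.

    Returns (accept, original address) on success or (False, reason) otherwise.
    """
    local, domain = rcpt.rsplit("@", 1)
    parts = local.split("=", 3)          # btag, expiry, mac, original local part
    if len(parts) != 4 or parts[0] != "btag":
        return False, "untagged: we never sent with this MailFrom"
    _, exp_s, mac, orig_local = parts
    if not exp_s.isdigit():
        return False, "malformed tag"
    expiry = int(exp_s)
    now = int(time.time()) if now is None else now
    if now > expiry:
        return False, "expired tag"
    # Constant-time compare so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(mac, _mac(orig_local, domain, expiry, key)):
        return False, "bad signature: tag forged or key mismatch"
    return True, f"{orig_local}@{domain}"
```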