Re: [Asrg] What are the IPs that sends mail for a domain?

Ian Eiloart <> Tue, 30 June 2009 09:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2D39F3A6CE4 for <>; Tue, 30 Jun 2009 02:55:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sxPLidjenJbP for <>; Tue, 30 Jun 2009 02:55:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 166603A6AF6 for <>; Tue, 30 Jun 2009 02:55:43 -0700 (PDT)
Received: from ([]:52533) by with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.64) (envelope-from <>) id KM1Q90-000E60-69 for; Tue, 30 Jun 2009 10:55:48 +0100
Date: Tue, 30 Jun 2009 10:55:04 +0100
From: Ian Eiloart <>
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <>
Originator-Info: login-token=Mulberry:01vvpVTydbw7T/Z6mxKiAxb8jCJHJ2qSEgM2U=;
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Sussex: true
X-Sussex-transport: remote_smtp
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Jun 2009 09:55:45 -0000

--On 29 June 2009 13:36:00 -0400 Bill Cole <> 

>> There is, actually. If you publish SPF records with a strong -all, then
>> recipients can easily decide to reject (not bounce) messages. Add DKIM
>> signatures, and they'll be able to tell when someone has forwarded your
>> legitimate email.
> Do you have any evidence that this actually works to any detectable
> degree?
> I have solid proof that it is far from perfect, but I only have a handful
> of addresses that ever had significant bogus bounce flow in the one
> domain I could safely use in a SPF '-all' effectiveness test. The first 5
> years of that test have shown a slow drop in the rate of bad bounces in
> general offered to that domain, but it isn't much more proportionally
> than the drop from a dribble to a trickle that I've seen for a domain
> with no SPF record. The noise in my minuscule and weakly controlled data
> makes it quantitatively worthless, but on a qualitative basis it makes
> clear that strong SPF records are not yet a strong universal tool for
> preventing blowback bounces.
> If you are aware of SPF being any more useful than prayer at controlling
> blowback, please share it.

Well, my claim is a theoretical one, and perhaps a hope for the future. It 
probably isn't yet effective. I do believe that it will be one day.

However, I do believe that people should take SPF records into account when 
deciding whether to generate bounce messages. It should not be a problem if 
there's a positive SPF or DKIM match. You shouldn't do it if there's an SPF 
fail. It's harder to decide what to do in the absence of SPF, or a neutral 
or softfail result.

I'd suggest that to drive up adoption of SPF, don't bounce for a neutral or 
softfail result (instead give a 5xx error), but (this will be 
controversial) feel free to bounce into domains that aren't trying to help 
- ie domains that don't publish SPF records at all. (ducks).

Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see