Re: [spfbis] Clarity on location of SPF records

Danie de Jager <danie.dejager@za.striata.com> Tue, 16 September 2014 19:35 UTC

MIME-Version: 1.0
Received: by 10.220.158.198 with HTTP; Tue, 16 Sep 2014 12:35:00 -0700 (PDT)
In-Reply-To: <CAC6Wms5U7GaSyULibDJTjm45VM-4vUJk=7x2cv0McrF4_3U48g@mail.gmail.com>
References: <CAC6Wms59cN0+v87dL69o10uZ7B5TnmbiX6WZf7J9C+vE11PgDw@mail.gmail.com> <CAC6Wms5U7GaSyULibDJTjm45VM-4vUJk=7x2cv0McrF4_3U48g@mail.gmail.com>
From: Danie de Jager <danie.dejager@za.striata.com>
Date: Tue, 16 Sep 2014 21:35:00 +0200
Message-ID: <CAC6Wms47oMPJc1w5qaiAr=PKYwMRS3qjbb5sHXSAOaic-sOaiw@mail.gmail.com>
To: spfbis@ietf.org
Content-Type: multipart/alternative; boundary="047d7b34331e1209d2050333da0f"
Archived-At: http://mailarchive.ietf.org/arch/msg/spfbis/AQu7c3IuGFuNS_gu_RUhChNy2f4
Subject: Re: [spfbis] Clarity on location of SPF records

I was reading an article on the forum called "too many includes". My
investigation was triggered by a client who has too many includes, which to
me seems to mean that they are adding their SPF records in the wrong place. (The
investigation turned into a debate with no concrete answers and I took it
on myself to revert back to the source.)
http://www.ietf.org/mail-archive/web/spfbis/current/msg04233.html
From there Scott Kitterman states:
"Super huge providers like Hotmail are able to (mostly) able publish
compliant records.  If they can do it, I have a hard time believing it's a
problem that needs more than education to solve."

Maybe this is one of the reasons SPF records get too many includes, they're
all combined and added to the wrong DNS entry on the top level.

I'm sure in most configurations having an SPF record in your top domain (
example.com) will be fine, but as soon as multiple ESPs (esp1.example.com
and esp2.example.com) are involved for that said domain, confusion can creep
in.

  *Danie de Jager*
*Striata Operational Support - Team Leader*  *Office:* +27 11 5309600  *Striata
on:* Twitter <https://twitter.com/striata> | LinkedIn
<http://www.linkedin.com/company/striata> | Facebook
<https://www.facebook.com/striata.innovation> | www.striata.com


On 16 September 2014 20:59, Danie de Jager <danie.dejager@za.striata.com>
wrote:

> I believe what confused me is that I'm still thinking of the previous
> RFC4408.
>
> 3.1 <http://tools.ietf.org/html/rfc4408#section-3.1>.  Publishing
>
>    Domain owners wishing to be SPF compliant must publish SPF records
>    for the hosts that are used in the "MAIL FROM" and "HELO" identities.
>    The SPF records are placed in the DNS tree at the host name it
>    pertains to, not a subdomain under it, such as is done with SRV
>    records.  This is the same whether the TXT or SPF RR type (see
>    Section 3.1.1 <http://tools.ietf.org/html/rfc4408#section-3.1.1>) is used.
>
>    The example above in Section 3 <http://tools.ietf.org/html/rfc4408#section-3> might be published via these lines in
>    a domain zone file:
>
>       example.com.          TXT "v=spf1 +mx a:colo.example.com/28 -all"
>       smtp-out.example.com. TXT "v=spf1 a -all"
>
>
>   *Danie de Jager*
> *Striata Operational Support - Team Leader*  *Office:* +27 11 5309600  *Striata
> on:* Twitter <https://twitter.com/striata> | LinkedIn
> <http://www.linkedin.com/company/striata> | Facebook
> <https://www.facebook.com/striata.innovation> | www.striata.com
>
>
> On 16 September 2014 13:27, Danie de Jager <danie.dejager@za.striata.com>
> wrote:
>
>> Hi,
>>
>> I need clarity with the possible location of the SPF record.
>>
>> As example. If I have a domain abc.123.example.com with a MX record of
>> mail1.abc.123.example.com and mail2.abc.123.example.com there must be a
>> SPF record for:
>> mail1.abc.123.example.com to allow only its own A record
>> mail2.abc.123.example.com to allow only its own A record
>> and
>> abc.123.example.com to allow the 2 MX records.
>>
>> or should all the records be entered at example.com? (which performs a
>> completely different function using other mail servers and will have its
>> own set of SPF rules)
>>
>> The RFC uses:
>>    <domain> - the domain portion of the "MAIL FROM" or "HELO" identity.
>>
>> Does <domain> always equal only to a fully qualified domain name?
>>
>> I'm investigating SPF records of some institutions that I believe are
>> wrong. All their SPF records are included only in their top domain.
>>
>> Regards,
>> Danie de Jager
>>
>
>
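The following is an added example, not part of the thread or of the RFCs it cites. It is a small SPF evaluator run against a constructed, in-memory zone (all names and addresses below are made up; only the two records from the quoted RFC 4408 section 3.1 example are taken from the thread). It shows the two points under discussion: the record consulted is the one at exactly the <domain> of the MAIL FROM or HELO identity, with no walking up the DNS tree (so a record at example.com says nothing about mail from abc.123.example.com, and a name with no record yields "none"), and a record that piles every provider into one name can exceed the 10-lookup limit of RFC 7208 section 4.6.4, which turns the whole record into "permerror". Only the mechanisms needed for the illustration (all, ip4, a, mx, include) are implemented.

```python
"""Minimal SPF evaluator over a constructed in-memory zone (added example).

Demonstrates that SPF consults the TXT record at exactly the queried <domain>
(no walking up the tree) and that more than 10 DNS-lookup mechanisms
(include/a/mx, RFC 7208 section 4.6.4) make the whole record a permerror.
"""
import ipaddress

# Constructed zone (hypothetical names and addresses): owner name -> {rrtype: [rdata]}
ZONE = {
    # The RFC 4408 section 3.1 example quoted in the thread, with made-up hosts behind it.
    "example.com.": {"TXT": ["v=spf1 +mx a:colo.example.com/28 -all"],
                     "MX": ["mx.example.com."]},
    "mx.example.com.": {"A": ["192.0.2.5"]},
    "colo.example.com.": {"A": ["192.0.2.16"]},          # /28 covers 192.0.2.16-31
    "smtp-out.example.com.": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.40"]},
    # The layout asked about in the thread: a deep subdomain with its own MX hosts.
    "abc.123.example.com.": {"TXT": ["v=spf1 mx -all"],
                             "MX": ["mail1.abc.123.example.com.",
                                    "mail2.abc.123.example.com."]},
    "mail1.abc.123.example.com.": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.10"]},
    "mail2.abc.123.example.com.": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.11"]},
    "123.example.com.": {"A": ["192.0.2.99"]},           # deliberately no SPF record
}
# "Too many includes": one name pulling in ten providers (fine) versus eleven (too many).
for i in range(1, 12):
    ZONE[f"esp{i}.example.com."] = {"TXT": [f"v=spf1 ip4:198.51.100.{i} -all"]}
ZONE["ten.example.com."] = {"TXT": ["v=spf1 " + " ".join(
    f"include:esp{i}.example.com" for i in range(1, 11)) + " -all"]}
ZONE["eleven.example.com."] = {"TXT": ["v=spf1 " + " ".join(
    f"include:esp{i}.example.com" for i in range(1, 12)) + " -all"]}

MAX_LOOKUPS = 10                      # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Fake resolver: an exact-name query against ZONE, nothing else."""
    name = name if name.endswith(".") else name + "."
    return ZONE.get(name.lower(), {}).get(rrtype, [])


def spf_record(domain):
    """The single v=spf1 TXT record at exactly this name; zero or several -> no usable record."""
    txts = [t for t in lookup(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    return txts[0] if len(txts) == 1 else None


def a_match(ip, spec, default_domain):
    """'a' mechanism: a[:domain][/prefix], e.g. a:colo.example.com/28."""
    host, _, prefix = spec.partition("/")
    host = host or default_domain
    for addr in lookup(host, "A"):
        net = ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
        if ip in net:
            return True
    return False


def _check(ip, domain, counter):
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):         # the mechanisms that cost a DNS lookup
            counter["lookups"] += 1
            if counter["lookups"] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = a_match(ip, arg, domain)
        elif name == "mx":
            # The A queries for each MX host fall under a separate cap (10 MX names), not counted here.
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            sub = _check(ip, arg, counter)
            if sub in ("permerror", "none"):       # including a name with no record is a permerror
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"                     # mechanism not implemented in this toy
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                               # record ran out without a match


def check_host(ip, domain):
    """Evaluate <ip> against the SPF record at exactly <domain>; returns (result, lookups used)."""
    counter = {"lookups": 0}
    return _check(ipaddress.ip_address(ip), domain, counter), counter["lookups"]


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "abc.123.example.com"), ("192.0.2.10", "123.example.com"),
                    ("192.0.2.10", "example.com"), ("192.0.2.20", "example.com"),
                    ("203.0.113.9", "ten.example.com"), ("203.0.113.9", "eleven.example.com")]:
        print(f"{ip:>12} from {dom:<24} -> {check_host(ip, dom)}")
```

Running it shows 192.0.2.10 passing for abc.123.example.com (via its own mx record) but failing against example.com's record, and yielding "none" for 123.example.com, which has no record at that exact name; the ten-include record evaluates normally while the eleven-include one returns permerror on the eleventh lookup.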