Re: [spfbis] guidance on SPF record locations

Scott Kitterman <spf2@kitterman.com> Tue, 28 April 2020 20:41 UTC

From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Tue, 28 Apr 2020 16:41:07 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/Gbybug5nGWUCqr6-CwClJnUnRTI>

On Tuesday, April 28, 2020 1:28:27 PM EDT Danie de Jager wrote:
> Hi,
> 
> Our best practise is to add a SPF record to all DNS zones, to either
> allow or block the sending of email from that Domain name. This can
> create issues when adding SPF records to DKIM selectors so that they
> are included. What do you think? Should some domains not have SPF
> records?
> 
> Sending domains used:
> example.com.   IN TXT  "v=spf1 ip4:192.0.2.1 ip4:192.0.2.129 -all"
> 
> Domain not sending email.
> www.example.com.   IN TXT  "v=spf1 -all"
> ftp.example.com.   IN TXT  "v=spf1 -all"
> 
> Possible problem domain:
> selector._domainkey.example.com    IN TXT  "v=DKIM1; p=yourPublicKey"
> selector._domainkey.example.com    IN TXT   "v=spf1 -all"

It's not a problem:

1.  You can have more than one DNS record of type TXT, so publishing that SPF 
record doesn't hurt anything.

2.  Underscored domain names aren't valid host names so they can't be used in 
mail or for most anything else, so publishing that SPF record isn't necessary.

Scott K
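
Added example, not part of the original message or of any SPF implementation: a Python sketch of the two points in the reply, using the records quoted above as constructed input. It applies the SPF record-selection rule from RFC 7208 section 4.5 to a TXT RRset that also holds a DKIM key, and checks each owner name against the letter-digit-hyphen host name syntax. The function names and the ZONE dictionary are assumptions made for this illustration.

```python
import re

# One host name label: letters, digits and hyphens, 1 to 63 characters,
# not starting or ending with a hyphen. Underscore is not permitted.
_LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(name):
    """True if every label of the DNS name follows host name (LDH) syntax."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LDH_LABEL.fullmatch(label) for label in name.split("."))


def select_spf(txt_rrset):
    """SPF record selection over all TXT strings published at one name.

    Records that do not begin with the version section "v=spf1" (ended by
    a space or the end of the record) are discarded. No record left gives
    "none"; more than one left gives "permerror".
    """
    spf = [r for r in txt_rrset
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return ("none", None)
    if len(spf) > 1:
        return ("permerror", None)
    return ("selected", spf[0])


# Constructed sample zone built from the records quoted in the message.
ZONE = {
    "example.com.": ["v=spf1 ip4:192.0.2.1 ip4:192.0.2.129 -all"],
    "www.example.com.": ["v=spf1 -all"],
    "selector._domainkey.example.com.": ["v=DKIM1; p=yourPublicKey",
                                         "v=spf1 -all"],
}


def audit(zone):
    """Map each owner name to (valid host name?, SPF selection result)."""
    return {name: (is_valid_hostname(name), select_spf(rrset))
            for name, rrset in zone.items()}


if __name__ == "__main__":
    for owner, (usable, spf) in audit(ZONE).items():
        print(f"{owner:35} hostname_ok={usable!s:5} spf={spf}")
```

This models the SPF side only; how a DKIM verifier treats the extra TXT record at the selector name is not modelled here.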