[colug-432] SPF and other stuff for personal domains

Rick Troth rmt at casita.net
Mon Feb 13 10:26:12 EST 2017


On 02/09/2017 10:30 AM, Angelo McComis wrote:
>
> Rob Stampfli has an email domain of cboh.org <http://cboh.org>.
>
> My domain is hosted on google, so I checked, and only Rob's message
> about gracefully doing nothing showed up in the spam. And it tells me
> why:  Gmail thinks the message is spoofed.  Why does it think that? 
> Because cboh.org <http://cboh.org> has a command in their SPF record
> that says if the message comes from my domain, but doesn't come from a
> host that is listed as one of its (cboh.org <http://cboh.org>'s) own
> servers, as listed in their MX records, reject it.

I also outsource to Googoo for email. (see "Google Services" below) Even
given the present pain, their filtering is better than most and far
better than I could do on my own.

Even so, some mail from me gets filtered. (Or maybe I talk too much and
my friends get tired of replying?)


> A la: 
>
> #> nslookup set type=txt
>
> cboh.org <http://cboh.org>        text =
>
>         "v=spf1 mx -all"

I've used SPF <https://en.wikipedia.org/wiki/Sender_Policy_Framework>
since before going Google. Lately I wasn't sure it was being used as
much (having fallen to DKIM on the hotness scale; everybody's into the
latest shiny thing w/r/t security). In particular, "SPF" was introduced
as a DNS record type, and lately it seems we're having to go back to TXT
records for SPF work <https://tools.ietf.org/html/rfc7208#section-3.1>.
Meh.


> Notice the "-all" --- that is the hard fail command.  Mail processors
> are welcome / encouraged to fail this message.
>
> I'm not picking on Rob, by any means. But, when you send email that's
> likely to go through a list that acts as a re-mailer, this -all can
> cause problems.

But if I'm reading it right, any sender which is also recognized as a
receiver would be okay. Right?

My SPF record shared here for sake of discussion ...

    [blank]  IN  TXT  "v=spf1 a aaaa mx ip4:198.178.231.250
    ip4:174.105.80.118 include:_netblocks.google.com
    include:aspmx.googlemail.com include:_spf.google.com ~all"


Watch out for line wrap. Breakout in the next few paragraphs.

The leading blank is because the TXT record follows the SOA record after
NS and MX records. So the SPF record inherits the assignment from the
SOA record. (It's for the whole domain.)

v=spf1
identifies this TXT record for use with SPF and not some other purposes

a and aaaa
means (I think) that any sender with an A or AAAA record in my domain is
okay

mx
means that any sender which would also be a receiver (a mail exchanger)
is okay

ip4:198.178.231.250
ip4:174.105.80.118
mean that 198.178.231.250 and 174.105.80.118 are explicitly okay as senders
And here I really should add some IP6 entries since I claim to be so
fond of IPv6. But how long can a TXT record be? Or can we have multiple
TXT records serving SPF? This particular mechanism maybe doesn't scale
as well as the others.

include:_netblocks.google.com
include:aspmx.googlemail.com
include:_spf.google.com
more Googoo stuff
Gotta go back and read the details of what they're doing and how it
affects what I gotta do for SPF.

~all
soft fail all other senders
Methinks this would be a problem for traditional email exploders (a
multi-recipient alias relay in Postfix).


> Combine that failure with DKIM signing - which also gets blown up
> because colug's listserv adds a header (which means the DKIM signature
> no longer matches), and suddenly you start looking "spammy"
>
> Recommendation:  If you run your own domain (a lot of us do), check
> your SPF record in DNS, and consider changing to ~all or ?all rather
> than -all.
>
> ~Angelo

Hence this thread fork. I put "~all" and I'm not sure if maybe I should
use "?all" instead. Whadaya think?

More interesting (to me) is whether or not I have IP4 and IP6 and MX
values set correctly.


About Google services:
Skippy turned me on to Google "Apps for Domains". The single biggest
value we get from it is email filtering. It's handy also that
"rmt at casita.net" is a Google ID for various other things.

At the time I got into it, they allowed up to ten mailboxes at no
charge. It appears that casita.net is grandfathered into that which is
no longer offered. A year or two later, my son bought a domain and we
tried to set it up for Googoo apps. We were only able to get a one-month
intro. Bummer.

They still support IMAP, XMPP, and other goodness.


About shiny things and security:
Russ has called me down for being a stick-in-the-mud about some kinds of
sec tech. It's always a re-analysis ... how much is objection based on
principle and how much is learning curve laziness?

DKIM <https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail> is
crypto. I /love/ crypto. I /don't/ love exclusive trust or exclusionary
methods.
So the beautiful thing about DKIM is receiving systems go back to the
supposed sender for verification, "did you send this?" (not in so many
words). No need for a third party like with PKI.

Question: can I use DKIM with Postfix? or even with Sendmail? Or what
MTA do y'all use?
Today, I get DKIM for free from Google. The day will come when I no
longer lean on Google. (As I've always said, I use them but I don't
trust them. Their "don't be evil" mantra is easily redefined.)

The DKIM working group chair is (was) Barry Lieba
<https://en.wikipedia.org/wiki/Barry_Leiba>. (Mark Delany invented it.
Others helped. Barry herded the cats.) Interesting to see people that
you know personally from years ago now working on something really cool.
Barry's involvement gives the project high marks because my long-time
impression of Barry is that he has a clue. Unlike other developments,
DKIM /itself/ doesn't break anything. Ahhh.......


-- R; <><
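Added example, not from the post or any project: a minimal Python evaluator that walks the mechanisms described above against a constructed in-memory DNS table (the casita.net record is shortened to one include, and all addresses and hosts are made up). It treats the post's `aaaa` as an alias of `a`, since RFC 7208 defines no `aaaa` mechanism, and it shows why the `-all` record quoted from cboh.org fails once a list server relays the message from its own address.

```python
import ipaddress

# Constructed, offline stand-in for DNS (no real lookups). casita.net's record
# is a shortened form of the one in the post; every address and MX host below
# is made up for the example (RFC 5737 documentation ranges).
DNS = {
    "casita.net": {"TXT": ["v=spf1 a aaaa mx ip4:198.178.231.250 "
                           "ip4:174.105.80.118 include:_spf.google.com ~all"],
                   "A": ["198.51.100.10"], "MX": ["mx1.casita.net"]},
    "mx1.casita.net": {"A": ["203.0.113.25"]},
    "_spf.google.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "cboh.org": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.cboh.org"]},
    "mail.cboh.org": {"A": ["203.0.113.99"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def addrs_of(host):
    return {ipaddress.ip_address(a) for a in lookup(host, "A") + lookup(host, "AAAA")}

def check_spf(ip, domain, depth=0):
    """Walk domain's SPF terms left to right; the first matching mechanism's
    qualifier is the result. No match at all yields 'neutral' (RFC 7208 4.7)."""
    if depth > 10:                       # include: recursion guard (RFC 7208 4.6.4)
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:                # zero records: none; two or more: permerror
        return "none" if not records else "permerror"
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"   # bare mechanism means '+'
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("a", "aaaa"):        # 'aaaa' tolerated as alias of 'a' (see lead-in)
            matched = sender in addrs_of(arg or domain)
        elif name == "mx":               # any MX host's address counts as a sender
            matched = any(sender in addrs_of(mx) for mx in lookup(arg or domain, "MX"))
        elif name in ("ip4", "ip6"):     # single address or CIDR block
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "include":          # matches only if the included record passes
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:                            # ptr/exists/modifiers not modelled here
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

On the multiple-records question raised above: a name publishing two `v=spf1` TXT records is a permerror under RFC 7208 section 4.5, not a union, so extra `ip6:` entries go into the single record, which may be split into several 255-byte strings that receivers concatenate (section 3.3).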