[colug-432] SPF and other stuff for personal domains
Rob Stampfli
rob944 at cboh.org
Mon Feb 13 14:34:51 EST 2017
On Mon, Feb 13, 2017 at 10:26:12AM -0500, Rick Troth wrote:
> I've used SPF <https://en.wikipedia.org/wiki/Sender_Policy_Framework>
> since before going Google. Lately I wasn't sure it was being used as
> much (having fallen to DKIM on the hotness scale; everybody's into the
> latest shiny thing w/r/t security). In particular, "SPF" was introduced
> as a DNS record type, and lately it seems we're having to go back to TXT
> records for SPF work <https://tools.ietf.org/html/rfc7208#section-3.1>.
> Meh.
I believe DMARC is the current standard which most of the big guys use.
It leverages SPF with DKIM to make a reasonable effort at determining
the authenticity of a piece of email. DMARC credentials are specified
in a DNS TXT record, but under the subdomain "_dmarc" (i.e.,
_dmarc.cboh.org). (This is really how SPF *should* have been set up as
well. Initially, they applied for and got a new "SPF" DNS record, but
the issuing body apparently had second thoughts because SPF records are
now deprecated and you are encouraged to use simple TXTs instead.)
DMARC has its own arguments for determining the disposition of a message
that fails its tests. By default, both SPF and DKIM are used to verify
a piece of email and if *either* passes, the email is judged legit.
(Thus, a message can pass DMARC and be considered genuine even if it
fails SPF and SPF has it marked to reject.) This algorithm works in
most situations, but with list servers it fails because (1) the list
email typically comes from an invalid server with respect to the author's
domain (resulting in an SPF failure) and (2) it almost certainly has been
altered, however slightly, by the listserver between its reception and
re-transmission (a DKIM failure).
> > Notice the "-all" --- that is the hard fail command. Mail processors
> > are welcome / encouraged to fail this message.
> >
> > I'm not picking on Rob, by any means. But, when you send email that's
> > likely to go through a list that acts as a re-mailer, this -all can
> > cause problems.
>
> But if I'm reading it right, any sender which is also recognized as a
> receiver would be okay. Right?
My SPF specifies that any server that is allowed to receive cboh.org
email is also allowed to originate it, which pretty handily describes
my set-up. COLUG is the only list I belong to where my DMARC/SPF/DKIM
configurations pose a problem, so I am reluctant to change them because
any changes cannot be done in a vacuum and doing so would affect other
aspects of my email handling and security (previously discussed).
I suppose I could add the COLUG email server to my list of SPF-approved
domains for originating cboh.org emails, but that seems like a giant
kludge. Hence, this message will likely wind up only being seen by a
small percentage of you.
Rob
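The evaluation Rob describes above (DMARC passes if either an aligned SPF check or an aligned DKIM signature passes, and a re-mailing list typically breaks both) can be seen in a few lines of Python. This is an added example, not code from the post or from cboh.org; the domains example.org and lists.example.net, the 192.0.2.x/198.51.100.x addresses, and the DNS records in DNS_TXT/DNS_MX_IPS are constructed stand-ins, and the SPF grammar is reduced to "mx", "ip4:" and "all".

```python
"""Simplified DMARC evaluation over SPF and DKIM results (added example).

Everything in DNS_TXT / DNS_MX_IPS is constructed: example.org and
lists.example.net are documentation domains, not real mail systems.
"""
import ipaddress

# Constructed DNS data standing in for real TXT and MX lookups (assumption).
DNS_TXT = {
    "example.org": "v=spf1 mx -all",             # same shape as the post's "mx -all" policy
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=r; aspf=r",
}
DNS_MX_IPS = {"example.org": {"192.0.2.25"}}    # addresses of example.org's MX hosts


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    (A real implementation consults the Public Suffix List.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=r' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_check(domain, sender_ip):
    """Evaluate a reduced SPF grammar: 'mx', 'ip4:<net>' and 'all' with qualifiers."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                            # no SPF policy published
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        matched = False
        if mech == "mx":
            matched = sender_ip in DNS_MX_IPS.get(domain, set())
        elif mech.startswith("ip4:"):
            matched = ipaddress.ip_address(sender_ip) in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        if matched:
            return results[qualifier]           # first matching mechanism wins
    return "neutral"


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, sender_ip, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    DMARC passes if EITHER an aligned SPF pass or an aligned DKIM pass
    exists; an SPF '-all' failure alone does not reject the message when
    DKIM still verifies.  The disposition is the published p= tag only
    on failure.
    """
    policy = parse_dmarc(DNS_TXT.get("_dmarc." + from_domain, ""))
    if policy.get("v") != "DMARC1":
        return "none", "none"
    spf_ok = (spf_check(mail_from_domain, sender_ip) == "pass"
              and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


def direct_mail():
    # Sent from the domain's own MX host with an intact DKIM signature.
    return dmarc_evaluate("example.org", "example.org", "192.0.2.25", "pass", "example.org")


def via_list_server():
    # Re-mailed by a list: the list's bounce domain in MAIL FROM, the list's
    # own IP, and DKIM broken by the footer or subject tag the list added.
    return dmarc_evaluate("example.org", "lists.example.net", "198.51.100.7", "fail", "example.org")


def dkim_survives_list():
    # A list that leaves headers and body untouched: SPF still fails, but
    # the aligned DKIM pass alone carries DMARC.
    return dmarc_evaluate("example.org", "lists.example.net", "198.51.100.7", "pass", "example.org")


if __name__ == "__main__":
    for name, check in [("direct", direct_mail), ("list, DKIM broken", via_list_server),
                        ("list, DKIM intact", dkim_survives_list)]:
        print(f"{name:18s} -> result={check()[0]}, disposition={check()[1]}")
```

The third scenario is the usual workaround on the list side (sign-preserving relaying, or rewriting From: to the list's domain so the list's own DKIM signature aligns); adding the list server to one's own SPF record, as the post considers, only fixes SPF for that one list and still leaves DKIM broken whenever the list modifies the body.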