<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/09/2017 10:30 AM, Angelo McComis
wrote:<br>
</div>
<blockquote
cite="mid:CAK1KucSjr4KKTsYw9=2AKvt_Dr0LanK1QvAGv7RKLS58vRTPQA@mail.gmail.com"
type="cite">
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">Rob
Stampfli has an email domain of <a moz-do-not-send="true"
href="http://cboh.org">cboh.org</a>.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">My
domain is hosted on google, so I checked, and only Rob's message
about gracefully doing nothing showed up in the spam. And it
tells me why: Gmail thinks the message is spoofed. Why does it
think that? Because <a moz-do-not-send="true"
href="http://cboh.org">cboh.org</a> has a command in their SPF
record that says if the message comes from my domain, but
doesn't come from a host that is listed as one of its (<a
moz-do-not-send="true" href="http://cboh.org">cboh.org</a>'s)
own servers, as listed in their MX records, reject it.</div>
</blockquote>
<br>
I also outsource to Googoo for email. (see "Google Services" below)
Even given the present pain, their filtering is better than most and
far better than I could do on my own. <br>
<br>
Even so, some mail from me gets filtered. (Or maybe I talk too much
and my friends get tired of replying?) <br>
<br>
<br>
<blockquote
cite="mid:CAK1KucSjr4KKTsYw9=2AKvt_Dr0LanK1QvAGv7RKLS58vRTPQA@mail.gmail.com"
type="cite">
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">A
la: </div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">#>
nslookup -type=txt cboh.org</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif"><a moz-do-not-send="true" href="http://cboh.org">cboh.org</a>
text =</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif"><br>
</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif"> "v=spf1 mx -all"</font></div>
</div>
</blockquote>
<br>
I've used <a
href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">SPF</a>
since before going Google. Lately I wasn't sure it was being used as
much (having fallen to DKIM on the hotness scale; everybody's into
the latest shiny thing w/r/t security). In particular, "SPF" was
introduced as a DNS record type, and lately it seems we're <a
href="https://tools.ietf.org/html/rfc7208#section-3.1">having to
go back to TXT records for SPF work</a>. Meh. <br>
<br>
<br>
<blockquote
cite="mid:CAK1KucSjr4KKTsYw9=2AKvt_Dr0LanK1QvAGv7RKLS58vRTPQA@mail.gmail.com"
type="cite">
<div class="gmail_default">
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif">Notice the "-all" --- that is the hard fail
command. Mail processors are welcome / encouraged to fail
this message.</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif"><br>
</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif">I'm not picking on Rob, by any means. But, when
you send email that's likely to go through a list that acts
as a re-mailer, this -all can cause problems.</font></div>
</div>
</blockquote>
<br>
But if I'm reading it right, any sender which is also recognized as
a receiver would be okay. Right? <br>
<br>
My SPF record shared here for sake of discussion ... <br>
<br>
<blockquote><font face="Courier New, Courier, monospace">[blank]
IN TXT "v=spf1 a aaaa mx ip4:198.178.231.250
ip4:174.105.80.118 include:_netblocks.google.com
include:aspmx.googlemail.com include:_spf.google.com ~all"</font><br>
</blockquote>
<br>
Watch out for line wrap. Breakout in the next few paragraphs. <br>
<br>
The leading blank is because the TXT record follows the SOA record
after NS and MX records. So the SPF record inherits the assignment
from the SOA record. (It's for the whole domain.) <br>
<br>
<font face="Courier New, Courier, monospace">v=spf1</font> <br>
identifies this TXT record for use with SPF and not some other
purposes <br>
<br>
<font face="Courier New, Courier, monospace">a</font> and <font
face="Courier New, Courier, monospace">aaaa</font> <br>
means (I think) that any sender with an A or AAAA record in my
domain is okay <br>
<br>
<font face="Courier New, Courier, monospace">mx</font> <br>
means that any sender which would also be a receiver (a mail
exchanger) is okay <br>
<br>
<font face="Courier New, Courier, monospace">ip4:198.178.231.250</font>
<br>
<font face="Courier New, Courier, monospace">ip4:174.105.80.118</font>
<br>
mean that 198.178.231.250 and 174.105.80.118 are explicitly okay as
senders <br>
And here I really should add some IP6 entries since I claim to be so
fond of IPv6. But how long can a TXT record be? Or can we have
multiple TXT records serving SPF? This particular mechanism maybe
doesn't scale as well as the others. <br>
<br>
<font face="Courier New, Courier, monospace">include:_netblocks.google.com</font>
<br>
<font face="Courier New, Courier, monospace">include:aspmx.googlemail.com</font>
<br>
<font face="Courier New, Courier, monospace">include:_spf.google.com</font>
<br>
more Googoo stuff <br>
Gotta go back and read the details of what they're doing and how it
affects what I gotta do for SPF. <br>
<br>
<font face="Courier New, Courier, monospace">~all</font> <br>
soft fail all other senders <br>
Methinks this would be a problem for traditional email exploders (a
multi-recipient alias relay in Postfix). <br>
<br>
<br>
<blockquote
cite="mid:CAK1KucSjr4KKTsYw9=2AKvt_Dr0LanK1QvAGv7RKLS58vRTPQA@mail.gmail.com"
type="cite">
<div class="gmail_default">
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif">Combine that failure with DKIM signing - which
also gets blown up because colug's listserv adds a header
(which means the DKIM signature no longer matches), and
suddenly you start looking "spammy"</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif"><br>
</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif">Recommendation: If you run your own domain (a
lot of us do), check your SPF record in DNS, and consider
changing to ~all or ?all rather than -all.</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif"><br>
</font></div>
<div class="gmail_default"><font color="#330033" face="verdana,
sans-serif">~Angelo</font></div>
</div>
</blockquote>
<br>
Hence this thread fork. I put "<font face="Courier New, Courier,
monospace">~all</font>" and I'm not sure if maybe I should use "<font
face="Courier New, Courier, monospace">?all</font>" instead.
Whadaya think? <br>
<br>
More interesting (to me) is whether or not I have IP4 and IP6 and MX
values set correctly. <br>
<br>
<br>
About Google services: <br>
Skippy turned me on to Google "Apps for Domains". The single biggest
value we get from it is email filtering. It's handy also that "<font
face="Courier New, Courier, monospace"><a class="moz-txt-link-abbreviated" href="mailto:rmt@casita.net">rmt@casita.net</a></font>" is a
Google ID for various other things. <br>
<br>
At the time I got into it, they allowed up to ten mailboxes at no
charge. It appears that <font face="Courier New, Courier,
monospace">casita.net</font> is grandfathered into that which is
no longer offered. A year or two later, my son bought a domain and
we tried to set it up for Googoo apps. We were only able to get a
one-month intro. Bummer. <br>
<br>
They still support IMAP, XMPP, and other goodness. <br>
<br>
<br>
About shiny things and security: <br>
Russ has called me down for being a stick-in-the-mud about some
kinds of sec tech. It's always a re-analysis ... how much is
objection based on principle and how much is learning curve
laziness? <br>
<br>
<a href="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">DKIM</a>
is crypto. I <i>love</i> crypto. I <i>don't</i> love exclusive
trust or exclusionary methods. <br>
So the beautiful thing about DKIM is receiving systems go back to
the supposed sender for verification, "did you send this?" (not in
so many words). No need for a third party like with PKI. <br>
<br>
Question: can I use DKIM with Postfix? or even with Sendmail? Or
what MTA do y'all use? <br>
Today, I get DKIM for free from Google. The day will come when I no
longer lean on Google. (As I've always said, I use them but I don't
trust them. Their "don't be evil" mantra is easily redefined.) <br>
<br>
The DKIM working group chair is (was) <a
href="https://en.wikipedia.org/wiki/Barry_Leiba">Barry Leiba</a>.
(Mark Delany invented it. Others helped. Barry herded the cats.)
Interesting to see people that you know personally from years ago
now working on something really cool. Barry's involvement gives the
project high marks because my long-time impression of Barry is that
he has a clue. Unlike other developments, DKIM <i>itself</i>
doesn't break anything. Ahhh....... <br>
<br>
<br>
-- R; &lt;&gt;&lt;<br>
<br>
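Added example, mine rather than anything from the thread: the body-hash half of DKIM (RFC 6376), with "relaxed" body canonicalization and the bh= computation written out, run over a constructed message body and a constructed list footer. It shows that relaxed canonicalization survives whitespace reflow, that a footer appended by a re-mailer changes bh= so the signature no longer verifies, and that a signer who sets the l= body-length tag lets the footer through, at the price that everything after the signed length is unsigned and could be anyone's text. A header field added by the list only matters to the signature if that field's name appears in the h= tag, which this example does not model. For the MTA question, both Postfix and Sendmail can sign and verify through the OpenDKIM milter; this block covers only the hashing step. <br>

```python
"""DKIM body hashing under relaxed canonicalization (RFC 6376 section 3.4.4); added
example with a constructed body and footer, showing what a list re-mailer does to bh=."""
import base64
import hashlib
import re

def relaxed_body(body):
    """CRLF line ends, runs of WSP become one SP, trailing WSP stripped,
    trailing empty lines removed, a non-empty body always ends in CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body, length=None):
    """bh= value: base64(SHA-256) over the canonical body, or over only its first
    `length` octets when the signer set an l= tag (RFC 6376 section 3.7)."""
    canon = relaxed_body(body).encode()
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

# Constructed message body and a constructed footer of the kind list software appends.
ORIGINAL = "Gracefully doing nothing is   still doing something.  \r\n\r\n-- R;\r\n"
FOOTER = "_______________________________________________\r\nlist mailing list\r\n"

def survival():
    """Which edits leave bh= intact under relaxed canonicalization?"""
    signed_bh = body_hash(ORIGINAL)
    signed_len = len(relaxed_body(ORIGINAL).encode())   # what an l= tag would have recorded
    reflowed = ORIGINAL.replace("   ", " ").replace("\r\n", "\n")
    return {"whitespace reflow": body_hash(reflowed) == signed_bh,
            "list footer appended": body_hash(ORIGINAL + FOOTER) == signed_bh,
            "list footer appended, l= set":
                body_hash(ORIGINAL + FOOTER, length=signed_len) == body_hash(ORIGINAL, length=signed_len)}

if __name__ == "__main__":
    for edit, verifies in survival().items():
        print("%-30s bh= %s" % (edit, "unchanged" if verifies else "BROKEN"))
```

The only case that keeps the signature valid after the footer is the l= one, which is exactly why most signers leave l= out: a verifier cannot tell the list's footer from a phisher's appended text. <br>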
</body>
</html>