[conspire] How not to muck up DNS & domain registration

Rick Moen rick at linuxmafia.com
Wed Apr 13 21:05:00 PDT 2005


Quoting William R Ward (bill at wards.net):

> Thanks to this thread I finally got around to creating SPF RR's for
> wards.net and bayview.com (actually, bayview.com had one but
> domainreport pointed out that it was invalid).  I hope that I did it
> right - I guess if I didn't, the mailing list will not send my mail
> back to me because it checks SPF, right?  We'll see...

1.  Actually, my MTA doesn't check SPF records, at the moment.  When I
last rebuilt my system, I briefly enabled the SPF-checking support in
Exim4-daemon-heavy + SA-Exim + EximConfig + spfd, and the results were
ugly:  It seemed as if spfd wasn't trying to validate the _envelope_
("From ") sender, but rather the inside ("From:") sender.

My MTA during that period objected to mail from just about _any_ mailing
list as supposedly coming from an unauthorised sender.  In particular, 
it rejected mail from Heather Stern <star at starshine.org> relayed via the
blw at baylisa.org mailing list as supposedly being from an unauthorised MX
of starshine.org.

That was very broken behaviour (in case it wasn't clear) -- not at all
the intended type of check.  I didn't have time to figure out what was
going wrong, so immediately disabled the SPF check routines in exim4.conf, 
and haven't yet had time to try again.

So, my domain is currently among the vast number of those that publish
SPF records but don't check other people's.


2.  It's actually not at all a foregone conclusion that mail that fails
an SPF-record check will get refused.  That's just information, after
all -- information on when a piece of received mail is believed to be a
Joe-job.  How the receiving system will act on it is under the local
sysadmin's control.  A local sysadmin implementing SPF checking might,
for example, choose to whitelist a huge number of addresses for other
reasons, or might just tag failing messages with an advisory header that
users can choose to filter on or not.


3.  Anyhow, the mailing list software wouldn't be likely to be the
component doing SPF-checking:  That's more logically something to be
done inside the MTA during the ongoing SMTP session, as mail arrives.

(A mailing list is basically just a big, fancy .forward file, with
automation features.)
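
The difference between the two sender identities in point 1, and the local-policy choice in point 2, as an added example that is not part of the original post. The domains, addresses, SPF records and function names are constructed for illustration, and the evaluator handles only the ip4 and all mechanisms.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF policies standing in for DNS TXT lookups (assumption).
SPF_RECORDS = {
    "author.example": "v=spf1 ip4:192.0.2.10 -all",
    "lists.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Evaluate a record against the connecting IP (ip4 and all only)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULTS[qualifier]
    return "neutral"

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

# Constructed session: a list server relays a post written by someone
# whose own domain publishes a strict SPF record.
CLIENT_IP = "198.51.100.25"                   # the list server's address
ENVELOPE_FROM = "talk-bounces@lists.example"  # SMTP MAIL FROM ("From " line)
MESSAGE = message_from_string(
    "From: Author <author@author.example>\nTo: talk@lists.example\n\nbody\n")

def envelope_check():
    """Check the envelope sender: the identity SPF is meant to validate."""
    return check_spf(domain_of(ENVELOPE_FROM), CLIENT_IP)

def header_check():
    """Check the inside From: header: breaks on list-relayed mail."""
    return check_spf(domain_of(MESSAGE["From"]), CLIENT_IP)

def disposition(result, policy="tag"):
    """The receiving sysadmin decides what a fail leads to."""
    if result != "fail":
        return "accept"
    return "reject" if policy == "reject" else "accept, add 'Received-SPF: fail' header"

if __name__ == "__main__":
    for name, res in (("envelope", envelope_check()), ("header", header_check())):
        print(name, res, "->", disposition(res), "|", disposition(res, "reject"))
```
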




