Calling all SPF anti-spam experts!
Dec. 19th, 2005 12:34 pm

The email server whatexit.org relays its email to mail.megapathdsl.net because the IP address range that it is on is marked as “DSL or dial-up” in some of the RBLs. Yet, AOL and Comcast sometimes block email leaving my system. The recent complaint was email from a user that sends his email as USER@acm.org, but since he uses mutt to change the From: line the ISPs aren’t fooled and the bounce goes to USER@whatexit.org.

Can people that understand these things more than I do check my SPF entry?

whatexit.org. IN TXT "v=spf1 ip4:64.32.179.56 ip4:193.195.87.251 a a:gsp.whatexit.org include:megapathdsl.net ?all"

Any thoughts?

Tom
no subject
Date: 2005-12-19 05:54 pm (UTC)

no subject
Date: 2005-12-19 06:17 pm (UTC)
The only thing that SPF breaks horribly are .forward's. There are, however, ways around that, which they have on the OpenSPF website (http://www.openspf.org/faq.html#forwarding).
no subject
Date: 2005-12-19 06:34 pm (UTC)
As we send many many thousands of emails to AOL on a weekly basis, he's spent a bunch of time dealing with this.
no subject
Date: 2005-12-19 06:36 pm (UTC)
"Although arguably whitelisting is a policy decision.
So to correct myself, they don't use a SPF failure for blocking. They use SPF only for lowering their administrative overhead for dealing with other ISPs' whitelisting/feedback loop requests/updates."
no subject
Date: 2005-12-19 06:42 pm (UTC)
But, since then, I haven't had any users bitching at me that they're not getting emails from my lists anymore ;-)
no subject
Date: 2005-12-19 06:24 pm (UTC)
(b) It's my suspicion (although I haven't gotten hard proof) that include: sometimes has iffy results, because different mail servers interpret it differently. (If megapathdsl.net says "mx ptr", some receiving mail servers will accept mail from megapathdsl's mx entries and anything that reverse looks up to them; others will include YOUR mx and ptrs, which isn't what you want.)
(c) Try sending me an email message? app at pobox dot com. Since they invented and promote SPF, they have a kind of canonical reference, and I've gotten rather skilled at looking at the headers. Alternatively, you can use http://www.openspf.org/why.html to test the megapath server it would originate from and your envelope-from, to see how things are being evaluated in a testbed.
doesn't smell like an SPF problem to me
Date: 2005-12-19 06:24 pm (UTC)
user@acm.org, the receiving ISP should check the (non-existent) SPF records for acm.org, not those of whatexit.org. If the remote site is checking whatexit.org's SPF records, it's probably using a different 'From' than you're expecting. Given the information that bounces go to user@whatexit.org, it sounds like mutt is only rewriting the From: header and not the 'From' in the message envelope. If you were using sendmail, you could use the genericstable map to rewrite the envelope From: it's an easy map to set up if you understand how to set up virtusertable. Since it looks like you're using Postfix, you'd want whatever the inverse of a virtual user map is.
Does the failure notice specifically mention SPF? You'd still have a problem with ISPs refusing the mail because it came from a dial-up IP or because it didn't come from the expected (based probably on MX records) server.
Have I mentioned today that SPF is one of several anti-spam tools that doesn't work particularly well for users who need to send mail with a return address different from their ISP address and can't or don't want to use a VPN, web mail or similar "shift of mail origin" tool?
Re: doesn't smell like an SPF problem to me
Date: 2005-12-20 07:07 pm (UTC)

set envelope_from=yes
set use_from=yes

in .muttrc (or the system Muttrc)
Now the "From: " address used by the user will also be the envelope From address. Your server may put on warnings (sendmail does, by default) in the X- headers to show the envelope from was changed. (Works for me with sendmail, anyway!)
no subject
Date: 2005-12-19 06:24 pm (UTC)
"v=spf1 a ip4:64.32.179.56 mx include:megapathdsl.net ~all"?
(The ?all means "Well I dunno, maybe it's from us, it may not be, however, but we're not going to say either way.")
Using a:gsp.whatexit.org and ip4:64.32.179.56 is redundant. Just use the IP, it saves the named lookup. (And you probably want to drop crumb at this point..)
Now, of course, what would really be helpful is to know _why_ it's blocking mail from your system. Can you get a hold of one of the bounce URLs?
no subject
Date: 2005-12-19 06:25 pm (UTC)

no subject
Date: 2005-12-19 06:25 pm (UTC)
But otherwise you're declaring that mail comes via two IPs, any A record directly on whatexit.org, any A record on gsp.whatexit.org (currently redundant with the first ip4, but redundancy is okay here), and anything megapathdsl.net says is okay for their domain.
Your MX records specify some psmtp.com things. Those are *only* for incoming email, not ever outgoing email? If they're ever for outgoing, an "mx" in the SPF record would be good...
Assuming megapath isn't doing horribly strange things (like sending email out via a different IP than the one you're delivering the mail to), I can't see anything wrong with your SPF record. Maybe it's something else. Like that DUL thing.
no subject
Date: 2005-12-20 03:15 am (UTC)
My world just shrank at an uncomfortable rate.
(I have no help for Tom on this issue, not surprisingly...)
no subject
Date: 2005-12-19 06:27 pm (UTC)
http://www.openspf.org/wizard.html?mydomain=whatexit.org&x=0&y=0
will give you a full decode of your SPF config.
He continues:
"The problem re: user@acm vs user@whatexit is because a) mutt (at least everything but current experimental) has no SMTP support and b) the local MSA is configured to not allow users to set their sender.
Now depending on what Tom is running as his MTA this could be solved in several ways.
But fundamentally this is why SPF is useless in its current incarnation. It doesn't handle problems like this well.
AOL & Comcast aren't making policy decisions based on SPF though.
I know that for a fact (well with AOL anyway -- I'm reasonably certain Comcast isn't)
I'd be curious to see what the error message from AOL was on a blocked message."
no subject
Date: 2005-12-19 09:00 pm (UTC)
For the person who sets their address as @acm.org, a receiving MTA should only filter based on the TXT for acm.org, not the one for whatexit.org.
Your bounces don't appear at a glance to be SPF related, but all RBL.
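To make the record semantics argued over in the comments above concrete (what the original "?all" record and the proposed "a ip4 mx include ~all" version each return for a given sending IP, why include: only matches on the included domain's "pass", and why a receiving MTA consults the envelope sender's domain, so mail sent as user@acm.org is judged against acm.org's record and not whatexit.org's), here is a small SPF evaluator in Python. It is an added example, not code from the post or from any commenter, and it never touches the network: the only real data in it is the whatexit.org TXT record quoted in the post. The megapathdsl.net record, the mx1.psmtp.example MX host, and the addresses 198.51.100.25, 192.0.2.10 and 203.0.113.9 are constructed assumptions, and the evaluator deliberately omits ip6, ptr, exists, redirect= and exp=.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (nothing here is queried
# from the network). The whatexit.org TXT record is the one from the post;
# every other record below is made up for this example.
DNS = {
    "txt": {
        "whatexit.org": ("v=spf1 ip4:64.32.179.56 ip4:193.195.87.251 "
                         "a a:gsp.whatexit.org include:megapathdsl.net ?all"),
        "megapathdsl.net": "v=spf1 ip4:198.51.100.0/24 -all",   # constructed
    },
    "a": {
        "whatexit.org": ["64.32.179.56"],
        "gsp.whatexit.org": ["64.32.179.56"],
        "mx1.psmtp.example": ["192.0.2.10"],                   # constructed MX host
    },
    "mx": {
        "whatexit.org": ["mx1.psmtp.example"],                 # constructed
    },
}

# An SPF qualifier turns a matching mechanism into a result.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(ip, domain, record, depth=0):
    """Evaluate sender `ip` against an explicit SPF `record` for `domain`.

    Simplified SPF: ip4, a, mx, include and all, each with a qualifier.
    Not handled: ip6, ptr, exists, redirect=/exp= modifiers, dual-CIDR.
    """
    if depth > 10:                       # RFC 4408 caps include recursion
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                  # no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(addr == ipaddress.ip_address(a)
                          for a in DNS["a"].get(arg or domain, []))
        elif name == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for host in DNS["mx"].get(arg or domain, [])
                          for a in DNS["a"].get(host, []))
        elif name == "include":
            # include: matches only when the included domain's record gives
            # "pass"; its fail/softfail/neutral mean "keep evaluating here".
            inner = check_spf(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"       # including a domain with no record
            matched = inner == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


def check_spf(ip, domain, depth=0):
    """Look up `domain`'s SPF TXT record and evaluate `ip` against it.

    `domain` is the envelope sender's (MAIL FROM) domain, which is why mail
    sent as user@acm.org is checked against acm.org, not whatexit.org.
    """
    record = DNS["txt"].get(domain)
    if record is None:
        return "none"
    return evaluate(ip, domain, record, depth)


# The record proposed in the comments: the redundant a:gsp entry dropped,
# mx added, and ~all (softfail) instead of ?all (neutral) at the end.
PROPOSED = "v=spf1 a ip4:64.32.179.56 mx include:megapathdsl.net ~all"

if __name__ == "__main__":
    for ip in ("64.32.179.56", "198.51.100.25", "192.0.2.10", "203.0.113.9"):
        print(ip, "original:", check_spf(ip, "whatexit.org"),
              "proposed:", evaluate(ip, "whatexit.org", PROPOSED))
    print("acm.org has no record:", check_spf("64.32.179.56", "acm.org"))
```

Run as a script it prints one line per sending IP. The first two addresses pass under both records (the second only because the constructed megapathdsl.net record passes it through include:); the constructed MX host's address is neutral under the original record and passes only once "mx" is added; and an unrelated address comes back neutral with "?all" but softfail with "~all", which is the whole difference the "?all" comment above is pointing at.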
no subject
Date: 2005-12-20 03:21 am (UTC)
My assumption is that whatexit.org is on a DSL IP from megapathdsl.net. If that's the case, you should see if you can get reverse DNS assigned to whatexit.org for your IP space.
I've had mail from my server bounce (specifically to Comcast) because of reverse DNS lookup failure. My ISP will let me set reverse DNS for my IP space, I just haven't done it yet because that's on the edge of my knowledge limits.