spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Are SPF fault tolerant ? How to make SPF records changed correctly ?

2004-07-12 13:06:54
from [Andrew G. Tereschenko] [Permanent Link] 
Can somebody clarify me this situation:

I'm a small or mid-size company in developing country.
We use a single colocation server on local ISP to send and recieve our
emails.
We configured SPF records to accept emails only from our ISP IP range all
others are "-all".
Something like:
"v=spf1 +mail.ourisp.com/24 -all"
(or instead of -all, we can use ?all or ~all, but select servers can start
to block them too, situation are similar)

1. But here is an accident - fire/tournado/earthquake (think about Silicon
Valley, CA) or 9.11

Our ISP lines damaged. Our server lost.
As part of assistance, ISP from another state provided us new server as
replacement and configured it in _own_ network.

But here a problem:
_Cached_SPF_records_ prevent us from sending emails to our clients.
All messages are 550 blocked becouse of "-all" SPF rule and IP unknown to
our clients.

Cached MX records are okey - all undelivered emails to us are stored in mail
queee and thouse MTAs who will find our new MXes - will deliver them to us.
With a delay, but all of them will be delivered.

Your proposal ?
Do our new server must keep retrying all 550 delivery errors ?
How we can separate valid 550 from SPF 550 ? Will be "Local Policy" error
message search okey (nothing about this in "Fail" error) ?

2. Another sitiation. We found that work-load of our current server
increased (or pricing on another ISP are better) so we need to move to
another ISP.
How many time (based on TTL) it will take to move our server to send emails
correctly without "550" retries ?

3. One more. We do not change ISP. But our ISP willing to change IP netblock
they own OR simply change an IP of our server OR change IP address of
dial-up pool we used to send emails.
The same question - how to do this correctly ? Do we have to delegate our
DNS management in addition to server management to ISP ?
Or we must take such a change burden on ourself ?

Is there any recomentations on TTL for SPF records and caching/validation
process other that http://www.ietf.org/rfc/rfc1537.txt recomended TTL
(downtime) = 1 day ?
Can you document all requered steps how to change SPF records data for
situations described above ?


AFAIK, Nothing like this will happen for DomainKeys. Cached DNS values will
only benefit them - do not hurt in such a situations.
SPF rely on current network configurations - but Internet originaly was
designed to change configuration/routing even in case of WW3 and USSR A-Bomb
attack.

Thanks,
--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re: "redirect" in an included SPF record, Meng Weng Wong
Next by Date:  Re: Re[4]: Is there is proposed checks on bounces and delivery notification ?, Roger Moser
Previous by Thread:  Intuit, Waitman C Gobble II
Next by Thread:  Re: Are SPF fault tolerant ? How to make SPF records changed correctly ?, Meng Weng Wong
Indexes:  [Date] [Thread] [Top] [All Lists]