Hello,
Our domain is grenoble.cnrs.fr (147.173.x.x) and we wish to secure our
mails exchanges.
So for testing purpose, the following TXT record was added on our DNS:
grenoble.cnrs.fr IN TXT "v=spf1 a -all"
Here are 2 logs we have when making tests :
--- start 1st log ---
>From root(_at_)grenoble(_dot_)cnrs(_dot_)fr Tue Jul 27 17:47:25 2004
Return-Path: <root(_at_)grenoble(_dot_)cnrs(_dot_)fr>
Received: from labs.grenoble.cnrs.fr (labs.grenoble.cnrs.fr [147.173.1.26])
by vigie.grenoble.cnrs.fr (8.12.11/jtpda-5.4) with ESMTP id
i6RFlPfe024948
for <gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr>; Tue, 27 Jul 2004
17:47:25 +0200
Received: (from root(_at_)localhost)
by labs.grenoble.cnrs.fr (8.12.10/8.12.5/Submit) id i6RFlXxR026713
for gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr; Tue, 27 Jul
2004 17:47:33 +0200
Date: Tue, 27 Jul 2004 17:47:33 +0200
From: root <root(_at_)grenoble(_dot_)cnrs(_dot_)fr>
Message-Id:
<200407271547(_dot_)i6RFlXxR026713(_at_)labs(_dot_)grenoble(_dot_)cnrs(_dot_)fr>
To: gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr
Subject: test from labs machine
Received-SPF: pass (vigie.grenoble.cnrs.fr: domain of
root(_at_)grenoble(_dot_)cnrs(_dot_)fr
designates 147.173.1.26 as permitted sender)
--- end 1st log ---
'vigie.grenoble.cnrs.fr' (147.173.3.28), is a Linux machine acting (for
the test) as a
mail server (running sendmail + SPF).
'labs.grenoble.cnrs.fr' (147.173.3.26), is the only authorisated host to
send mails.
OK here all's right:
-> 'Received-SPF' was added in mail header, result is 'pass' as e-mail
was send from
147.173.1.26
=> grenoble.cnrs.fr is protected against spoofing
--- start 2nd log ---
>From john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org Tue Jul 27 17:52:19
2004
Return-Path: <john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org>
Received: from vigie (reflector.grenoble.cnrs.fr [147.173.3.39])
by vigie.grenoble.cnrs.fr (8.12.11/jtpda-5.4) with SMTP id
i6RFpnDH025114
for <gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr>; Tue, 27 Jul 2004
17:52:14 +0200
Date: Tue, 27 Jul 2004 17:51:49 +0200
From: john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org
Message-Id:
<200407271552(_dot_)i6RFpnDH025114(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr>
Subject: Natural weight loss product
Received-SPF: none (vigie.grenoble.cnrs.fr: domain of
john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org does not designate permitted sender hosts)
--- end 2nd log ---
Here is the log of an e-mail (SPAM) we've made (forged) from a linux
box, named
reflector.grenoble.cnrs.fr (147.173.3.39). This mail pretends to come from
john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org(_dot_)
For me this seems to be bad because a mail from a non-existing domain is
alway accepted
(because no TXT record). So, real "john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org" will be
insulted by
automatic anti-spams softwares.
Since SPF have seen e-mail was send from 147.173.3.39, it can deduce
from reverse DNS
request that this address belong to grenoble.cnrs.fr and thus if it's
one of the authorizedsenders for this domain.
By asking the spoofed domain of the fake e-mail address we pretend
coming from,
SPF realizes a good domain anti-spoofing, but I think that SPF do more
by ALSO relying
on SMTP sender IP address. Then :
.mail forged will be rejected -> less spams received
.john.smith will not be insulted -> we don't participate to effects of
forged mails
Could SPF propose this option ?
What do you think of that idea ?
Thank in advance and regards,
daniel