spf-discuss

RE: rr.com and SPF records

2005-03-16 09:46:28
Hello Todd.

Todd Herr wrote:
My name is Todd Herr, and I'm the Postmaster for Road Runner
(rr.com).  I'm also the person responsible for our SPF records.

Good to hear from you! :-)

# dig +sho houston.rr.com txt
"v=spf1 redirect=texas.rr.com"
# dig +sho austin.rr.com txt
"v=spf1 redirect=texas.rr.com"
# dig +sho satx.rr.com txt
"v=spf1 redirect=texas.rr.com"
# dig +sho texas.rr.com txt
"v=spf1 ip4:24.93.47.0/24 ip4:24.28.204.15 ip4:24.28.204.16 +mx ~all"

Given that our customer email addresses would be in the
houston.rr.com, or austin.rr.com, or satx.rr.com domains, do our
SPF records meet the fewer than 10 DNS mechanism guidelines
here?

For example:

| $ dig +sho houston.rr.com TXT
| "v=spf1 redirect=texas.rr.com"
| $ dig +sho texas.rr.com TXT
| "v=spf1 ip4:24.93.47.0/24 ip4:24.28.204.15 ip4:24.28.204.16 +mx ~all"
| $ dig +sho texas.rr.com MX
| 20 orngca-02.mgw.rr.com.
| 30 hrndva-01.mgw.rr.com.
| 30 hrndva-02.mgw.rr.com.
| 10 austtx-01.mgw.rr.com.
| 10 austtx-02.mgw.rr.com.
| 20 orngca-01.mgw.rr.com.

So evaluating the sender policy for houston.rr.com involves at maximum 2
mechanisms/modifiers (one "redirect" and one "mx"), and at maximum 6 MX
lookups for the "mx" mechanism.  So, yes, this is well within the limits.

Our rr.com SPF record exists primarily, in my opinion, to give
us a standards-based way to answer the not-infrequent question
we receive from other ISPs.  That question is, "Can you tell
me where your outbound mail servers are, so that we may
whitelist them?".  Being able to point to the SPF record for
rr.com gives us a way to communicate that information in a way
that most ISPs should understand, we believe.

Agreed, this is not a bad idea.  But note that SPF implementations might
have problems evaluating the sender policy for rr.com as this would exceed
the limits.  As a result, the highly complex sender policy of rr.com
should not be relied on when sending mail directly from rr.com.

That is, you should not send mail directly from rr.com as long as its
sender policy is as complex as it currently is.  Or at least, you should
expect SPF checks to fail due to security limits when doing so.

1. Was this discussion had on the spf-discuss@v2.listbox.com list,
   or someplace else?  (I've just subscribed to this list.)

Yes, spf-discuss.

2. Is there any value, given that this thread seems to have
   expired two weeks ago, to my attempting to follow up publicly
   to this thread?

Sure, feel free to follow up on the issue.  I have taken the liberty of
directly replying to spf-discuss.
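The counting argument above (one "redirect", one "mx", six MX names) can be checked mechanically. The following Python script is an added example written for this archive page; it is not code from the thread or from Road Runner. It mirrors the TXT and MX answers quoted above in an in-memory zone table so it runs offline, follows redirect= and include: the way an SPF checker would, counts every term that needs a DNS query (a, mx, ptr, exists, include, redirect; ip4/ip6/all do not), and reports a permanent error when a policy would exceed the 10-lookup processing limit or when an mx mechanism would return more than 10 names. The domains toocomplex.example and part*.example are constructed here to show a policy that does blow the limit; they are not from the thread.

```python
"""Count the DNS-querying terms in an SPF policy, following redirect= and
include:, and flag policies that exceed the 10-lookup processing limit."""
import re

LIMIT = 10
# Mechanisms whose evaluation requires a DNS query (ip4/ip6/all do not).
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}

# Constructed in-memory DNS data mirroring the TXT and MX answers quoted in
# the thread, so the example runs offline.  toocomplex.example and the
# part*.example domains are hypothetical, constructed to exceed the limit.
ZONE_TXT = {
    "houston.rr.com": "v=spf1 redirect=texas.rr.com",
    "austin.rr.com": "v=spf1 redirect=texas.rr.com",
    "satx.rr.com": "v=spf1 redirect=texas.rr.com",
    "texas.rr.com": "v=spf1 ip4:24.93.47.0/24 ip4:24.28.204.15 ip4:24.28.204.16 +mx ~all",
    "toocomplex.example": "v=spf1 "
    + " ".join(f"include:part{i}.example" for i in range(11))
    + " -all",
}
for _i in range(11):
    ZONE_TXT[f"part{_i}.example"] = "v=spf1 ip4:192.0.2.0/24 -all"

ZONE_MX = {
    "texas.rr.com": [
        "austtx-01.mgw.rr.com", "austtx-02.mgw.rr.com",
        "orngca-01.mgw.rr.com", "orngca-02.mgw.rr.com",
        "hrndva-01.mgw.rr.com", "hrndva-02.mgw.rr.com",
    ],
}

# qualifier, name, separator (":" mechanism arg, "=" modifier, "/" cidr), argument
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")


class SpfPermError(Exception):
    """Raised when a policy cannot be evaluated within the processing limits."""


def count_dns_lookups(domain, txt=ZONE_TXT, mx=ZONE_MX, _depth=0):
    """Return {'lookups': n, 'mx_names': m} for the worst-case evaluation of
    domain's policy: n DNS-querying terms (redirect= and include:d policies
    included) and m the largest MX answer any mx mechanism needs."""
    if _depth > LIMIT:
        raise SpfPermError("redirect/include chain too deep")
    record = txt.get(domain)
    if record is None:
        raise SpfPermError(f"no SPF record for {domain}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SpfPermError(f"not an SPF record: {record!r}")
    lookups, mx_names = 0, 0
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise SpfPermError(f"unparseable term {term!r}")
        _, name, sep, arg = m.groups()
        name = name.lower()
        if sep == "=":                       # modifier (redirect=, exp=)
            if name == "redirect":
                lookups += 1
                sub = count_dns_lookups(arg, txt, mx, _depth + 1)
                lookups += sub["lookups"]
                mx_names = max(mx_names, sub["mx_names"])
            continue
        if name not in DNS_MECHANISMS:       # ip4, ip6, all: no query needed
            continue
        lookups += 1
        if lookups > LIMIT:
            raise SpfPermError(f"{domain}: more than {LIMIT} DNS-querying terms")
        # Target is the argument if one is given, else the domain being checked.
        target = (arg.split("/")[0] if sep == ":" else "") or domain
        if name == "include":
            sub = count_dns_lookups(target, txt, mx, _depth + 1)
            lookups += sub["lookups"]
            mx_names = max(mx_names, sub["mx_names"])
        elif name == "mx":
            hosts = mx.get(target, [])
            if len(hosts) > LIMIT:
                raise SpfPermError(f"{target}: mx returns more than {LIMIT} names")
            mx_names = max(mx_names, len(hosts))
    if lookups > LIMIT:
        raise SpfPermError(f"{domain}: more than {LIMIT} DNS-querying terms")
    return {"lookups": lookups, "mx_names": mx_names}


def within_limits(domain, txt=ZONE_TXT, mx=ZONE_MX):
    """True if the policy for domain evaluates without hitting a limit."""
    try:
        count_dns_lookups(domain, txt, mx)
    except SpfPermError:
        return False
    return True


if __name__ == "__main__":
    for d in ("houston.rr.com", "texas.rr.com", "toocomplex.example"):
        try:
            print(d, count_dns_lookups(d))
        except SpfPermError as e:
            print(d, "PermError:", e)
```

Run as-is it reports two lookups and six MX names for houston.rr.com, matching the count in the reply, and a permanent error for the constructed toocomplex.example policy. The same approach, pointed at a live resolver instead of the zone tables, is how one would confirm whether a complex policy like the one described for rr.com itself stays within the limits before relying on it.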

