spf-discuss

RE: rr.com and SPF records

2005-03-16 17:05:50
On Wed, 16 Mar 2005, at 23:46, Julian Mehnle wrote:

Todd Herr wrote:
So, just so I'm clear on things here...

Would the following be an acceptable SPF record for rr.com?

"v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 \
        ip4:24.28.204.0/24 ip4:24.30.218.0/24 \
        ip4:24.93.47.0/24 ip4:24.25.9.0/24 \
        ip4:65.24.5.0/24 ip4:24.94.166.0/24 \
        ip4:24.29.109.0/24 ip4:66.75.162.0/24 \
        ip4:24.24.2.0/24 ip4:65.32.5.0/24 +mx ~all"

Acceptable, that is, from the standpoint of fewer than 10 methods
and guarding against the forged @rr.com sender that Radu spoke of
upthread?

From _that_ standpoint: yes.

But does the record authorize _more_ IP addresses for sending mail from
rr.com than necessary?  In other words: is it too broad?

  $ for a in $(
  >>     dig +sho rr.com MX | cut -d' ' -f2
  >> ); do
  >>     dig +sho $a A
  >> done | sort | uniq | wc -l
  36

As far as I can see, the above record authorizes 12*254 + 36 = 3084 IP
addresses to send mail from the domain rr.com.  Is this appropriate?


I think it's the best we can do, really.  At present, we've got 3
or 4 SMTP servers in each of the /24s listed above; listing them
all by IP would go well beyond the 512 byte limit for the DNS
record.  We may someday have all of our outbound servers in one
DNS domain, so we can shorten things up then.

Remember, too, that the SPF record for rr.com is first and
foremost, from my perspective, there to communicate to other ISPs
and whatnot where our servers are; the likelihood of legitimate
outbound mail ending in '@rr.com' is quite small.  Publishing
/24s in this SPF record means that we don't have to keep track
of and notify each ISP that has asked for the information in the
past; moreover, those ISPs don't have to update any lists which
they may maintain regarding our SMTP servers each time we add
one.  So long as we keep our servers in these networks, the
record conveys the information that we want to and that others
will require.

-- 
Todd Herr
Senior Security Policy Specialist/Postmaster      V: 703.345.2447
Time Warner Cable IP Security                     M: 571.344.8619
therr(_at_)security(_dot_)rr(_dot_)com                           AIM: RRCorpSecTH
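The three questions raised in this exchange (how many addresses the record authorizes, whether it stays under the limit of 10 DNS-querying mechanisms, and whether it fits in a single TXT string and a 512-byte UDP reply) can be checked statically before publishing. The script below is an added example written for this thread, not code from the list, from rr.com or from any SPF implementation. It embeds the quoted rr.com record as a constructed sample and makes no DNS queries; the 36 MX addresses from the dig loop above are passed in by the caller, since they come from DNS and not from the record text. Like the count in the thread, it treats the network and broadcast address of each /24 as non-senders (254 hosts per block).

```python
"""Static SPF record checker: authorized-address count, DNS-lookup count,
and record length.  Added example; parse_spf, usable_ip4_addresses,
dns_lookup_count and summarize are names chosen here, not library APIs."""
import ipaddress

# Constructed sample: the rr.com record as quoted in the thread.
RR_COM_SPF = (
    "v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 "
    "ip4:24.28.204.0/24 ip4:24.30.218.0/24 "
    "ip4:24.93.47.0/24 ip4:24.25.9.0/24 "
    "ip4:65.24.5.0/24 ip4:24.94.166.0/24 "
    "ip4:24.29.109.0/24 ip4:66.75.162.0/24 "
    "ip4:24.24.2.0/24 ip4:65.32.5.0/24 +mx ~all"
)

# Terms that cost a DNS lookup and count toward the limit of 10
# (RFC 7208 section 4.6.4).  ip4, ip6 and all are free.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_spf(record):
    """Split a record into (qualifier, name, argument) triples.
    Modifiers such as redirect=... are returned with qualifier None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            name, arg = term.split("=", 1)
            if ":" not in name and "/" not in name:   # modifier, no qualifier
                parsed.append((None, name.lower(), arg))
                continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if ":" in term:
            name, arg = term.split(":", 1)
        elif "/" in term:                              # e.g. a/24
            name, arg = term.split("/", 1)
            arg = "/" + arg
        else:
            name, arg = term, None
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def usable_ip4_addresses(record):
    """Hosts authorized (pass) by ip4: mechanisms, excluding the network
    and broadcast address of blocks /30 and larger."""
    total = 0
    for qualifier, name, arg in parse_spf(record):
        if name != "ip4" or qualifier != "+":
            continue
        net = ipaddress.IPv4Network(arg if "/" in arg else arg + "/32",
                                    strict=False)
        if net.prefixlen <= 30:
            total += net.num_addresses - 2
        else:
            total += net.num_addresses
    return total


def dns_lookup_count(record):
    """Number of terms that require a DNS query during evaluation."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def summarize(record, mx_address_count=0):
    """Figures a postmaster checks before publishing.  mx_address_count is
    supplied by the caller because it comes from DNS, not from the record."""
    length = len(record.encode("ascii"))
    ip4_hosts = usable_ip4_addresses(record)
    lookups = dns_lookup_count(record)
    all_terms = [q for q, name, _ in parse_spf(record) if name == "all"]
    return {
        "ip4_addresses": ip4_hosts,
        "mx_addresses": mx_address_count,
        "total_authorized": ip4_hosts + mx_address_count,
        "dns_lookups": lookups,
        "within_lookup_limit": lookups <= 10,
        "bytes": length,
        "fits_single_txt_string": length <= 255,
        # Rough check only: ignores DNS header and owner-name overhead.
        "fits_512_byte_udp_reply": length <= 512,
        "all_qualifier": all_terms[-1] if all_terms else None,
    }


if __name__ == "__main__":
    for key, value in summarize(RR_COM_SPF, mx_address_count=36).items():
        print(f"{key:26} {value}")
```

Running it against the quoted record reproduces the 12*254 + 36 = 3084 figure, shows a single DNS lookup (the mx term) against the limit of 10, and a 234-byte record, which is why listing individual hosts instead of /24s would not have fit in one 255-byte TXT string.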