spf-discuss
[Top] [All Lists]

Re: [spf-discuss] SPF basics commentary

2007-01-29 12:09:32
Daniel Taylor wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My mailreader mangled the quotes horribly, my apologies if I don't get
all the cleanup right.

Terry Fielder wrote:
Daniel Taylor wrote:
Stuart D. Gathman wrote:
On Mon, 29 Jan 2007, Seth Goodman wrote:

I'm well aware that a number of incompetent ISPs don't delegate PTR for
static IPs.  In the developed world, the answer is to host your server
in a facility that delegates PTR, and that may not be your ISP. Outside
the developed world this is not so practical, and those folks will
continue to have trouble getting their mail delivered to MTAs that
insist on matching PTR records.  SPF does not fix this problem because
it relies on forward DNS only.
I get the picture.  So IPv4 is officially unusable for us poor folk.
I guess I need to start figuring out how to set up IPv6 email, where
I can set my own rDNS.

How do I send from an IPv6 address if the MX records for the destination
domain list only IPv4 hosts?  Use a relay with SMTP AUTH?  Who offers
such a service?  All IPv4 SMTP relays I've seen don't prevent
cross-customer forgery (except maybe Kitterman's), so you are actually
*more* likely to get forged mail if you force me to go that route.
Seems counterproductive.

Delegating PTR for anything less than a full /24 network block does not
appear to be practical, if it is even possible. On the other side of the
coin, most ISPs that cater more to a technical or business audience have
no trouble with setting the PTR for your IP(s) appropriately to your
needs.

Even the consumer oriented ISPs frequently have business divisions that
charge a hefty premium but are happy to provide such services.

Failure to have any PTR record *at all* for a particular IP will keep
you from sending e-mail regardless of SPF settings, as most standard
MTAs (Sendmail and Postfix I know for certain) will check for the
existence of rDNS,

Granted, MTAs check for a reverse existing (may or may not match domain).
But is it a technical assertion that to have a reverse DNS one must
have a PTR?  I was not aware of that...

The PTR record is the rDNS entry.
"Yes" would suffice. I reckon I just exposed the fact that I only enter the forwards in my zone files; the ISPs do my reverses.
Forward DNS:
mail.example.com        A       999.1.2.3

Reverse DNS:
3.2.1.999       PTR     mail.example.com

Of course, these lines go into the delegation files for example.com and
2.1.999.in-addr.arpa respectively.

What about multi-homed mail servers? The reverses for both IPs of said server would work, but the forward...
Terry

and frequently verify that with a forward lookup to
see if it matches,
Um, really??? Most forwards point to the website server, not the MTA. Only in some cases is that the same IP.
Are you sure of your statement?
Or are we talking about a fully qualified host name (not just the
domain).  And if so, from where are you assuming this name comes from?

In the example above, if the A record for mail.example.com were missing,
or pointed to a different IP address, it would fail a validating PTR
check and the connection would be closed without SPF ever getting called.

Stuart's examples of standard ISP block addresses in his response to my
message would probably all pass a validating rDNS check because those
names would forward map to the same IP address as the reverse entry.


Now, all this does nothing to help if you have the SPF record:
example.com   SPF   "v=spf1 ptr -all"
and example.com is hosted at 71-13-88-230.static.bycy.mi.charter.com.
On the gripping hand, if example.com's SPF record reads "v=spf1 a ptr
-all", then it can pass on the A record, and the PTR problem is moot.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFvkER8/QSptFdBtURAtkDAJ9UU2lUfpjpIc5n+rrB/kJHt5tS/wCfVZ/V
gfwI9vP4HHo985MWH/Oz+H0=
=ltYB
-----END PGP SIGNATURE-----
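The two checks discussed in this message, as an added example that is not part of the thread or of any MTA's code: a forward-confirmed rDNS (PTR then A) lookup of the kind Daniel says Sendmail and Postfix run on the connecting IP, followed by evaluation of the "ptr" and "a" mechanisms for the two SPF records in his last paragraph. The resolver is replaced by constructed in-memory zone data so the script runs offline; the RFC 5737 addresses, the A record placing example.com on the Charter host, and the extra "other.example" names are assumptions made for the example.

```python
import ipaddress

# Constructed forward (A) and reverse (PTR) zone data for this example only;
# none of it is real DNS. Names are kept lower case with no trailing dot.
FORWARD_A = {
    "mail.example.com": {"192.0.2.3"},
    # Assumption: example.com's A record points at the Charter static host.
    "example.com": {"71.13.88.230"},
    "71-13-88-230.static.bycy.mi.charter.com": {"71.13.88.230"},
    "mail.other.example": {"192.0.2.61"},  # forward maps to a different IP
}
REVERSE_PTR = {
    "192.0.2.3": ["mail.example.com"],
    "71.13.88.230": ["71-13-88-230.static.bycy.mi.charter.com"],
    "192.0.2.50": ["smtp.other.example"],  # PTR present, but no A record for the name
    "192.0.2.60": ["mail.other.example"],  # PTR present, A record points elsewhere
    # 192.0.2.99 deliberately has no PTR at all
}


def lookup_a(name):
    return FORWARD_A.get(name.lower().rstrip("."), set())


def lookup_ptr(ip):
    return REVERSE_PTR.get(ip, [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS as an MTA applies it to a connecting IP.

    Returns (status, validated_names); status is "pass", "mismatch" or "no-ptr".
    A PTR name only counts if its A records include the original IP.
    """
    ptr_names = lookup_ptr(ip)
    if not ptr_names:
        return "no-ptr", []
    validated = [n for n in ptr_names if ip in lookup_a(n)]
    if validated:
        return "pass", validated
    return "mismatch", []


QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, record):
    """Evaluate a small subset of v=spf1: the a, ip4, ptr and all mechanisms.

    mx, include, exists, redirect, CIDR suffixes and macros are left out;
    any other mechanism yields "permerror", as the spec requires for unknowns.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup_a(arg or domain)
        elif mech == "ip4":
            if not arg:
                return "permerror"
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "ptr":
            target = (arg or domain).lower()
            status, names = fcrdns(ip)
            # Only forward-confirmed PTR names may match (RFC 4408 section 5.5),
            # and they must be the target domain or a subdomain of it.
            matched = status == "pass" and any(
                n == target or n.endswith("." + target) for n in names)
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


if __name__ == "__main__":
    for ip in ("192.0.2.3", "71.13.88.230", "192.0.2.50", "192.0.2.60", "192.0.2.99"):
        print(ip, fcrdns(ip))
    for rec in ("v=spf1 ptr -all", "v=spf1 a ptr -all"):
        print(rec, "->", spf_check("71.13.88.230", "example.com", rec))
```

Running it shows the point of the last paragraph: from 71.13.88.230 the record "v=spf1 ptr -all" fails because the confirmed PTR name is under charter.com, not example.com, while "v=spf1 a ptr -all" passes on the "a" mechanism before "ptr" is ever consulted. The three failing rDNS cases (no PTR, PTR with no A record, PTR whose A record points elsewhere) are the ones that get a connection refused before SPF runs.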

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735