At 02:42 AM 12/23/2007 +0000, you wrote:
Julian Mehnle wrote:
Julian Mehnle wrote:
Frank Ellermann wrote:
I think [Google] reject FAIL, [...]
See also <http://www.openspf.org/Frank_Ellermann/Google>, if it's
generally interesting I could move it to an "ordinary" openspf
page.
Before we consider that, how can we be sure that the rejection
demonstrated on that page is actually due to an SPF Fail?
Here's an indication to the contrary from 2007-12-03:
[...]
And here's the result of me sending an SPF-spoofed message to a GMail
account I created ad-hoc:
| Received: by 10.150.202.10 with SMTP id z10cs28334ybf;
| Sat, 22 Dec 2007 18:18:36 -0800 (PST)
| Received: by 10.65.73.16 with SMTP id a16mr4520780qbl.36.1198376315518;
| Sat, 22 Dec 2007 18:18:35 -0800 (PST)
| Return-Path: <julian(_at_)mehnle(_dot_)net>
| Received: from earbone.schlitt.net (openspf.org [76.79.20.188])
| by mx.google.com with ESMTP id h7si3376335roe.17.2007.12.22.18.17.59;
| Sat, 22 Dec 2007 18:18:35 -0800 (PST)
| Received-SPF: fail (google.com: domain of julian(_at_)mehnle(_dot_)net does
not designate 76.79.20.188 as permitted sender) client-ip=76.79.20.188;
| Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
julian(_at_)mehnle(_dot_)net does not designate 76.79.20.188 as permitted
sender) smtp(_dot_)mail=julian(_at_)mehnle(_dot_)net
I.e., no SMTP-time rejection.
This *is* a surprise!! I get exactly the same result sending from a yahoo.com
account to a gmail.com account, using a box67 return address with a -all SPF
record.
Received: from smtp118.plus.mail.sp1.yahoo.com (smtp118.plus.mail.sp1.yahoo.com
[69.147.95.81])
by mx.google.com with SMTP id n40si5215300wag.34.2007.12.23.00.19.04;
Sun, 23 Dec 2007 00:19:06 -0800 (PST)
Received-SPF: fail (google.com: domain of honeypot(_at_)box67(_dot_)com does
not designate 69.147.95.81 as permitted sender) client-ip=69.147.95.81;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
honeypot(_at_)box67(_dot_)com does not designate 69.147.95.81 as permitted
sender) smtp(_dot_)mail=honeypot(_at_)box67(_dot_)com
So even if we are in that brave 3% publishing -all, our policy is likely to be
ignored by large ESPs!
I tried it in the other direction - from Gmail to Yahoo, and it also went
through. In this case, however, I see that the envelope return address was my
actual gmail account, not the box67 address that I set up in Gmail's "Send mail
as" account setup page. It seems Google is doing the right thing for SPF,
although I think some of their users would be surprised to know that their real
email address is not secure.
Here is my latest theory about what Google is doing. They actually, in spite
of their lack of communication and response to complaints, are trying to do the
right thing. The huge number of IP addresses in their SPF record is because
they actually have legitimate mail coming from webmail accounts, blogger
accounts, whatever, and the machines running those services can be anywhere in
their worldwide network. They could do a better job of detecting and limiting
outgoing spam, but the status quo is good enough. Improving the reputation on
their outgoing mail is not worth the cost of routing it all through a few
special servers.
As for the ~all in their own SPF record, they are apparently concerned about
false rejects that can occur with -all (due to the "forwarding problem"). A
softfail ~all will hopefully get someone's attention at the receiving end,
perhaps even a notification back to Google, where a -all will more likely get a
reject with notice only to the forwarder.
I wish I could be more confident that the -all in my SPF record isn't causing a
problem. It is hard to know when a message is lost, and even harder to track
down the cause.
-- Dave
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription:
http://v2.listbox.com/member/?member_id=2183229&id_secret=78935970-2faf34
Powered by Listbox: http://www.listbox.com