Re: [spf-discuss] Google not rejecting on SPF Fail?
2007-12-23 10:47:06
One other surprise I just noticed. Google's Received-SPF header is *below*
their Received header!
Received: from smtp110.plus.mail.sp1.yahoo.com (smtp110.plus.mail.sp1.yahoo.com
[69.147.95.73])
by mx.google.com with SMTP id a8si5500255poa.2.2007.12.23.09.27.32;
Sun, 23 Dec 2007 09:27:33 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning
spamtrap(_at_)box67(_dot_)com does not designate 69.147.95.73 as permitted
sender) client-ip=69.147.95.73;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of
transitioning spamtrap(_at_)box67(_dot_)com does not designate 69.147.95.73 as
permitted sender) smtp(_dot_)mail=spamtrap(_at_)box67(_dot_)com
Received: (qmail 9320 invoked from network); 23 Dec 2007 17:27:31 -0000
Received: from unknown (HELO phred.box67.com)
(david_macquigg(_at_)69(_dot_)9(_dot_)25(_dot_)232 with login)
by smtp110.plus.mail.sp1.yahoo.com with SMTP; 23 Dec 2007 17:27:31 -0000
We had a thorough discussion of proper header order a year ago
http://www.emaildiscussions.com/showthread.php?t=46632, and ended up changing
our Border Patrol MTA to place these headers as expected by most "header
readers" (not in strict chronological order).
-- Dave
At 02:42 AM 12/23/2007 +0000, I wrote:
Julian Mehnle wrote:
Julian Mehnle wrote:
Frank Ellermann wrote:
I think [Google] reject FAIL, [...]
See also <http://www.openspf.org/Frank_Ellermann/Google>, if it's
generally interesting I could move it to an "ordinary" openspf
page.
Before we consider that, how can we be sure that the rejection
demonstrated on that page is actually due to an SPF Fail?
Here's an indication to the contrary from 2007-12-03:
[...]
And here's the result of me sending an SPF-spoofed message to a GMail
account I created ad-hoc:
| Received: by 10.150.202.10 with SMTP id z10cs28334ybf;
| Sat, 22 Dec 2007 18:18:36 -0800 (PST)
| Received: by 10.65.73.16 with SMTP id a16mr4520780qbl.36.1198376315518;
| Sat, 22 Dec 2007 18:18:35 -0800 (PST)
| Return-Path: <julian(_at_)mehnle(_dot_)net>
| Received: from earbone.schlitt.net (openspf.org [76.79.20.188])
| by mx.google.com with ESMTP id
h7si3376335roe.17.2007.12.22.18.17.59;
| Sat, 22 Dec 2007 18:18:35 -0800 (PST)
| Received-SPF: fail (google.com: domain of julian(_at_)mehnle(_dot_)net does
not designate 76.79.20.188 as permitted sender) client-ip=76.79.20.188;
| Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
julian(_at_)mehnle(_dot_)net does not designate 76.79.20.188 as permitted
sender) smtp(_dot_)mail=julian(_at_)mehnle(_dot_)net
I.e., no SMTP-time rejection.
This *is* a surprise!! I get exactly the same result sending from a yahoo.com
account to a gmail.com account, using a box67 return address with a -all SPF
record.
Received: from smtp118.plus.mail.sp1.yahoo.com
(smtp118.plus.mail.sp1.yahoo.com [69.147.95.81])
by mx.google.com with SMTP id n40si5215300wag.34.2007.12.23.00.19.04;
Sun, 23 Dec 2007 00:19:06 -0800 (PST)
Received-SPF: fail (google.com: domain of honeypot(_at_)box67(_dot_)com does
not designate 69.147.95.81 as permitted sender) client-ip=69.147.95.81;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
honeypot(_at_)box67(_dot_)com does not designate 69.147.95.81 as permitted
sender) smtp(_dot_)mail=honeypot(_at_)box67(_dot_)com
So even if we are in that brave 3% publishing -all, our policy is likely to be
ignored by large ESPs!
I tried it in the other direction - from Gmail to Yahoo, and it also went
through. In this case, however, I see that the envelope return address was my
actual gmail account, not the box67 address that I set up in Gmail's "Send
mail as" account setup page. It seems Google is doing the right thing for
SPF, although I think some of their users would be surprised to know that
their real email address is not secure.
Here is my latest theory about what Google is doing. They actually, in spite
of their lack of communication and response to complaints, are trying to do
the right thing. The huge number of IP addresses in their SPF record is
because they actually have legitimate mail coming from webmail accounts,
blogger accounts, whatever, and the machines running those services can be
anywhere in their worldwide network. They could do a better job of detecting
and limiting outgoing spam, but the status quo is good enough. Improving the
reputation on their outgoing mail is not worth the cost of routing it all
through a few special servers.
As for the ~all in their own SPF record, they are apparently concerned about
false rejects that can occur with -all (due to the "forwarding problem"). A
softfail ~all will hopefully get someone's attention at the receiving end,
perhaps even a notification back to Google, where a -all will more likely get
a reject with notice only to the forwarder.
I wish I could be more confident that the -all in my SPF record isn't causing
a problem. It is hard to know when a message is lost, and even harder to
track down the cause.
-- Dave
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription:
http://v2.listbox.com/member/?member_id=2183229&id_secret=78979730-2c95b7
Powered by Listbox: http://www.listbox.com
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- [spf-discuss] Re: Google's SPF Record, (continued)
- [spf-discuss] Re: Google's SPF Record, Julian Mehnle
- [spf-discuss] Re: Google's SPF Record, Frank Ellermann
- [spf-discuss] Google not rejecting on SPF Fail?, Julian Mehnle
- Re: [spf-discuss] Google not rejecting on SPF Fail?, David MacQuigg
- Re: [spf-discuss] Google not rejecting on SPF Fail?, Alex van den Bogaerdt
- Re: [spf-discuss] Google not rejecting on SPF Fail?,
David MacQuigg <=
- [spf-discuss] Re: Google not rejecting on SPF Fail?, Julian Mehnle
- Re: [spf-discuss] Re: Google not rejecting on SPF Fail?, David MacQuigg
- Message not available
- Re: [spf-discuss] Re: advice wrong, or is it?, Bill Adragna
- Re: [spf-discuss] Re: advice wrong, or is it?, Gino Cerullo
- Re: [spf-discuss] Re: advice wrong, or is it?, Bill Adragna
- Re: [spf-discuss] Re: advice wrong, or is it?, Alex van den Bogaerdt
- [spf-discuss] SPF PASS spam is good (was:: advice wrong, or is it?), Frank Ellermann
- Re: [spf-discuss] Re: advice wrong, or is it?, David Woodhouse
- Re: [spf-discuss] Re: advice wrong, or is it?, Alex van den Bogaerdt
- Re: [spf-discuss] Re: advice wrong, or is it?, Daniel Taylor
|
|
|