[BCLUG] Interesting email about domain expiring - SPF vs SPAM question
BCLUG
admin at bclug.ca
Fri Aug 19 06:21:18 EDT 2022
Rick Moen wrote on 2022-08-18 19:06:
> Am inferring "this domain" = bclug.ca .
Correct.
>> Looking further, the SPF/TXT records for the domain all end with
>> "~all".
>
> Checking.
>
> :r! dig -t txt bclug.ca +short
> "v=spf1 +a +mx +a:lists.bclug.ca +ip4:199.212.143.222 +a:69.172.190.161 -all"
>
> Late thought: Presumably this is after you changed ~ to -.
Correct again.
> Let's get to the syntax problems in
>
> "v=spf1 +a +mx +a:lists.bclug.ca +ip4:199.212.143.222
> +a:69.172.190.161 -all" :
>
> First problem: The syntax of each and every object in there is
> wrong, because there's not supposed to be a "+" on any of them. Field
> guide to syntax (one of many):
> https://support.google.com/a/answer/10683907
That link has a chart of "optional qualifiers" that lists the "+-~?"
characters; I assume they're allowed (optionally) for explicitness?
Google (link above) states, about "mechanisms" (v, ip4, a, mx, ...):
> You can use optional SPF record qualifiers with mechanisms.
> Second problem: Aside from the +, the "a:lists.bclug.ca" is valid
> syntax (will become valid once you remove the +). But, seems to me,
> "a:lists.bclug.ca" is redundant to "ip4:199.212.143.222" -- because
> that's where the a record resolves to.
Yes, I initially used both because I wasn't sure they'd continue to
resolve to the same address.
> :r! dig -t a lists.bclug.ca +short
> 199.212.143.222
>
> So, I'd say, lose "a:lists.bclug.ca", because all you're doing is
> making SMTP servers do pointless additional DNS lookups, just to
> process your SPF declarations.
Not a bad idea, but I think that a "pass" ends the SPF processing (from
the Google link you provided):
> Mechanisms are checked in the order they occur in the SPF record. If
> a mechanism doesn’t have a qualifier and there’s a match, the default
> action is pass authentication.
> Third problem: "a" (which you wrote as "+a") is redundant to
> "ip4:199.212.143.222":
>
> :r! dig -t a bclug.ca +short
> 69.172.190.161
>
> So, I'd say, lose "a", too.
That one definitely needs changing, because it's an incorrect use of
"a"; it should be "ip4".
Somehow I (incorrectly) thought that a "mechanism" of "a" meant
"the sender has a DNS A record", instead of the correct "Authorize mail
servers by domain name".
That's a pretty big mistake.
But, I'll keep it as an "ip4" so my home-based server can send
occasional emails.
> It's not entirely clear to me why you declare the same IP twice as
> both higher-priority and lower-priority MX.
Good catch. Again, I wasn't initially sure they'd be hosted on the same
server. I half expected to relocate to another VPS.
> Important: There might be reasons why you want to add something
> else, e.g., adding "a" or "mx" might be justifiable in the sense of
> making your SPF declarations remain accurate if you changed your MX
> DNS records but forgot to change the IPs in the SPF RR. Only you
> can decide how complex you_need_ your SPF RR to be. It should be
> what meets your needs. All I can say is that it_appears_ to me that
> the present complexity doesn't serve a purpose I think you value,
> and doesn't justify the many extra lookups imposed.
You are quite right: the redundancy is there to prevent breakage due to
my making a future change and forgetting to update something.
However, I don't think it requires extra lookups by an SPF processor
since my read of it is that first match is a pass or fail:
> Qualifiers tell the receiving mail server whether to consider a
> message authenticated when there's a match with a mechanism value.
> Hope that helps.
It does - a *lot*!
Thank you so much, I'm definitely going to rewrite my TXT SPF record(s)!
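Below is an added worked example, not part of the thread, that replays the two points argued above in code: an offline SPF evaluator that walks a record left to right, stops at the first matching term, and counts how many a/mx terms had to be resolved before that match. The DNS table is constructed (the A records are copied from the dig output quoted above; the MX entry pointing bclug.ca at lists.bclug.ca is an assumption for the demo), and 203.0.113.5 is a hypothetical unauthorised sender.

```python
"""Offline SPF (RFC 7208) evaluator over a constructed DNS table.

Demonstrates the two points debated above: terms are tried left to right
and the first match decides the result, yet every a/mx/include term
evaluated before that match still costs a DNS lookup that counts toward
RFC 7208's limit of 10, while ip4/ip6/all terms cost nothing.
"""
import ipaddress

# Constructed DNS data standing in for live lookups. The A records mirror the
# dig output quoted in the thread; the MX entry is an assumption for the demo.
DNS = {
    ("bclug.ca", "A"): ["69.172.190.161"],
    ("lists.bclug.ca", "A"): ["199.212.143.222"],
    ("bclug.ca", "MX"): ["lists.bclug.ca"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"a", "mx", "include", "ptr", "exists"}  # count toward the 10-lookup limit
NO_LOOKUP_MECHS = {"ip4", "ip6", "all"}

# The record under discussion and the ip4-only rewrite suggested in the thread.
ORIGINAL = ("v=spf1 +a +mx +a:lists.bclug.ca +ip4:199.212.143.222 "
            "+a:69.172.190.161 -all")
SIMPLIFIED = "v=spf1 ip4:199.212.143.222 ip4:69.172.190.161 -all"


def parse_spf(record):
    """Return ([(qualifier, mechanism, argument), ...], warnings).

    A missing qualifier defaults to '+', so '+a' and 'a' are identical. An
    'a:' argument that is an IP literal is not a valid domain-spec, so it is
    reported as a warning (strict check_host turns it into permerror).
    """
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms, warnings = [], []
    for field in fields[1:]:
        qual = "+"
        if field[:1] in QUALIFIERS:
            qual, field = field[0], field[1:]
        mech, _, arg = field.partition(":")
        mech = mech.lower()
        if mech not in LOOKUP_MECHS | NO_LOOKUP_MECHS:
            raise ValueError(f"unsupported mechanism {mech!r}")
        if mech == "a" and arg and all(label.isdigit() for label in arg.split(".")):
            warnings.append(f"'a:{arg}' is an IP literal, not a domain; use 'ip4:{arg}'")
        terms.append((qual, mech, arg))
    return terms, warnings


def _a_records(name, dns, queries):
    queries.append((name, "A"))
    return dns.get((name, "A"), [])


def check_host(ip, domain, record, dns=DNS, strict=False):
    """Evaluate `record` for sending `ip`; return (result, lookups, queries).

    lookups: lookup-counted terms actually evaluated before a match
    queries: every (name, type) question that would have gone to DNS
    """
    ip = ipaddress.ip_address(ip)
    terms, warnings = parse_spf(record)
    if strict and warnings:
        return "permerror", 0, []
    lookups, queries = 0, []
    for qual, mech, arg in terms:
        if mech in LOOKUP_MECHS:
            lookups += 1
            if lookups > 10:
                return "permerror", lookups, queries
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in _a_records(arg or domain, dns, queries)
        elif mech == "mx":
            queries.append((arg or domain, "MX"))
            matched = any(str(ip) in _a_records(mx, dns, queries)
                          for mx in dns.get((arg or domain, "MX"), []))
        else:  # include/ptr/exists are not needed for the records in this thread
            raise NotImplementedError(mech)
        if matched:
            return QUALIFIERS[qual], lookups, queries
    return "neutral", lookups, queries  # nothing matched and no 'all' term


if __name__ == "__main__":
    # 203.0.113.5 is a documentation-range address used here as a spoofing sender.
    for sender in ("199.212.143.222", "69.172.190.161", "203.0.113.5"):
        for label, rec in (("original", ORIGINAL), ("simplified", SIMPLIFIED)):
            result, lookups, queries = check_host(sender, "bclug.ca", rec)
            print(f"{sender:>16} {label:>10}: {result:<8} "
                  f"counted lookups={lookups} DNS queries={len(queries)}")
    print("strict evaluation of the original record:",
          check_host("203.0.113.5", "bclug.ca", ORIGINAL, strict=True)[0])
```

Run as a script it prints one line per sender/record pair. For the list server's own address the original record does pass at the mx term, as the first-match reading says, but only after two lookup-counted terms and three DNS questions; the ip4-only rewrite passes with none. For a host that is not listed at all, every a/mx term is resolved before -all fires, which is the extra-lookup cost under discussion, and a strict RFC 7208 parser rejects the whole record because 'a:69.172.190.161' is not a domain name.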