[BCLUG] Interesting email about domain expiring - SPF vs SPAM question

BCLUG admin at bclug.ca
Fri Aug 19 06:21:18 EDT 2022


Rick Moen wrote on 2022-08-18 19:06:

> Am inferring "this domain" = bclug.ca .

Correct.


>> Looking further, the SPF/TXT records for the domain all end with 
>> "~all".
> 
> Checking.
> 
> :r! dig -t txt bclug.ca +short
> "v=spf1 +a +mx +a:lists.bclug.ca +ip4:199.212.143.222 +a:69.172.190.161 -all"
> 
> Late thought:  Presumably this is after you changed ~ to -.

Correct again.


> Let's get to the syntax problems in
> 
> "v=spf1 +a +mx +a:lists.bclug.ca +ip4:199.212.143.222 
> +a:69.172.190.161 -all"  :
> 
> First problem:  The syntax of each and every object in there is 
> wrong, because there's not supposed to be a "+" on any of them. Field
> guide to syntax (one of many): 
> https://support.google.com/a/answer/10683907

That link has a chart of "optional qualifiers" that lists the "+-~?"
characters; I assume they're allowed (optionally) for explicitness?

Google (link above) states about "mechanisms" (v,ip4,a,mx,...):

> You can use optional SPF record qualifiers with mechanisms.




> Second problem:  Aside from the +, the "a:lists.bclug.ca" is valid 
> syntax (will become valid once you remove the +).  But, seems to me,
>  "a:lists.bclug.ca" is redundant to "ip4:199.212.143.222" -- because
>  that's where the a record resolves to.

Yes, I initially used both because I wasn't sure they'd continue to
resolve to the same address.



> :r! dig -t a lists.bclug.ca +short
> 199.212.143.222
> 
> So, I'd say, lose "a:lists.bclug.ca", because all you're doing is 
> making SMTP servers do pointless additional DNS lookups, just to 
> process your SPF declarations.

Not a bad idea, but I think that a "pass" ends the SPF processing (from
the Google link you provided):

> Mechanisms are checked in the order they occur in the SPF record. If 
> a mechanism doesn’t have a qualifier and there’s a match, the default
> action is pass authentication.





> Third problem:  "a" (which you wrote as "+a") is redundant to 
> "ip4:199.212.143.222":
> 
> :r! dig -t a bclug.ca +short
> 69.172.190.161
> 
> So, I'd say, lose "a", too.

That one definitely needs changing, because it's an incorrect use of
"a", should be "ip4".

Somehow I (incorrectly) thought that a "mechanism" of "a" meant
"the sender has a DNS A record", instead of the correct "Authorize mail
servers by domain name".

That's a pretty big mistake.

But, I'll keep it as an "ip4" so my home-based server can send
occasional emails.




> It's not entirely clear to me why you declare the same IP twice as 
> both higher-priority and lower-priority MX.

Good catch.  Again, wasn't initially sure they'd be hosted on same
server. Half expected to relocate to another VPS.



> Important:  There might be reasons why you want to add something 
> else, e.g., adding "a" or "mx" might be justifiable in the sense of 
> making your SPF declarations remain accurate if you changed your MX 
> DNS records but forgot to change the IPs in the SPF RR.  Only you
> can decide how complex you _need_ your SPF RR to be.  It should be
> what meets your needs.  All I can say is that it _appears_ to me that
> the present complexity doesn't serve a purpose I think you value,
> and doesn't justify the many extra lookups imposed.

You are quite right in the redundancy to prevent me from breakage due to
making a future change and forgetting to update something.

However, I don't think it requires extra lookups by an SPF processor
since my read of it is that first match is a pass or fail:

> Qualifiers tell the receiving mail server whether to consider a 
> message authenticated when there's a match with a mechanism value



> Hope that helps.

It does - a *lot*!


Thank you so much, I'm definitely going to rewrite my TXT SPF record(s)!
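
The points argued back and forth above (whether a "+" qualifier is legal, whether the first matching mechanism ends evaluation, and whether the "a" and "mx" terms in front of the "ip4" term still cost DNS lookups) can be made concrete with a small SPF evaluator. The following is an added example written for this archive page, not code from either poster. It parses a v=spf1 record, evaluates it in order for a given sender IP with first-match semantics, and counts every DNS query issued on the way to that match against a constructed stand-in for the resolver. The DNS answers are a fake zone built from the two addresses quoted in the thread; the MX target is hypothetical, "include" recursion is left out, and the query counter is a simplification of the per-mechanism accounting that RFC 7208 uses for its 10-lookup limit.

```python
# Added example, not from the mailing-list thread: a minimal SPF evaluator.
# Demonstrates that a "+" qualifier is optional but valid, that mechanisms
# are tried in order and the first match decides the result, and that every
# "a" / "mx" term reached before the match costs DNS queries even though the
# final result is the same.
import ipaddress
import re

# CONSTRUCTED fake DNS zone: (name, rrtype) -> list of answers.
# Addresses are the two quoted in the thread; the MX target is hypothetical.
FAKE_DNS = {
    ("bclug.ca", "A"): ["69.172.190.161"],
    ("lists.bclug.ca", "A"): ["199.212.143.222"],
    ("bclug.ca", "MX"): ["lists.bclug.ca"],  # hypothetical MX target
}

# qualifier (optional, defaults to "+") + mechanism + optional ":argument"
TERM_RE = re.compile(r"^([+\-~?])?(all|a|mx|ip4|ip6|include)(?::(.+))?$")
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it is a permerror


def parse_spf(record):
    """Return [(qualifier, mechanism, argument)] or raise ValueError."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in parts[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unknown or malformed term: {tok!r}")
        qual, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        if mech in ("ip4", "ip6"):
            ipaddress.ip_network(arg, strict=False)  # raises on a bad address
        elif mech == "include" and arg is None:
            raise ValueError(f"include needs a domain: {tok!r}")
        terms.append((qual, mech, arg))
    return terms


def lookup(name, rrtype, counter):
    """One DNS query against the fake zone; counter[0] is the running total."""
    counter[0] += 1
    if counter[0] > MAX_LOOKUPS:
        raise RuntimeError("permerror: too many DNS lookups")
    return FAKE_DNS.get((name, rrtype), [])


def mechanism_matches(mech, arg, domain, ip, counter):
    """Apply one mechanism to sender IP `ip`; a/mx consult the fake DNS."""
    target = arg or domain
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        # version mismatch (v4 address vs v6 network) simply yields False
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in lookup(target, "A", counter)
    if mech == "mx":
        for host in lookup(target, "MX", counter):
            if str(ip) in lookup(host, "A", counter):
                return True
        return False
    raise NotImplementedError("include recursion is omitted in this example")


def check_host(record, domain, sender_ip):
    """Evaluate `record` for `sender_ip`; return (result, dns_queries_used)."""
    ip = ipaddress.ip_address(sender_ip)
    counter = [0]
    for qual, mech, arg in parse_spf(record):
        if mechanism_matches(mech, arg, domain, ip, counter):
            return RESULT[qual], counter[0]  # first match ends evaluation
    return "neutral", counter[0]  # nothing matched and no "all" term


if __name__ == "__main__":
    original = ("v=spf1 +a +mx +a:lists.bclug.ca +ip4:199.212.143.222 "
                "+a:69.172.190.161 -all")
    trimmed = "v=spf1 ip4:199.212.143.222 ip4:69.172.190.161 -all"
    for ip in ("199.212.143.222", "69.172.190.161", "203.0.113.5"):
        print(ip, "original:", check_host(original, "bclug.ca", ip),
              "trimmed:", check_host(trimmed, "bclug.ca", ip))
```

Running it shows the same pass/fail outcome for both records, but the original one spends several queries before reaching a decision (the "a" and "mx" terms in front of "ip4" are evaluated and miss for a sender that is only listed under "ip4"), while the trimmed record decides with none. Note also that "+a:69.172.190.161" parses cleanly: an IP literal is a syntactically acceptable domain argument, so the misuse the thread discusses is invisible to a syntax check and only shows up as a lookup that never matches.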

