2 Jun 21:29
Newbie-esque SPF deployment questions
From: Jeremy Chadwick <spf <at> jdc.parodius.com>
Subject: Newbie-esque SPF deployment questions
Newsgroups: gmane.mail.spam.spf.help
Date: 2005-06-02 19:33:06 GMT
Greetings.
I've deployed SPF DNS records for our domains, but one of our users
today informed me of something somewhat bizarre which I still can't
seem to make sense of.
Basically, our outgoing setup (mail from user <at> parodius.com to
someplace <at> somedomain.com) is as follows:
Client MUA --> mx1.parodius.com:587 --> mx1.parodius.com:* --> someplace <at> somedomain.com
               {sendmail}               {sendmail}
And for incoming mail (mail destined to user <at> parodius.com):
Internet host --> mx1.parodius.com:25 --> procmail (MTA) --> SpamAssassin + SPF --> Local mailbox
                  {sendmail}
Important to note: sendmail is bound to mx1.parodius.com (64.62.145.229),
which is an IP alias on the same physical machine as the A record you
see for the actual domain itself (parodius.com). All SMTP traffic
(incoming and outgoing) is done over 64.62.145.229; and yes, I am 100%
sure of this. I just wanted to make that crystal clear.
The SPF records I deployed were the following:
parodius.com.      IN  A    64.62.145.226
parodius.com.      IN  MX   10 mx1.parodius.com.
parodius.com.      IN  TXT  "v=spf1 mx ~all"
mx1.parodius.com.  IN  A    64.62.145.229
mx1.parodius.com.  IN  TXT  "v=spf1 a -all"
Users of our service must use our mail server (mx1.parodius.com) to
send mail from their user <at> parodius.com addresses. I chose ~all for
our domain since there are probably a few stragglers who still use
their own local ISPs' mail servers to send their mail, so I wanted
something in-between lenient and strict.
So, question 1: are these SPF records correct for what we want? I
realise this is quite an ignorant question for a UNIX administrator
to ask, but the documentation of SPF is -- despite what others may
claim -- quite rhetorical and confusing.
Question 2: Do I really need the SPF record for mx1.parodius.com?
Now onto the actual problem one of our users found today:
The user, who's located in Canada, mails numerous friends of his (similar
to a mailing list) by placing their addresses in the Bcc: field. He uses
username <at> parodius.com as his From: -- and also in the To: field (yes,
he gets a copy of the mail himself). Bcc is used so that the users
don't know of other people's Email addresses, in the case that one of
them gets a virus/zombie and starts spamming all the addresses it can
find, yadda yadda... you know the routine.
However, since doing this, his own Emails are getting marked with a +0.5
in SpamAssassin score due to SPF lookups claiming SOFTFAIL:
>> pts rule name description
>> ---- ---------------------- --------------------------------------------------
>> 0.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
>> [SPF failed: Please see http://spf.pobox.com/why.html?sender=username%40parodius.com&ip=65.95.32.147&receiver=pentarou.parodius.com]
This confuses me greatly, as pentarou.parodius.com == 64.62.145.226,
which has nothing to do with our SMTP setup.
Can someone shed some light on what all is going on here, why this is
breaking, and what can be done to fix it properly?
Thanks.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. |
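
Added example, not part of the original post: a minimal SPF evaluator run over the records quoted above, so the result can be compared for the two addresses that appear in the post (the mail server's 64.62.145.229 and the ip= value 65.95.32.147 in the SpamAssassin report). The zone table is constructed from the post's records, the function names are hypothetical, and only the a, mx, ip4 and all mechanisms are handled.

```python
import ipaddress

# Constructed lookup table holding the DNS records quoted in the post.
ZONE = {
    ("parodius.com", "A"): ["64.62.145.226"],
    ("parodius.com", "MX"): ["mx1.parodius.com"],
    ("parodius.com", "TXT"): ["v=spf1 mx ~all"],
    ("mx1.parodius.com", "A"): ["64.62.145.229"],
    ("mx1.parodius.com", "TXT"): ["v=spf1 a -all"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Hypothetical resolver stand-in: answers only from ZONE."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def addresses(name):
    """A records of `name` as ip_address objects."""
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}


def check_host(ip, domain):
    """Return the SPF result for client `ip` and sender `domain`.

    Simplified: a, mx, ip4 and all only; anything else is a permerror.
    """
    client = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = client in addresses(arg or domain)
        elif name == "mx":
            matched = any(client in addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"
```

With these records, only 64.62.145.229 satisfies the mx mechanism of parodius.com; any other connecting address, including 64.62.145.226 and 65.95.32.147, falls through to ~all.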