Another ambiguous SPF Rule confuses admin |
Post Reply 
|
| Author | |
pcmatt 
Senior Member 
Joined: 15 February 2005 Location: United States Status: Offline Points: 116 |
 Post Options
 Thanks(0)
 Quote Reply
 Topic: Another ambiguous SPF Rule confuses adminPosted: 18 September 2006 at 10:16pm |
|
Thought it was a bug in SpamFilter but really a bug in SPF documentation. Identifiers are not really clear in some cases. Example: TXT Record - "v=spf1 a -all" the identifyer above "a" does not refer to all host records as it reads literally in the SPF docs, but only refers to the host record for the domain itself. This was originally mis identified as a bug in SpamFilter.
Edited by pcmatt |
|
|
-Matt R
|
|
 |
|
|
LogSat
Admin Group 
Joined: 25 January 2005 Location: United States Status: Offline Points: 4105 |
Post Options
Thanks(0)
Quote Reply
Posted: 19 September 2006 at 8:34am |
|
Matt,
Actually SpamFilter's behavior is correct. You can verify this directly from the official openspf site: http://www.openspf.org/why.html?sender=joe%40125percent.com& amp;ip=65.166.65.106&formwasused=1&debug=0 The email should indeed be rejected when originating from 65.166.65.106. The nslookup results for an "A" search in fact only show the results for the .108: > set type=a > 125percent.com Server: ns1.netwide.net Address: 209.26.140.2 Non-authoritative answer: Name: 125percent.com Address: 65.166.65.108 > |
|
|
|
|
pcmatt
Senior Member
Joined: 15 February 2005 Location: United States Status: Offline Points: 116 |
Post Options
Thanks(0)
Quote Reply
Posted: 19 September 2006 at 8:57am |
I would use their test if it was not wrong too. We should have a program that is correct, not modeled after an incorrect example.The a mechanism clearly documents that when only the a specifier is used ALL the A records for domain are tested. If the client IP is found among them, this mechanism matches. -MJR The
|
|
|
-Matt R
|
|
|
|
|
mikek
Senior Member
Joined: 22 February 2005 Location: Switzerland Status: Offline Points: 133 |
Post Options
Thanks(0)
Quote Reply
Posted: 19 September 2006 at 9:29am |
|
that's the A entries for <domain>, not <host.domain>...
if you have two A records for 125percent.com, they will be checked, but not any host A records. your dns zone probably looks something like this (here you see the problem, there is no way to list the host A records since the domain was - correctly - set up to deny listing records): 125percent.com A 65.166.65.108 mail.125percent.com A 65.166.65.108 smtp.125percent.com A 65.166.65.106 if you would add 125percent.com A 65.166.65.106 the second address would be output by an nslookup 125percent.com and therefore checked by the SPF A mechanism as well. Edited by mikek |
|
|
|
|
pcmatt
Senior Member
Joined: 15 February 2005 Location: United States Status: Offline Points: 116 |
Post Options
Thanks(0)
Quote Reply
Posted: 19 September 2006 at 10:50am |
|
Roberto, You are correct. The documentation on SPF is unclear and has succesfully confused domain admins and myself. |
|
|
-Matt R
|
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4105 |
Post Options
Thanks(0)
Quote Reply
Posted: 19 September 2006 at 11:54am |
|
Don't worry Matt... remember all the times when WE were confused with SPF and had it wrong and YOU pointed us in the right direction
 ?
Edited by LogSat |
|
|
|
Topic Options|
Post Reply
|
|
Tweet
|
| Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
This page was generated in 0.227 seconds.