Hi All,

Bear in mind that MX records are used to work out where mail should be sent to, and do not necessarily reflect where it is coming from, and the SPF records are to verify that messages are coming from an authorised source.

If the sending host happens to be the same as the receiving host, the "v=spf1 a mx ptr -all" record makes sense, but if they are relaying through their ISP, they'll need to add the relay hosts to that record.

To me, it looks like oasystems.co.nz are relaying through gunge.hosts.net.nz (210.48.108.215) and this is not reflected in the published SPF record. For the SPF record to be valid, there needs to be an ip4:210.48.108.215 entry added.

-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Regan Murphy
Sent: Thursday, 22 July 2010 4:04 p.m.
To: Jasper Bryant-Greene; pid(a)ifm.net.nz
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] SPF Mail rejection

SPF of "v=spf1 a mx ptr -all" is supposed to mean that all MX hosts for a domain are the only authorised senders of mail for that domain, correct? And the IP must match the PTR record for that host.

oasystems.co.nz:
witch.oasystems.co.nz is the MX 10 for oasystems.co.nz
witch.oasystems.co.nz resolves to 202.180.74.56 (A)
202.180.74.56 resolves to witch.oasystems.co.nz (PTR)

Where is this SPF record broken?

This line from the rejection:
"210.48.108.215 is not allowed to send mail from oasystems.co.nz"
is saying the host grunge.hosts.net.nz is not allowed to send email on behalf of oasystems.co.nz which is correct, it's not.

--
Regan

-----Original Message-----
From: Jasper Bryant-Greene [mailto:jasper(a)metaname.co.nz]
Sent: Thursday, 22 July 2010 3:54 p.m.
To: Regan Murphy
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] SPF Mail rejection

On 22/07/2010, at 3:47 PM, Regan Murphy wrote:
> Why is OrgA's SPF record broken?
> Are you saying that OrgA needs to add SPF records to allow every ISP and Hosting company to relay email on its behalf?

No, only the hosts which send mail on OrgA's behalf. This is usually only a handful of hosts at most. In this case, it's probably just their server (if they send any mail directly), and/or their hosting company's mail server (if they use it as a so-called "smarthost").

http://en.wikipedia.org/wiki/Sender_Policy_Framework is quite comprehensive.

-jasper
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
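
Added example, not part of the thread: a small offline SPF evaluator run over the DNS data the messages quote, showing why the published record gives a fail for the relay at 210.48.108.215 and what changes once the ip4 entry is added. It handles only the a, mx, ptr, ip4 and all mechanisms (no include, redirect, macros or CIDR suffixes on a/mx); the relay hostname follows the first message's spelling, and the position of the ip4 term in the proposed record is an assumption.

```python
import ipaddress

# DNS data exactly as quoted in the thread (no live lookups). The thread gives
# no apex A record for oasystems.co.nz, so none is modelled here.
DNS = {
    "MX": {"oasystems.co.nz": ["witch.oasystems.co.nz"]},
    "A": {"witch.oasystems.co.nz": ["202.180.74.56"],
          "gunge.hosts.net.nz": ["210.48.108.215"]},
    "PTR": {"202.180.74.56": ["witch.oasystems.co.nz"],
            "210.48.108.215": ["gunge.hosts.net.nz"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
PUBLISHED = "v=spf1 a mx ptr -all"
PROPOSED = "v=spf1 a mx ptr ip4:210.48.108.215 -all"  # placement before -all assumed

def lookup(rtype, name):
    return DNS[rtype].get(name.rstrip(".").lower(), [])

def ptr_matches(ip, domain):
    # ptr: reverse name must resolve forward to the same IP and sit in the domain.
    return any(ip in lookup("A", host)
               and (host == domain or host.endswith("." + domain))
               for host in lookup("PTR", ip))

def mechanism_matches(mech, ip, domain):
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in lookup("A", arg or domain)
    if name == "mx":
        return any(ip in lookup("A", mx) for mx in lookup("MX", arg or domain))
    if name == "ptr":
        return ptr_matches(ip, arg or domain)
    raise ValueError(f"unsupported mechanism: {mech}")

def check_spf(record, ip, domain):
    """Return the result of the first matching mechanism, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mechanism_matches(mech.lower(), ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"
```

Calling `check_spf(PUBLISHED, "210.48.108.215", "oasystems.co.nz")` reaches `-all` because the relay matches none of a, mx or ptr, while the same call with `PROPOSED` stops at the ip4 term.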