This represents a gross failure on Xtra's part in failing to separate 2
distinctly different scenarios. SPF is intended to regulate outbound
relaying, where the relay acts as an agent of the sender. It has nothing to
say about inbound relaying, where the relay is an agent of the recipient.
SPF enforcement should not touch the inbound relays.
A reasonable implementation would allow recipients to designate their own
inbound relays, either by host, or by reference to the SPF record of the
primary domain of the relay.
Having said all that, what has changed recently is not SPF enforcement on
the envelope sender, but DKIM enforcement on the From: header. The former
has no effect on mailing lists which have been rewriting envelope sender
(and Sender: header) for many years; but the latter has become a big
problem just recently for mail going to Xtra.
-Martin
On 21 Feb. 2017 13:55, "Jodi Thomson"
From the RFC https://tools.ietf.org/html/rfc7208
'The "include" mechanism makes it possible for one domain to designate multiple administratively independent domains. For example, a vanity domain "example.net" might send mail using the servers of administratively independent domains example.com and example.org.
Example.net could say
IN TXT "v=spf1 include:example.com include:example.org -all"
This would direct check_host() to, in effect, check the records of example.com and example.org for a "pass" result. Only if the host were not permitted for either of those domains would the result be "fail".
Whether this mechanism matches, does not match, or returns an exception depends on the result of the recursive evaluation of check_host():'
So it's possible that the 'hard fail' in the aspmx.sailthru.com SPF is causing the bounce
Cheers Jodi
----- Original Message -----
From: "Jean-Francois Pirus"
To: "Paul Willard", nznog(a)list.waikato.ac.nz
Sent: Tuesday, February 21, 2017 3:02:15 PM
Subject: Re: [nznog] Xtra and SPF
Here's an example of an Xtra bounce which looks like soft fail but which includes a hard fail.
So I'm assuming that a hard fail anywhere takes precedence. Does anybody know the rules? I could not find any references.
sailthru.com. 10800 IN TXT "v=spf1 include:aspmx.sailthru.com include:_spf.google.com include:_netblocks.zdsys.com ~all"
aspmx.sailthru.com. 900 IN TXT "v=spf1 ip4:64.34.47.128/27 ip4:64.34.57.192/26 ip4:65.39.215.0/24 ip4:192.64.236.0/24 ip4:192.64.237.0/24 ip4:173.228.155.0/24 ip4:192.64.238.0/24 ip4:204.153.121.0/24 -all"
_netblocks.zdsys.com. 54000 IN TXT "v=spf1 ip4:192.161.144.0/20 ip4:185.12.80.0/22 ip4:96.46.150.192/27 ip4:174.137.46.0/24 ip4:188.172.128.0/20 ip4:216.198.0.0/18 ~all"
_spf.google.com. 55 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
On 21/02/17 14:17, Paul Willard wrote:
I'm getting mail bouncing with ~all spf record soft fail .. and xtra (actually smx) are rejecting.
Could be that they don't like me :)
On Wed, Feb 8, 2017 at 3:57 PM, Brian E Carpenter <brian.e.carpenter(a)gmail.com> wrote:
On 08/02/2017 15:34, Mark Foster wrote:
...
> Someone mentioned mailing lists; decent ones rewrite the envelope and
> don't break SPF.
Or rather, are not broken by SPF. Unfortunately, the same is not true of DMARC. There's still no good solution for lists or forwarders that are broken by DMARC. Glen, I fear that DMARC problems are in your future.
Brian
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
https://list.waikato.ac.nz/mailman/listinfo/nznog
-- Jean-Francois Pirus | Technical Manager francois(a)clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401
Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com