Vic Uni Mail Admin about? SPF rec issue...
I do SPF checking.

# grep $user mail.log
Sep 10 09:05:48 mx tumgreyspf[13335]: 'SPF Permanent Error: Too many DNS lookups': QUEUE_ID=""; identity=mailfrom; client-ip=216.32.181.183; helo=ch1outboundpool.messaging.microsoft.com; envelope-from=$User(a)vuw.ac.nz; receiver=$user(a)tauatapu.net.nz;

vuw.ac.nz IN TXT v=spf1 ip4:130.195.81.0/24 ip4:130.195.86.0/24 ip4:202.36.141.0/24 ip4:216.235.196.0/22 ip4:216.235.200.0/21 include:mcs.vuw.ac.nz include:mailprimer.com include:_spf.learningsourceapp.com include:spf.messaging.microsoft.com ~all

1. Is anyone else having this issue with vuw?
2. Should I be doing something to change my config or do others feel that the vuw spf record is too wide?

D

--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
On Sun, Sep 9, 2012 at 5:44 PM, Don Gould
2. Should I be doing something to change my config or do others feel that the vuw spf record is too wide?

SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.

Scott
Hi Scott,

Sorry if I'm being blond, but that didn't answer my question.

I am trying to figure out where to point the finger and I don't understand enough of what you posted for me to understand if this is my problem as the mail admin or the vic mail admin?

I don't have a function to just whitelist the uni, so if people think that tinyspf is not working correctly then I'll just stop using it.

Sorry that my initial question was not very clear.

D

On 10/09/2012 12:52 p.m., Scott Howard wrote:
On Sun, Sep 9, 2012 at 5:44 PM, Don Gould <mailto:don(a)bowenvale.co.nz> wrote:
2. Should I be doing something to change my config or do others feel that the vuw spf record is too wide?

From http://tools.ietf.org/html/rfc4408#section-10.1 :

SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.

Scott

--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
The recursive lookups in that SPF record come to 14 according to my
checking.
vuw.ac.nz IN TXT v=spf1 ip4:130.195.81.0/24
ip4:130.195.86.0/24 ip4:202.36.141.0/24 ip4:216.235.196.0/22
ip4:216.235.200.0/21 include:mcs.vuw.ac.nz include:mailprimer.com
include:_spf.learningsourceapp.com include:spf.messaging.microsoft.com ~all
- include:mcs.vuw.ac.nz
  - mx
- include:mailprimer.com
  - include:mailprimer.net.nz
    - include:mailprimer.co.nz
    - include:mailprimer.com
      - include:mailprimer.net.nz (loop?)
- include:_spf.learningsourceapp.com
  - include:sendgrid.net
    - include:sendgrid.biz
- include:spf.messaging.microsoft.com
  - include:spfa.frontbridge.com
  - include:spfb.frontbridge.com
  - include:spfc.frontbridge.com
And in answer to your questions it would be the Vic mail admin or DNS
maintainer that needs to look at this.
From: nznog-bounces(a)list.waikato.ac.nz
[mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Don Gould
Sent: Monday, September 10, 2012 1:06 PM
To: Scott Howard
Cc: nznog
Subject: Re: [nznog] Vic Uni Mail Admin about? SPF rec issue...
Hi Scott,
Sorry if I'm being blond, but that didn't answer my question.
I am trying to figure out where to point the finger and I don't understand
enough of what you posted for me to understand if this is my problem as the
mail admin or the vic mail admin?
I don't have a function to just whitelist the uni, so if people think that
tinyspf is not working correctly then I'll just stop using it.
Sorry that my initial question was not very clear.
D
On 10/09/2012 12:52 p.m., Scott Howard wrote:
On Sun, Sep 9, 2012 at 5:44 PM, Don Gould
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.

Scott

--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
On 10 September 2012 13:09, Tim Price
- include:mailprimer.com
  - include:mailprimer.net.nz
    - include:mailprimer.co.nz
    - include:mailprimer.com
      - include:mailprimer.net.nz (loop?)
Just a quick note to point out that you've misread 2 MX entries as includes in the SPF for mailprimer.net.nz. The SPF record is:

"v=spf1 ip4:66.29.197.150/28 ip4:209.162.176.182/27 ip4:203.79.78.253/32 ip4:203.97.202.158/32 ip4:123.100.96.0/27 ip4:204.14.234.0/25 ip4:10.226.68.0/29 mx:mailprimer.co.nz mx:mailprimer.com ~all"

On a related note, check the SPF for microsoft.com at http://www.kitterman.com/spf/validate.html - they're broken in the same way at the moment.

Cheers,
Mark
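
Added example, not part of any list member's message: a static count of the lookup-costing terms reachable from the vuw.ac.nz record, applying the RFC 4408 section 10.1 rule quoted earlier in the thread. Only the vuw.ac.nz and mailprimer.net.nz records are taken from the thread; every other record is a simplified stand-in constructed from Tim Price's include tree, and the function names are this example's own.

```python
# Added illustration of the RFC 4408 section 10.1 limit; not from the thread.
MAX_LOOKUPS = 10
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}

ZONE = {  # the first two records are the ones quoted in the thread
    "vuw.ac.nz": "v=spf1 ip4:130.195.81.0/24 ip4:130.195.86.0/24 "
        "ip4:202.36.141.0/24 ip4:216.235.196.0/22 ip4:216.235.200.0/21 "
        "include:mcs.vuw.ac.nz include:mailprimer.com "
        "include:_spf.learningsourceapp.com include:spf.messaging.microsoft.com ~all",
    "mailprimer.net.nz": "v=spf1 ip4:66.29.197.150/28 ip4:209.162.176.182/27 "
        "ip4:203.79.78.253/32 ip4:203.97.202.158/32 ip4:123.100.96.0/27 "
        "ip4:204.14.234.0/25 ip4:10.226.68.0/29 "
        "mx:mailprimer.co.nz mx:mailprimer.com ~all",
    # Constructed stand-ins (assumptions) shaped after Tim Price's include tree.
    "mcs.vuw.ac.nz": "v=spf1 mx ~all",
    "mailprimer.com": "v=spf1 include:mailprimer.net.nz ~all",
    "_spf.learningsourceapp.com": "v=spf1 include:sendgrid.net ~all",
    "sendgrid.net": "v=spf1 include:sendgrid.biz ~all",
    "sendgrid.biz": "v=spf1 ip4:192.0.2.0/24 ~all",
    "spf.messaging.microsoft.com": "v=spf1 include:spfa.frontbridge.com "
        "include:spfb.frontbridge.com include:spfc.frontbridge.com ~all",
    **{f"spf{c}.frontbridge.com": "v=spf1 ip4:198.51.100.0/24 ~all" for c in "abc"},
}

def parse(term):
    """Split one SPF term into (name, target); target is None when absent."""
    term = term.lstrip("+-~?")                           # drop the qualifier
    sep = "=" if "=" in term.split(":", 1)[0] else ":"   # modifier vs mechanism
    name, _, target = term.partition(sep)
    return name.split("/")[0].lower(), target.split("/")[0] or None

def walk(domain, zone, trail=()):
    """List lookup-costing terms reachable from domain, in evaluation order."""
    if domain in trail:                                  # include loop: stop here
        return []
    hits = []
    for term in zone[domain].split()[1:]:                # skip "v=spf1"
        name, target = parse(term)
        if name in COUNTED:
            hits.append(f"{name}:{target or domain}")
            if name in ("include", "redirect") and target in zone:
                hits += walk(target, zone, trail + (domain,))
    return hits

def check(domain, zone=ZONE):
    """Return (result, total lookups, the term that would be lookup number 11)."""
    hits = walk(domain, zone)
    over = len(hits) > MAX_LOOKUPS
    return ("permerror" if over else "ok"), len(hits), hits[MAX_LOOKUPS] if over else None
```

With these assumed records, `check("vuw.ac.nz")` reports a permerror with 13 counted terms, and the eleventh falls inside the Microsoft include, the last one in the record.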
Hello to the mail team at the uni! :)

They weren't aware that their spf was broken.

Thanks to the on and off list help guys.

D

On 10/09/2012 12:44 p.m., Don Gould wrote:
I do SPF checking.

# grep $user mail.log
Sep 10 09:05:48 mx tumgreyspf[13335]: 'SPF Permanent Error: Too many DNS lookups': QUEUE_ID=""; identity=mailfrom; client-ip=216.32.181.183; helo=ch1outboundpool.messaging.microsoft.com; envelope-from=$User(a)vuw.ac.nz; receiver=$user(a)tauatapu.net.nz;

vuw.ac.nz IN TXT v=spf1 ip4:130.195.81.0/24 ip4:130.195.86.0/24 ip4:202.36.141.0/24 ip4:216.235.196.0/22 ip4:216.235.200.0/21 include:mcs.vuw.ac.nz include:mailprimer.com include:_spf.learningsourceapp.com include:spf.messaging.microsoft.com ~all

1. Is anyone else having this issue with vuw?
2. Should I be doing something to change my config or do others feel that the vuw spf record is too wide?

D

--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
On Mon, 10 Sep 2012, Don Gould wrote:
Hello to the mail team at the uni! :)
They weren't aware that their spf was broken.
Thanks to the on and off list help guys.
I don't think there is anyone from ITS on this list, so glad you got hold of someone.

Ick that spf record is ugly. Of course due to their split DNS if you try to look at that from within the University you get

% host -t txt vuw.ac.nz
vuw.ac.nz descriptive text ""

I'll note that the include:mcs.vuw.ac.nz has been "wrong" for the last 3.5 years and should be include:ecs.vuw.ac.nz but, in fact, the one place in the world I would expect to never see @vuw.ac.nz addresses being sent from is ecs.vuw.ac.nz - as we do sender rewriting.

cheers
mark
participants (5)
- Don Gould
- Mark Davies
- Mark Wakefield
- Scott Howard
- Tim Price