Re: [nznog] Vic Uni Mail Admin about? SPF rec issue...
Ok, cool. thanks Tim, that answers where to point the finger now.
Tim do you mind sharing how you tested that? What tool did you use?
Is there a vuw admin on list who would like to comment? Can you fix your spf record so it doesn't cause more than 10 recursive look ups or should I just not bother with spf?
D
On 10/09/2012 1:07 p.m., Tim Price wrote:
> The recursive lookups in that SPF record come to 14 according to my checking.
>
> vuw.ac.nz IN TXT v=spf1 ip4:130.195.81.0/24 ip4:130.195.86.0/24 ip4:202.36.141.0/24 ip4:216.235.196.0/22 ip4:216.235.200.0/21 include:mcs.vuw.ac.nz include:mailprimer.com include:_spf.learningsourceapp.com include:spf.messaging.microsoft.com ~all
>
> · include:mcs.vuw.ac.nz
>     o mx
> · include:mailprimer.com
>     o include:mailprimer.net.nz
>         § include:mailprimer.co.nz
>         § include:mailprimer.com
>             · include:mailprimer.net.nz (loop?)
> · include:_spf.learningsourceapp.com
>     o include:sendgrid.net
>         § include:sendgrid.biz
> · include:spf.messaging.microsoft.com
>     o include:spfa.frontbridge.com
>     o include:spfb.frontbridge.com
>     o include:spfc.frontbridge.com
>
> From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Scott Howard
> Sent: Monday, September 10, 2012 12:52 PM
> To: Don Gould
> Cc: nznog
> Subject: Re: [nznog] Vic Uni Mail Admin about? SPF rec issue...
>
> On Sun, Sep 9, 2012 at 5:44 PM, Don Gould <mailto:don(a)bowenvale.co.nz> wrote:
> > 2. Should I be doing something to change my config or do others feel that the vuw spf record is too wide?
>
> From http://tools.ietf.org/html/rfc4408#section-10.1 :
>
> > SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.
>
> Scott
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699
Lots of dig-ing ;)
From: nznog-bounces(a)list.waikato.ac.nz
[mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Don Gould
Sent: Monday, September 10, 2012 1:11 PM
To: Tim Price
Cc: 'nznog'
Subject: Re: [nznog] Vic Uni Mail Admin about? SPF rec issue...
Ok, cool. thanks Tim, that answers where to point the finger now.
Tim do you mind sharing how you tested that? What tool did you use?
Is there a vuw admin on list who would like to comment? Can you fix your
spf record so it doesn't cause more than 10 recursive look ups or should I
just not bother with spf?
D
Hi Don,
Don't suppose you pinged an email to postmaster(a)vuw.ac.nz or perhaps tried one of the avenues listed at their 'contact us' page yet? http://www.victoria.ac.nz/home/contact
Whilst there's a fair chance someone from the right dept is here, it'd seem appropriate to try to contact VUW directly, especially now that Scott and Tim have done the hard yards for you. ;-) [1]
There's absolutely no reason why you shouldn't use SPF, and adhere to it, as long as you're prepared to deal with the odd occasion where the configurations that people have in place simply 'don't work'. For example, I hope none of the people on your MTA accept mail via forwarding rules.
(I seem to see people who act in breach of their own published SPF rules from time to time, I don't see this problem going away in a hurry to be honest - but it does have a good, useful effect for those who use it properly.)
Cheers
Mark.
[1] you may need to whitelist or temporarily disable SPF to exchange emails with them. Your call.
On 10/09/12 13:11, Don Gould wrote:
> Ok, cool. thanks Tim, that answers where to point the finger now.
> Tim do you mind sharing how you tested that? What tool did you use?
> Is there a vuw admin on list who would like to comment? Can you fix your spf record so it doesn't cause more than 10 recursive look ups or should I just not bother with spf?
> D
On 10/09/2012 1:25 p.m., Mark Foster wrote:
> Hi Don,
> Don't suppose you pinged an email to postmaster(a)vuw.ac.nz or perhaps tried one of the avenues listed at their 'contact us' page yet?
Yes. I'm just on the phone with their helpdesk now trying to track down, get to, someone in the right area. I first wanted just a bit of advice as to where I point the finger... was very happy to accept it might need pointing at myself in the first instance.
> [1] you may need to whitelist or temporarily disable SPF to exchange emails with them. Your call.
Yes. I confess that whitelisting is not simple in my system and I really pref not to disable stuff we put in place to block spam that's only optional based on what the sender has configured.
D
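The lookup budget from RFC 4408 section 10.1 that this thread turns on can be checked mechanically instead of by hand with dig. The sketch below is an added example, not part of any poster's message: it walks a record's terms in order as a check that matches nothing would, and stops with PermError once an eleventh DNS-lookup term is reached. Only the vuw.ac.nz record comes from the thread; every other record, and the names `walk`, `check`, `ZONE` and `LEAF`, are constructed for illustration.

```python
import re

LOOKUP_LIMIT = 10                                   # RFC 4408 section 10.1
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"               # constructed placeholder record

# Constructed zone data: only the vuw.ac.nz record is quoted in the thread.
# The other records are invented to mirror the include tree Tim listed.
ZONE = {
    "vuw.ac.nz": "v=spf1 ip4:130.195.81.0/24 ip4:130.195.86.0/24 ip4:202.36.141.0/24 "
                 "ip4:216.235.196.0/22 ip4:216.235.200.0/21 include:mcs.vuw.ac.nz "
                 "include:mailprimer.com include:_spf.learningsourceapp.com "
                 "include:spf.messaging.microsoft.com ~all",
    "mcs.vuw.ac.nz": "v=spf1 mx ~all",
    "mailprimer.com": "v=spf1 include:mailprimer.net.nz ~all",
    "mailprimer.net.nz": "v=spf1 include:mailprimer.co.nz include:mailprimer.com ~all",
    "mailprimer.co.nz": LEAF, "sendgrid.biz": LEAF,
    "_spf.learningsourceapp.com": "v=spf1 include:sendgrid.net ~all",
    "sendgrid.net": "v=spf1 include:sendgrid.biz ~all",
    "spf.messaging.microsoft.com": "v=spf1 include:spfa.frontbridge.com "
        "include:spfb.frontbridge.com include:spfc.frontbridge.com ~all",
    **{f"spf{x}.frontbridge.com": LEAF for x in "abc"},
}

class PermError(Exception):
    """Lookup budget exceeded, or an included domain has no record."""

def walk(domain, zone, trace):
    """Visit terms in order, as a check whose sender IP matches nothing would."""
    if domain not in zone:
        raise PermError(f"no SPF record for {domain}")
    for term in zone[domain].lower().split()[1:]:    # skip "v=spf1"
        name, sep, arg = re.match(r"[+?~-]?([\w.-]+)([:=]?)(.*)", term).groups()
        costs = name in LOOKUP_MECHS if sep != "=" else name == "redirect"
        if costs:                                    # all, ip4, ip6, exp cost nothing
            trace.append(f"{domain}: {term}")
            if len(trace) > LOOKUP_LIMIT:
                raise PermError("more than 10 DNS-lookup terms")
            if name in ("include", "redirect"):
                walk(arg, zone, trace)

def check(domain, zone=ZONE):
    """Return ('ok' or 'permerror', lookup terms in the order they were reached)."""
    trace = []
    try:
        walk(domain, zone, trace)
    except PermError:
        return "permerror", trace
    return "ok", trace
```

With this constructed data, `check("vuw.ac.nz")` returns `permerror` inside the mailprimer loop, before the later includes are reached. With the loop removed from the constructed records it still returns `permerror`, at `include:spfb.frontbridge.com`.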