> From: Lyle Giese <l...@lcrcomputer.net>

> attention and I tried to email the client in China and got this back:
>
> For <ro...@xxxxx.com.cn> <mailto:ro...@medtecs.com.cn>, Site 
> (xxxxx.com.cn/<ipv4 address>) said: 559 sorry , your helo/ehlo and 
> domain in mail are invalid, you don't connect from there. (#5.5.9)
>
> Because this started within 24 hours of when I published the DS record 

I'd remove the TXT record for lcrcomputer.net and try again in 24
hours after your TTL expires.  In other words, could your SPF record
be triggering the mail problem?  What is the relationship between
medtecs.com.cn and xxxxx.com.cn?  If your mail must be forwarded
to reach ro...@medtecs.com.cn, then your SPF record demands that
it be rejected after the first hop.
I also wonder about the "ptr" mechanism in your SPF record.  RFC 4408
discourages the use of "ptr".  The Received: header added by ISC
was unhappy with your reverse DNS, although it looks ok to me now:

   Received: from mail3.lcrcomputer.net (unknown [IPv6:2607:fcb8:1800:7::3])
     by mx.pao1.isc.org (Postfix) with ESMTP
     for <bind-users@lists.isc.org>; Mon, 18 Feb 2013 22:07:46 +0000 (UTC)
     (envelope-from l...@lcrcomputer.net)

Contrary to the early marketing manure followed by the years of cult
chanting, outside the narrow situations where it can be handy, SPF is
useless and ignored (~all or ?all) or harmful (-all).  SPF can be
useful for authenticating bulk mail, although DKIM is better because
of SPF's problem with forwarding.  (Of course, plenty of bulk mail is
not spam, such as this message after it hits the reflector.  Bulk mail
is any set of practically identical messages.  Spam is bulk email that
is also unsolicited.)

If you turn on DMARC to get reports about rejections by adding something
like this line to your DNS zone:
  _dmarc 300 TXT  "v=DMARC1; p=none; rua=mailto:x...@lcrcomputer.com;";
and send again to this mailing list, then within days or a week, the
mailbox x...@lcrcomputer.com should get reports of mail that would have
been rejected by your SPF record.  If any of your correspondents forward
private mail from you to Google, Microsoft, or similar, you will also
get reports about those rejections.

I've not tried p=none, but recent experiments with 
          300  TXT  "v=spf1 mx -all"
   _dmarc 300  TXT  "v=DMARC1; p=reject; rua=mailto:x...@rhyolite.com;";
generated reports of my messages being rejected because they had been
forwarded by lists.isc.org.  Look at the headers for your copies of
your own messages to this mailing list and consider your SPF record.
(I use short TTLs on _dmarc and SPF RRs to remove them quickly.)

See http://www.dmarc.org/ about DMARC, but read it with marketing-speak
filters set to high.  For example, "DMARC Protects 60 Percent of Global
Consumer Mailboxes" makes sense only for a narrow meaning of "protect"
after you notice the absence of _dmarc records for Google, Yahoo, and
Microsoft.

See also http://www.dmarc.org/about.html .  Some of the "receivers" on
that page probably send more mail than some of the "senders," so those
two words must have special meanings.  DMARC is evidently intended to let
"(bulk mail) senders" such as American Greetings, BoA, etc. monitor
and control their DKIM and SPF authenticators and check inbox placement
rates at "(bulk mail) receivers" such as AOL, Comcast, etc.

DMARC is also unintentionally great for showing the old "use SPF to
protect yourself from spammers" to be the marketing nonsense and cult
nonsense that, in most cases, it has always been.


Vernon Schryver    v...@rhyolite.com
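As an added example (not from this thread or its author; example.com, the list host lists.example.net and all addresses are constructed), a minimal SPF evaluator shows the forwarding problem described above: the same sender passes "v=spf1 mx -all" when its own MX host connects, and fails once a mailing list relays the message from the list's address, with ~all and ?all merely softening the verdict.

```python
import ipaddress

# Constructed DNS data for a hypothetical example.com (not real records):
# its one MX host, plus the address of a hypothetical list relay host.
DNS = {
    "mx": {"example.com": ["mail.example.com"]},
    "a": {"mail.example.com": ["192.0.2.10"],
          "lists.example.net": ["198.51.100.5"]},
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, client_ip):
    """Minimal RFC 4408-style evaluator for the mx, a, ip4 and all
    mechanisms; returns pass, fail, softfail, neutral or none."""
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIER[qual]
        if name == "mx":
            hosts = DNS["mx"].get(arg or domain, [])
            addrs = [a for h in hosts for a in DNS["a"].get(h, [])]
        elif name == "a":
            addrs = DNS["a"].get(arg or domain, [])
        elif name == "ip4":
            addrs = [arg]
        else:
            continue  # ptr (discouraged by RFC 4408) and others not modelled
        if any(ip in ipaddress.ip_network(a, strict=False) for a in addrs):
            return QUALIFIER[qual]
    return "neutral"  # no mechanism matched and no explicit "all"


def forwarding_outcomes(domain, tails):
    """Same sender evaluated when delivered straight from its MX host and
    when relayed unchanged by the list host, for each 'all' qualifier."""
    return {tail: (check_spf("v=spf1 mx " + tail, domain, "192.0.2.10"),
                   check_spf("v=spf1 mx " + tail, domain, "198.51.100.5"))
            for tail in tails}


if __name__ == "__main__":
    results = forwarding_outcomes("example.com", ["-all", "~all", "?all"])
    for tail, (direct, relayed) in results.items():
        print(f"{tail}: direct={direct} via list={relayed}")
```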