Gary, I guess, I should have asked this earlier, but you mentioned authenticated users, which is the other side of the coin. Are you testing SPF for outgoing mail? If so, why? Is it possible to send email from your mail server without authenticating? If none of that was pertinent, continue on....
========================== At your mail server, in those three received headers from my message, the only valid SPF check is on the following header: Received: from smtp.declude.com [63.246.31.248] by mail.plusultraweb.com with SMTP; Fri, 16 Feb 2007 15:46:48 -0500 Note that at this point, the email is from [email protected] and the sending server is smtp.declude.com. The above header was added by your mail server. The SPF check on your mail server should be "Does the declude.com SPF indicate that mail from declude.com (in this case [email protected]) can be sent by smtp.declude.com". As regards SPF, checking any deeper in the received lines makes no sense and is an invalid test. Why? Because at this point, the email is from [email protected] and I doubt very much if the declude.com SPF record has mail.mathbox.com as a valid SMTP source for mail from declude.com. ========================== The previous header entry (time and motion wise) was the received header for the transmission of the message from my mail server to the declude mail server: Received: from mail.mathbox.com [63.150.236.14] by smtp.declude.com with SMTP; Fri, 16 Feb 2007 15:31:18 -0500 The declude mail server should have performed a SPF check for mail from [EMAIL PROTECTED] being sent from mail.mathbox.com. =========================== If for example, you had an SMTP proxy or a gateway in front of your mail server, then all of the above logic starts to break down. For those situations, you could use IPBYPASS and I suppose HOP. You chose a very good example. List mail is a perfectly good example of why you cannot run SPF against the entire chain of received headers. Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Gary Steiner > Sent: Friday, February 16, 2007 4:10 PM > To: [email protected] > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > Let me give you my case. For this example I used my home > Comcast connection to send an email using Outlook and > authentication. My server uses Declude and SmarterMail. The > header of the received message shows one IP address in a > single Received line: > > Received: from c-67-189-34-6.hsd1.or.comcast.net > [67.189.34.6] by mail.plusultraweb.com with SMTP; > Fri, 16 Feb 2007 15:43:21 -0500 > > Michael's message via Declude's mailing list had three Received lines: > > Received: from smtp.declude.com [63.246.31.248] by > mail.plusultraweb.com with SMTP; > Fri, 16 Feb 2007 15:46:48 -0500 > Received: from mail.mathbox.com [63.150.236.14] by > smtp.declude.com with SMTP; > Fri, 16 Feb 2007 15:31:18 -0500 > Received: from mikesplace [63.150.236.3] by mail.mathbox.com > with ESMTP > (SMTPD-8.22) id A48F027C; Fri, 16 Feb 2007 15:31:11 -0500 > > In both messages Declude made checks versus the last hop only > (67.189.34.6 in my test message and 63.246.31.248 in the > message from Declude's mailing list. > > Since my Comcast IP address is not listed in my SPF string, > it failed Declude's SPF test. > > So what is the problem here? Is this a flaw in how > SmarterMail lists its hops? Should it be showing the Comcast > IP address as the final hop, or should it be showing my mail server? > > Since it is showing the Comcast address, SPF fails. The only > way to get around this is to end the SPF string with "?all", > but if I'm going to do that, I might as well not use SPF at all. > > Gary > > > -------- Original Message -------- > > From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]> > > Sent: Friday, February 16, 2007 3:47 PM > > To: [email protected] > > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF > record question > > > > Gary, > > > > Your logic is incorrect. SPF is a check made by the > destination mail server > > (possibly my mail server) against the sending mail server (your mail > > server). Your users authenticate to your mail server, then > submit a message > > to your mail server for delivery by your mail server to the > remote mail > > server. So, the remote mail server (possibly my mail > server) would check the > > SPF to determine if your mail server was listed as a source > for the domain > > of the sending email address. > > > > Michael Thomas > > Mathbox > > 978-683-6718 > > 1-877-MATHBOX (Toll Free) > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > > > Behalf Of Gary Steiner > > > Sent: Friday, February 16, 2007 2:56 PM > > > To: [email protected] > > > Subject: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > > > > > I have a question to follow this subject. If users have > > > Outlook and they are sending email fromm home or whereever > > > using authentication, then the IP that shows up in the header > > > will be their home connection. That being the case, unless > > > your users are strictly using webmail, your SPF record should > > > show no enforcement otherwise all the non-webmail messages > > > will get blocked. To me this indicates that SPF doesn't help > > > you if your users are not using webmail. Is this correct? > > > > > > Gary > > > > > > > > > > > > -------- Original Message -------- > > > > From: "Darin Cox" <[EMAIL PROTECTED]> > > > > Sent: Wednesday, February 07, 2007 4:33 PM > > > > To: [email protected] > > > > Subject: Re: [Declude.JunkMail] OT: SPF record question > > > > > > > > If your MX and A records are also in the 216.15.92.0/25 > > > network, then you > > > > don't need to specify the "a" and "mx" parameters, so you > > > could simplify to > > > > > > > > No enforcement, other hosts may send mail for the domain > > > > "v=spf1 ip4:216.15.92.0/25 ?all" > > > > > > > > Soft fail if policy violated. Filters may or may not block > > > on soft fail. > > > > "v=spf1 ip4:216.15.92.0/25 ~all" > > > > > > > > > > > > Hard fail if policy violated. Filters should block on > hard fail. > > > > "v=spf1 ip4:216.15.92.0/25 -all" > > > > > > > > However, if you send from an MX or A record (web server) > > > that is not in the > > > > 216.15.92.0/25 subnet then you may need those. > > > > > > > > If you use a soft or hard fail policy, it's very important > > > that you identify > > > > _all_ sources of outbound mail for the domain, including > > > all mail servers, > > > > marketing mail engines, webservers, external hosts, etc. > > > Otherwise you're > > > > liable to have mail blocked as a result of your policy. > > > I've see this > > > > happen with a number of larger organizations, where they > > > have forgotten web > > > > servers with form-to-mail functions, marketing > personnel sending out > > > > newsletters, or mobile users using ISP SMTP servers. > > > > > > > > Regarding your last three records, do you have subdomains > > > with MX records > > > > for direct.commarts.com, mail.commarts.com, and > > > smtp.commarts.com? I.e. do > > > > you receive mail to @direct.commarts.com, > @mail.commarts.com, and > > > > @smtp.commarts.com addresses? If not, you don't need > those records. > > > > > > > > Hope this helps, > > > > > > > > Darin. > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Michael Hoyt" <[EMAIL PROTECTED]> > > > > To: "Declude JunkMail @declude.com" > <[email protected]> > > > > Sent: Wednesday, February 07, 2007 2:30 PM > > > > Subject: [Declude.JunkMail] OT: SPF record question > > > > > > > > > > > > Sorry for the re-posting but I forgot to add a Subject. > > > > > > > > I am finally getting my SPF records up but would like some > > > comments on > > > > whether I got it right. > > > > > > > > I would like to be able to send email from any IP address in my > > > > 216.15.92.0/25 network. Currently I have MX records for > > > mail.commarts.com > > > > (216.15.92.3) which is the only mail server that > receives mail and > > > > direct.commarts.com (216.15.92.15) and smtp.commarts.com > > > (216.15.92.13). > > > > > > > > Using the Wizard at openspf.org I generated the following > > > SPF records: > > > > > > > > commarts.com. IN TXT "v=spf1 ip4:216.15.92.0/25 a mx ~all" > > > > direct.commarts.com. IN TXT "v=spf1 a -all" > > > > mail.commarts.com. IN TXT "v=spf1 a -all" > > > > smtp.commarts.com. IN TXT "v=spf1 a -all" > > > > > > > > After reading page 15 of the Whitepaper pertaining to the > > > ~all,-all or ?all > > > > part of the text in the first record my question is: If I > > > know that ALL > > > > email from my domain will originate from 216.15.92.0/25 > > > should the text be > > > > -all and not ~all? > > > > > > > > And my last question is are the three txt records > > > mentioning my MX servers > > > > necessary if I have 216.15.92.0/25 in the first record? > > > > > > > > Thank you in advance for any insight. > > > > > > > > -- > > > > Michael Hoyt > > > > > > > > > > > > Web Site: http://www.commarts.com > > > > > > > > > > > > > > > > > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > > > > > > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
