> On Apr 30, 2016, at 10:30 AM, <frnk...@iname.com> <frnk...@iname.com> wrote:
>
> Steve,
>
> Thanks for your feedback.
>
> Seems that the Word to Wise SPF checking tool skips "2607:fe28:0:4000::20"
> when I check sigiowa.com.

Yes. It doesn't just display the fields from the record, it tries to merge all the addresses into a minimal set of CIDR blocks, so that one will be included in the 607:fe28:0:4000::/64 block.

(I should probably make the SPF minimizer there do the same thing).

Cheers,
  Steve

>
> Frank
>
> -----Original Message-----
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Steve Atkins
> Sent: Friday, April 29, 2016 12:18 PM
> To: mailop <mailop@mailop.org>
> Subject: Re: [mailop] SPF check overly stringent?
>
>
>> On Apr 29, 2016, at 9:52 AM, Frank Bulk <frnk...@iname.com> wrote:
>>
>> We're helping a customer (sigiowa.com) who's having issues sending emails to
>> the USDA. Our email server logs this:
>> Site usda.gov (2a01:111:f400:7c10::10) said after data sent: 450
>> 4.7.26 Service does not accept messages sent over IPv6
>> [2607:fe28:0:4000::20] unless they pass either SPF or DKIM validation
>> (message not signed)
>>
>> Just this morning I changed their SPF record from this:
>> "v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64
>> ip6:2607:fe28:0:4000::/64 ~all"
>> to this:
>> "v=spf1 ip4:96.31.0.0/24 ip6:2607:fe28:0:4000::20
>> ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all"
>>
>> I added in ip6:2607:fe28:0:4000::20 because I'm wondering if the USDA's
>> system doesn't properly identify the sending IP of 2607:fe28:0:4000::20 as
>> part of 2607:fe28:0:4000::/64. I also removed 'mx' because this tool
>> (http://vamsoft.com/support/tools/spf-policy-tester) was failing on pulling
>> the AAAA for each of the domain's four MX records. Try the vamsoft site
>> with 2607:fe28:0:4000::20 and to see how sigiowa.com
>> used to fail.
>
> http://tools.wordtothewise.com/spf/check/premieronline.net
>
> ... looks fine to me.
>
>>
>> Is Vamsoft's check too stringent?
>
> More like "broken" - but I can see how RFC 7208 might make them think it's
> correct behaviour if they didn't think about real-world use of DNS.
>
>> Does it seriously matter that it can't
>> find the AAAA for the domain's four MX records? Shouldn't an SPF check for
>> the domain's MX records just look for an A or AAAA?
>
> Cheers,
> Steve
>
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
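
Added example, not part of the original thread and not the code behind either tool mentioned in it: a Python sketch of the CIDR merge described in the reply, run over the two SPF records quoted above, plus a membership check for the sending address from the 450 response. It only reads ip4:/ip6: mechanisms; `mx` and anything else that needs DNS is ignored, and the function names are this example's own.

```python
import ipaddress

# SPF records quoted in the thread (before and after the change).
OLD_RECORD = ("v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64 "
              "ip6:2607:fe28:0:4000::/64 ~all")
NEW_RECORD = ("v=spf1 ip4:96.31.0.0/24 ip6:2607:fe28:0:4000::20 "
              "ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all")
SENDER = "2607:fe28:0:4000::20"  # sending IP reported in the 450 response


def ip_networks(record):
    """Networks named by ip4:/ip6: mechanisms; every other term is skipped."""
    nets = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")           # drop the qualifier, if any
        kind, _, value = term.partition(":")
        if kind.lower() in ("ip4", "ip6") and value:
            # A bare address becomes a /32 or /128 network.
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def minimal_blocks(record):
    """Merge the record's networks into the smallest equivalent CIDR set."""
    nets = ip_networks(record)
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in merged]


def ip_authorized(record, address):
    """True if the address is inside any ip4:/ip6: network in the record."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == n.version and addr in n
               for n in ip_networks(record))


if __name__ == "__main__":
    print(minimal_blocks(NEW_RECORD))
    print(ip_authorized(OLD_RECORD, SENDER), ip_authorized(NEW_RECORD, SENDER))
```

Both records reduce to the same three blocks, and the sender matches the /64 in either one, so the explicit ip6:2607:fe28:0:4000::20 term adds nothing for an evaluator that handles CIDR matching correctly.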