Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
Well, notably at present, balug.org. and temp.balug.org. are pretty dang independent and unrelated. Until balug.org. (and lists.balug.org., etc.) are ripped out from under DreamHost.com. ...
{sigh} Here, let me hand it to you on a platter. We'll go through the whole zonefile.
These would be taken care of by a single SPF 'A' directive (if they send mail, which clearly most do not):
    balug.org.                          IN A    208.97.176.67
    archive.balug.org.                  IN A    198.144.194.238
    www.balug.org.                      IN A    198.144.194.238
    balug-sf-lug-v1.balug.org.          IN A    198.144.194.238
    balug-sf-lug-v2.balug.org.          IN A    198.144.194.238
    balug-untangle.balug.org.           IN A    64.2.3.203
    balug-sf-lug-v1.console.balug.org.  IN A    208.96.15.250
    balug-sf-lug-v2.console.balug.org.  IN A    208.96.15.250
    balug-untangle.console.balug.org.   IN A    64.2.3.195
    sf-lug-v1.console.balug.org.        IN A    208.96.15.250
    sf-lug-v2.console.balug.org.        IN A    208.96.15.250
    untangle.console.balug.org.         IN A    64.2.3.195
    ftp.balug.org.                      IN A    208.97.176.67
    lists.balug.org.                    IN A    66.33.216.72
    mail.balug.org.                     IN A    208.113.200.129
    mailboxes.balug.org.                IN A    66.33.205.233
    www.mailboxes.balug.org.            IN A    66.33.205.233
    mysql.balug.org.                    IN A    208.97.161.83
    ns1.balug.org.                      IN A    198.144.194.238
    rsvp.balug.org.                     IN A    198.144.194.238
    secure.balug.org.                   IN A    198.144.194.238
    www.secure.balug.org.               IN A    198.144.194.238
    sf-lug.balug.org.                   IN A    208.96.15.252
    www.sf-lug.balug.org.               IN A    208.96.15.252
    sf-lug-v1.balug.org.                IN A    208.96.15.252
    sf-lug-v2.balug.org.                IN A    208.96.15.252
    ssh.balug.org.                      IN A    208.97.176.67
    untangle.balug.org.                 IN A    64.2.3.203
    vicki.balug.org.                    IN A    208.96.15.250
    webmail.balug.org.                  IN A    208.97.187.139
    www.webmail.balug.org.              IN A    208.97.187.139
    webmaster.balug.org.                IN A    198.144.194.238
    wiki.balug.org.                     IN A    198.144.194.238
    www.wiki.balug.org.                 IN A    198.144.194.238
    www.balug.org.                      IN A    208.97.176.67
    www0.balug.org.                     IN A    208.97.176.67
    www1.balug.org.                     IN A    198.144.194.238
    www2.balug.org.                     IN A    64.2.3.203
These two can be taken care of by a single SPF 'MX' directive:
    mail.balug.org.  IN MX 0  mx1.sub5.homie.mail.dreamhost.com.
    mail.balug.org.  IN MX 0  mx2.sub5.homie.mail.dreamhost.com.
These can be taken care of by a single ipv6: directive if we're concerned about that.
    ns1.balug.org.              IN AAAA  2001:470:1f04:19e::2
    rsvp.balug.org.             IN AAAA  2001:470:1f04:19e::2
    secure.balug.org.           IN AAAA  2001:470:1f04:19e::2
    www.secure.balug.org.       IN AAAA  2001:470:1f04:19e::2
    webmaster.balug.org.        IN AAAA  2001:470:1f04:19e::2
    wiki.balug.org.             IN AAAA  2001:470:1f04:19e::2
    www1.balug.org.             IN AAAA  2001:470:1f04:19e::2
    balug-sf-lug-v1.balug.org.  IN AAAA  2001:470:1f04:19e::2
    balug-sf-lug-v2.balug.org.  IN AAAA  2001:470:1f04:19e::2
This can be taken care of by a single include: directive.
    balug-dreamhost.balug.org.  CNAME  charles-carroll.dreamhost.com.
So, I make that to be:
    balug.org.  IN TXT  "v=spf1 a mx ip6:2001:470:1f04:19e::2 include:dreamhost.com -all"
That literally takes care of _every_ existing entry in the balug.org DNS that could possibly originate mail, plus every host that Dreamhost thinks might originate mail.
And, when you and Michael Hubbard give Dreamhost the heave-ho, all that need happen whenever convenient is removing the include: directive. (No hurry about that. No real harm if it remains.)
We should do it now. It's a one-line addition to DNS, and I've just handed you that line, already made.
Yes, effectively don't - or no guarantees it won't change. DreamHost does sometimes make changes to hostnames, IP addresses, etc., and with no notice of such changes - the only way I know about such changes is they show up in DNS, etc.
That's what the include: is for.
No assurances those correlate or will continue to correlate.
If Dreamhost doesn't know where it sends SMTP from, then we have a lot bigger problems.
Does their own mail fail their own SPF and get rejected as forgeries? No, I really don't think so. Then, their SPF record is a good enough statement of what they declare their SMTP hosts to be. Which, gosh, if they cannot get that right, they would be _really_ in the wrong line of business. But they demonstrably do get it right. Hallelujah.
Ah, now that makes sense. I mean why would DreamHost trust their own hosting after all? ;->
I assume it's because Dreamhost customers find it convenient to originate Dreamhost-hosted mail from Google, relay.mailchannels.net, and sendgrid.net -- and Dreamhost helps them by ensuring that such outsourced mail-sending won't get rejected as forging dreamhost.com's envelope header.
Actually, if you look closely, they _did_ fsck up the first include: directive, the one for _spf.google.com. Which fortunately doesn't adversely affect us, because we don't try to originate balug.org outbound mail from Google.
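Added example, not part of the thread above: a small Python SPF evaluator run against a constructed DNS table holding the balug.org record proposed in this message. The DreamHost MX host's address and the contents of dreamhost.com's SPF record are assumed placeholders. It shows how a receiver walks the mechanisms in order, that bare a and mx look up only the checked domain's own A and MX records (not every host in the zone), and that RFC 7208 names the IPv6 mechanism ip6:, so a spelling such as ipv6: makes the whole record a permerror.

```python
import ipaddress
# Constructed stand-in for DNS: the balug.org addresses come from the message; the
# DreamHost MX host's address and dreamhost.com's record are assumed placeholders.
DNS = {
    ("balug.org", "TXT"): ["v=spf1 a mx ip6:2001:470:1f04:19e::2 include:dreamhost.com -all"],
    ("balug.org", "A"): ["208.97.176.67"],
    ("balug.org", "MX"): [],  # the zone excerpt shows MX records only on mail.balug.org
    ("www.balug.org", "A"): ["198.144.194.238"],
    ("mx1.sub5.homie.mail.dreamhost.com", "A"): ["192.0.2.10"],  # placeholder address
    ("dreamhost.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],  # assumed record
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument); None on a syntax error."""
    terms = []
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name not in ("all", "a", "mx", "ip4", "ip6", "include"):
            return None  # e.g. "ipv6:" is not a mechanism name; RFC 7208 spells it "ip6:"
        terms.append((qual, name, arg))
    return terms
def _host_has_ip(ip, host, dns):  # does host's A (IPv4) or AAAA (IPv6) set contain ip?
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(a) == ip for a in dns.get((host, rtype), []))
def check_host(ip, domain, dns=DNS, depth=0):
    """Simplified RFC 7208 check_host(): a, mx, ip4, ip6, include, all; no macros or redirect."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in dns.get((domain, "TXT"), []) if t.startswith("v=spf1 ")]
    terms = parse_spf(records[0]) if len(records) == 1 and depth <= 10 else None
    if terms is None:  # missing or duplicate record, syntax error, or runaway include nesting
        return "permerror"
    for qual, name, arg in terms:
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":  # bare "a" means the domain being checked, not every A in the zone
            matched = _host_has_ip(ip, arg or domain, dns)
        elif name == "mx":  # bare "mx" means the checked domain's own MX hosts
            matched = any(_host_has_ip(ip, mx, dns) for mx in dns.get((arg or domain, "MX"), []))
        else:  # include: only a "pass" inside the included record counts as a match
            sub = check_host(ip, arg, dns, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        if matched:
            return RESULT[qual]
    return "neutral"  # nothing matched and the record has no "all"
```

With this table, mail from 198.144.194.238 (www.balug.org) with a balug.org envelope sender fails, because bare a matches only balug.org's own A record.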