[BALUG-Admin] BALUG & SPF

Rick Moen rick@linuxmafia.com
Fri Aug 18 06:47:28 PDT 2017


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> Well, much of the migration criteria has been "not worse than".
> https://www.wiki.balug.org/wiki/doku.php?id=balug:mail_and_lists
> ... much to be improved, but fair bit of that will come later.
> First of all, for the lists, the sending domain is temp.balug.org, not
> balug.org.

I see no reason why you couldn't declare an SPF RR for a subdomain.
I've just never to date had a need to do so, on my systems.

If you need to say 'trust the A host, the MX host, and this list of
additional IPs', that can be done trivially, too.  From memory, you 
include something like 'ipv4:66.33.216.72'.

Frankly, I'd not bother declaring specific SPF RRs for subdomains. 
KISS.  Have a single txt record for the domain, and just put everything
in it that is necessary to include all SMTP senders you wish to
authorise, including both mailing list locations.

It's really not difficult.

> Will probably add the SPF & TXT records to lists.balug.org.
> once that gets moved over.

No, for the love of ghod, no.

First of all, nobody uses the dedicated SPF RR.  Everyone uses TXT.
The dedicated RR was a nonstarter.

Second, you don't need friggin' multiple records.  Just the one.  And
there's no conceivable reason not to do it now.

I mean, why delay?  Are you saying we don't know what the authorised
sending SMTP hosts are (the ones we want to declare authorised) for
domain balug.org?  Is it a mystery?  (Note:  Hypothetical Dreamhost
changes are addressed below.)  Is there some presently unknown MTA in
the South Seas that we wish to be able to believably forge balug.org as
a sending domain going forward?

No?  Then we should have an SPF RR for the domain.  Now. 

Add one line to the zonefile, roll the S/N, reload the zone, done.

> Also, for a lot of such stuff, before it's moved over, trying to
> "fix"/improve is about double (or more) work, as it has to be done
> in two places.  

> And since I can't control all of what DreamHost.com
> does, making some changes there also risks possibly causing severe
> breakage.

No, it doesn't.  If you're worried about Dreamhost suddenly and in the
near future moving where its authorised SMTP sender is for
lists.balug.org to a new IP, you can use the SPF RR "include" directive
to incorporate _their_ SPF RR by reference.

   include:dreamhost.com

http://www.openspf.org/SPF_Record_Syntax

And yes, I did check to verify that they have such an RR.

:r! dig -t txt dreamhost.com +short
"MS=ms82701515"
"v=spf1 ip4:62.229.62.0/24 ip4:69.64.144.0/20 ip4:98.124.192.0/18 ip4:66.33.206.0/24 ip4:66.33.195.34 ip4:208.113.189.254 ip4:208.113.200.0/24 ip4:66.33.216.0/24 ip4:208.97.187.128/25 ip4:64.90.62.0/24 ip4:64.90.63.0/25 ip4:64.90.63.128/26 include:_spf.goo" "gle.com include:relay.mailchannels.net include:sendgrid.net ~ALL"


Notice that they use include options so they can authorise several
external senders whose DNS and IP assignments are not under their
control.

C'mon, Michael.  Sheesh.  ;->
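The thread above argues for one TXT record on balug.org that lists the A host, the MX host, extra ip4: ranges and an include: of DreamHost's own record. The following evaluator is an added example, not code from the original post or from the BALUG or DreamHost projects, that walks such a record the way a receiving MTA does (RFC 7208 check_host, simplified): qualifiers, ip4/ip6 with CIDR, a, mx, recursive include:, the 10-lookup limit and the pass/fail/softfail/neutral/none outcomes. DNS is stubbed with in-memory tables so it runs offline: the dreamhost.com record is the one dig returned above, trimmed to a few ranges; the balug.org record, the three third-party records it pulls in, the A/MX data (in TEST-NET-1, 192.0.2.0/24) and the self-referencing loop.example record are hypothetical. redirect= is not implemented.

```python
import ipaddress

# Constructed stand-ins for DNS so the example runs offline.  The
# dreamhost.com record is the one dig returned in the thread, trimmed to a
# few ip4 ranges; the balug.org record, the three third-party records it
# pulls in, and the A/MX data are hypothetical (192.0.2.0/24 is TEST-NET-1).
TXT_RECORDS = {
    "balug.org": "v=spf1 a mx ip4:66.33.216.72 include:dreamhost.com -all",
    "dreamhost.com": ("v=spf1 ip4:66.33.206.0/24 ip4:66.33.216.0/24 "
                      "ip4:208.113.200.0/24 include:_spf.google.com "
                      "include:relay.mailchannels.net include:sendgrid.net ~ALL"),
    "_spf.google.com": "v=spf1 ip4:192.0.2.64/26 ~all",
    "relay.mailchannels.net": "v=spf1 ip4:192.0.2.128/26 ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.192/26 ~all",
    # hypothetical self-referencing record, to show the lookup limit firing
    "loop.example": "v=spf1 include:loop.example -all",
}
A_RECORDS = {"balug.org": ["192.0.2.10"], "mail.balug.org": ["192.0.2.25"]}
MX_RECORDS = {"balug.org": ["mail.balug.org"]}

MAX_LOOKUPS = 10       # RFC 7208 s4.6.4: a, mx, include, redirect, exists
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Record cannot be evaluated: lookup limit, missing include, bad term."""


def spf_record(domain):
    """The domain's v=spf1 TXT record, or None if it publishes none."""
    rec = TXT_RECORDS.get(domain, "")
    return rec if rec.lower().startswith("v=spf1 ") else None


def in_network(ip, spec, default_prefix):
    """ip4:/ip6: match; a bare address means a single host."""
    net = spec if "/" in spec else "%s/%d" % (spec, default_prefix)
    return ip in ipaddress.ip_network(net, strict=False)


def host_matches(ip, names):
    """True if ip is one of the A records of any name in names."""
    return any(ip == ipaddress.ip_address(a)
               for n in names for a in A_RECORDS.get(n, []))


def check_host(ip, domain, budget=None):
    """Evaluate domain's SPF policy for the connecting address ip.

    Returns pass, fail, softfail, neutral or none; raises PermError.  budget
    is the DNS-lookup counter shared across include: recursion.
    """
    ip = ipaddress.ip_address(ip)
    budget = [MAX_LOOKUPS] if budget is None else budget
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if "=" in mech:                       # modifier, not a mechanism
            if mech.startswith("redirect"):
                raise PermError("redirect= not implemented here")
            continue                          # exp= and unknown modifiers
        if mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                raise PermError("over %d DNS-querying terms" % MAX_LOOKUPS)
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = in_network(ip, arg, 32)
        elif mech == "ip6":
            matched = in_network(ip, arg, 128)
        elif mech == "a":
            matched = host_matches(ip, [arg or domain])
        elif mech == "mx":
            matched = host_matches(ip, MX_RECORDS.get(arg or domain, []))
        elif mech == "include":
            sub = check_host(ip, arg, budget)
            if sub == "none":
                raise PermError("include:%s has no SPF record" % arg)
            matched = sub == "pass"           # fail/softfail/neutral: no match
        else:
            raise PermError("unknown mechanism %r" % mech)
        if matched:
            return RESULT[qualifier]
    return "neutral"                          # nothing matched, no all term


def evaluate(ip, domain):
    """check_host with PermError folded into the 'permerror' result string."""
    try:
        return check_host(ip, domain)
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip in ("66.33.216.72", "192.0.2.25", "208.113.200.5",
               "192.0.2.70", "203.0.113.9"):
        print(ip, evaluate(ip, "balug.org"))
```

Two points the run makes concrete. An include: only counts as a match when the included record returns pass; DreamHost's trailing ~ALL does not soften balug.org's own -all, so an address DreamHost merely softfails still ends in fail at balug.org. And every a, mx and include term (including the ones inside included records) draws on the same budget of ten lookups, so a record that leans on many third-party includes can exceed the limit and turn into permerror, which receivers treat as no usable policy.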