On 2015-08-07 07:34, wbr...@e1b.org wrote:
> From: "Lawrence K. Chen, P.Eng." <lkc...@ksu.edu>
>
>> OTOH, we have caved on adding systems that aren't 'ours'...though how much
>> of Office365 is actually 'ours'....but I think we currently have a couple
>> includes for mass emailing solutions or our survey system (normally we push
>> for them to use a subdomain, our old in-house survey system was on its own
>> subdomain, which the new one can use, but it's more flexible on what users
>> can use....it then comes down to whether there's a SPF rule in their way or
>> not.
>
> SPF has nothing to do with who owns the servers. It states who is allowed to
> send email on behalf of the domain. If you are using O365 for your mail, you
> add their SPF records. If you use a mail service provider for your marketing
> emails, be sure to add them. Just make sure you don't exceed the limits on
> how many DNS queries are required to fully resolve the SPF record. I'm
> starting to see more records overloaded with includes, MX, and other types
> that require further queries.
>
> We now return you to our regularly scheduled program.

But, the point of 'ours' is trusting that system is only generating mail as us that we expect it to generate. Generally we expect servers we operate to be trustworthy (which has somewhat improved now that our general SMTP server is usable from, say, guest wireless).

Before we moved to Office365, our email provider had configured that our outgoing mail was processed to come out from one of two pools. One pool for spam/virus check good mail from our exclusive use, and the everything else pool that is shared with all the other tenants. With no guarantee that another tenant's account gets hijacked and starts sending forged emails with our domain.... So, when we were with this provider, our SPF had exclusive pool as good, but included the other pool prefixed with '~'.....

Meanwhile, Office365 claims to employ a similar system where there are pools used only for sending tested good emails, and other pools that they send everything else through and if IPs get blocked they don't care.... where we have one include:spf...., which in turn has another include:spfa...., which in turn has another include:spfb.... for over 50,000 IPs + a ip6:/48....to be all trusted.

Then there's the include that survey company provides, which just contains a single include for who actually sends their mails? Which seems strangely familiar...also noticed that they're using Dyn for NS. Probably because it seems to be a subset of what mass marketing mailer has in their chain of spf includes....

And, we include:outbound.mailhop.org for people that go abroad and want to get around places that block port 25, which is like everywhere now.... though the number of alternatives has probably reduced the need for this. Though I still have my mailhop account, even though it's now DuoCircle that owns it. But, still have one domain with Dyn, along with some dyndns names.... Like for my ec2 instances -- a dyndns domain so I can find them easier, and they use mailhop to send me alerts....

But, given how Office365 operates, it's unlikely that rogue tenant would be able to impersonate us.... and ... we can't speak for anybody else, but I trusted Dyn with email for many years now, trying to recall when I got the account....think it was sometime after I stopped using PocketMail....

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
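
Added example, not part of the original message or of any poster's configuration: a static count of the DNS-querying terms in a nested chain of SPF includes like the one discussed above, checked against the limit of 10 in RFC 7208 section 4.6.4. All domains and TXT records below are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed SPF TXT records for hypothetical domains (not taken from the thread).
ZONE = {
    "example.edu": "v=spf1 mx include:spf.mailhost.example include:survey.example ~all",
    "spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 include:spfa.mailhost.example -all",
    "spfa.mailhost.example": "v=spf1 ip4:198.51.100.0/24 include:spfb.mailhost.example -all",
    "spfb.mailhost.example": "v=spf1 ip6:2001:db8::/48 -all",
    "survey.example": "v=spf1 include:bulk.example -all",
    "bulk.example": "v=spf1 a mx exists:%{i}.bl.bulk.example ~all",
}
LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # ip4, ip6 and all cost nothing


def count_lookups(domain, zone, path=frozenset()):
    """Count the DNS-querying terms needed to fully evaluate domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    path = path | {domain}
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the "v=spf1" version tag
        if term.lower().startswith("redirect="):
            # The redirect modifier costs one query plus whatever its target needs.
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path)
            continue
        # Drop the qualifier (+ - ~ ?) and any ":domain" or "/cidr" suffix.
        mech = re.split(r"[:/]", term.lstrip("+-~?"))[0].lower()
        if mech in QUERYING:
            total += 1
        if mech == "include":
            # Nested includes count against the same budget as the top-level record.
            total += count_lookups(term.split(":", 1)[1], zone, path)
    return total


def over_limit(domain, zone):
    """True when a receiver evaluating the record would exceed the lookup limit."""
    return count_lookups(domain, zone) > LIMIT


if __name__ == "__main__":
    print("example.edu needs", count_lookups("example.edu", ZONE), "of", LIMIT, "lookups")
```

The count is a worst case: a receiver stops at the first matching mechanism, so mail from an early-listed source may pass even when the full record is over the limit.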