Yes, it does. Message come in from your mail client and is whitelisted by SMTP AUTH. Now your server sends it to the destination. Receiving server sees the message coming from your server, and that your server is a valid sender for the domain in question according to your SPF policy.
The last hop seen by the destination is your server, not your mail client. Your server satisfies your SPF policy, therefore the receiving server checks and records an SPF PASS. Forget about the client, as long as they send through your server, and you don't filter them out... either because they AUTH and you whitelist on AUTH, or any other way you avoid filtering your connecting users. Its all about your server sending to the destination server. This has been working for us for the past year and a half or so. Darin. ----- Original Message ----- From: "Gary Steiner" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Saturday, February 17, 2007 11:22 PM Subject: Re: [Declude.JunkMail] OT: SPF record question My question still isn't coming across. In setting up SPF, I don't want any outgoing messages from my server to be bounced by others because of a bad SPF string. I can whitelist SMTP auth on my server, but that does't help the SPF problem because potentially when one of my users sends a message to someone, say on hotmail.com, it could get bounced because of bad SPF. For example, say my SPF string for my domain is "v=spf1 mx mx:smtp.mydomain.com -all". This allows any email sent via my SmarterMail webmail to pass SPF. Now, if one of my users connects to the server with Outlook and SMTP Auth, and uses this to send an email, then the IP address that shows up in the last hop is the one he used to connect to my sever, not the IP address of my server. So the email message he sends would fail SPF. For it to pass, I would have to change my SPF string to "v=spf1 mx mx:smtp.mydomain.com ip4:67.189.34.6 -all", and additionally add a ip4: entry for every instance that a user might connect to my server with Outlook . So does this mean that SPF is impractical for anyone not strictly using webmail? To me it implies that to cover all bases you would have to have in your SPF string "?all" and there would be no way to make it stricter than that, other than to force all your users to use webmail and not Outlook. Gary -------- Original Message -------- > From: "Darin Cox" <[EMAIL PROTECTED]> > Sent: Friday, February 16, 2007 4:33 PM > To: [email protected] > Subject: Re: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > Whitelisting SMTP Auth is the key here. Since you connect with a userID/PW > to your mail server, Whitelisting connections done through SMTP AUTH > bypasses Declude filtering. > > Darin. > > > ----- Original Message ----- > From: "Gary Steiner" <[EMAIL PROTECTED]> > To: <[email protected]> > Sent: Friday, February 16, 2007 4:10 PM > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > > Let me give you my case. For this example I used my home Comcast connection > to send an email using Outlook and authentication. My server uses Declude > and SmarterMail. The header of the received message shows one IP address in > a single Received line: > > Received: from c-67-189-34-6.hsd1.or.comcast.net [67.189.34.6] by > mail.plusultraweb.com with SMTP; > Fri, 16 Feb 2007 15:43:21 -0500 > > Michael's message via Declude's mailing list had three Received lines: > > Received: from smtp.declude.com [63.246.31.248] by mail.plusultraweb.com > with SMTP; > Fri, 16 Feb 2007 15:46:48 -0500 > Received: from mail.mathbox.com [63.150.236.14] by smtp.declude.com with > SMTP; > Fri, 16 Feb 2007 15:31:18 -0500 > Received: from mikesplace [63.150.236.3] by mail.mathbox.com with ESMTP > (SMTPD-8.22) id A48F027C; Fri, 16 Feb 2007 15:31:11 -0500 > > In both messages Declude made checks versus the last hop only (67.189.34.6 > in my test message and 63.246.31.248 in the message from Declude's mailing > list. > > Since my Comcast IP address is not listed in my SPF string, it failed > Declude's SPF test. > > So what is the problem here? Is this a flaw in how SmarterMail lists its > hops? Should it be showing the Comcast IP address as the final hop, or > should it be showing my mail server? > > Since it is showing the Comcast address, SPF fails. The only way to get > around this is to end the SPF string with "?all", but if I'm going to do > that, I might as well not use SPF at all. > > Gary > > > -------- Original Message -------- > > From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]> > > Sent: Friday, February 16, 2007 3:47 PM > > To: [email protected] > > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > > > Gary, > > > > Your logic is incorrect. SPF is a check made by the destination mail > server > > (possibly my mail server) against the sending mail server (your mail > > server). Your users authenticate to your mail server, then submit a > message > > to your mail server for delivery by your mail server to the remote mail > > server. So, the remote mail server (possibly my mail server) would check > the > > SPF to determine if your mail server was listed as a source for the domain > > of the sending email address. > > > > Michael Thomas > > Mathbox > > 978-683-6718 > > 1-877-MATHBOX (Toll Free) > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > > > Behalf Of Gary Steiner > > > Sent: Friday, February 16, 2007 2:56 PM > > > To: [email protected] > > > Subject: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > > > > > I have a question to follow this subject. If users have > > > Outlook and they are sending email fromm home or whereever > > > using authentication, then the IP that shows up in the header > > > will be their home connection. That being the case, unless > > > your users are strictly using webmail, your SPF record should > > > show no enforcement otherwise all the non-webmail messages > > > will get blocked. To me this indicates that SPF doesn't help > > > you if your users are not using webmail. Is this correct? > > > > > > Gary > > > > > > > > > > > > -------- Original Message -------- > > > > From: "Darin Cox" <[EMAIL PROTECTED]> > > > > Sent: Wednesday, February 07, 2007 4:33 PM > > > > To: [email protected] > > > > Subject: Re: [Declude.JunkMail] OT: SPF record question > > > > > > > > If your MX and A records are also in the 216.15.92.0/25 > > > network, then you > > > > don't need to specify the "a" and "mx" parameters, so you > > > could simplify to > > > > > > > > No enforcement, other hosts may send mail for the domain > > > > "v=spf1 ip4:216.15.92.0/25 ?all" > > > > > > > > Soft fail if policy violated. Filters may or may not block > > > on soft fail. > > > > "v=spf1 ip4:216.15.92.0/25 ~all" > > > > > > > > > > > > Hard fail if policy violated. Filters should block on hard fail. > > > > "v=spf1 ip4:216.15.92.0/25 -all" > > > > > > > > However, if you send from an MX or A record (web server) > > > that is not in the > > > > 216.15.92.0/25 subnet then you may need those. > > > > > > > > If you use a soft or hard fail policy, it's very important > > > that you identify > > > > _all_ sources of outbound mail for the domain, including > > > all mail servers, > > > > marketing mail engines, webservers, external hosts, etc. > > > Otherwise you're > > > > liable to have mail blocked as a result of your policy. > > > I've see this > > > > happen with a number of larger organizations, where they > > > have forgotten web > > > > servers with form-to-mail functions, marketing personnel sending out > > > > newsletters, or mobile users using ISP SMTP servers. > > > > > > > > Regarding your last three records, do you have subdomains > > > with MX records > > > > for direct.commarts.com, mail.commarts.com, and > > > smtp.commarts.com? I.e. do > > > > you receive mail to @direct.commarts.com, @mail.commarts.com, and > > > > @smtp.commarts.com addresses? If not, you don't need those records. > > > > > > > > Hope this helps, > > > > > > > > Darin. > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Michael Hoyt" <[EMAIL PROTECTED]> > > > > To: "Declude JunkMail @declude.com" <[email protected]> > > > > Sent: Wednesday, February 07, 2007 2:30 PM > > > > Subject: [Declude.JunkMail] OT: SPF record question > > > > > > > > > > > > Sorry for the re-posting but I forgot to add a Subject. > > > > > > > > I am finally getting my SPF records up but would like some > > > comments on > > > > whether I got it right. > > > > > > > > I would like to be able to send email from any IP address in my > > > > 216.15.92.0/25 network. Currently I have MX records for > > > mail.commarts.com > > > > (216.15.92.3) which is the only mail server that receives mail and > > > > direct.commarts.com (216.15.92.15) and smtp.commarts.com > > > (216.15.92.13). > > > > > > > > Using the Wizard at openspf.org I generated the following > > > SPF records: > > > > > > > > commarts.com. IN TXT "v=spf1 ip4:216.15.92.0/25 a mx ~all" > > > > direct.commarts.com. IN TXT "v=spf1 a -all" > > > > mail.commarts.com. IN TXT "v=spf1 a -all" > > > > smtp.commarts.com. IN TXT "v=spf1 a -all" > > > > > > > > After reading page 15 of the Whitepaper pertaining to the > > > ~all,-all or ?all > > > > part of the text in the first record my question is: If I > > > know that ALL > > > > email from my domain will originate from 216.15.92.0/25 > > > should the text be > > > > -all and not ~all? > > > > > > > > And my last question is are the three txt records > > > mentioning my MX servers > > > > necessary if I have 216.15.92.0/25 in the first record? > > > > > > > > Thank you in advance for any insight. > > > > > > > > -- > > > > Michael Hoyt > > > > > > > > > > > > Web Site: http://www.commarts.com > > > > > > > > > > > > > > > > > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > > > > > > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
