Darin, I am not sure why, but Gary seems to think SPF checks are run against ALL of the received headers.
I am guessing that he has an SPF test action at the end of his Global.cfg, so that it is testing outgoing?

Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Saturday, February 17, 2007 11:37 PM
> To: [email protected]
> Subject: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
>
> Yes, it does. Message comes in from your mail client and is whitelisted by
> SMTP AUTH. Now your server sends it to the destination. Receiving server
> sees the message coming from your server, and that your server is a valid
> sender for the domain in question according to your SPF policy.
>
> The last hop seen by the destination is your server, not your mail client.
> Your server satisfies your SPF policy, therefore the receiving server checks
> and records an SPF PASS.
>
> Forget about the client, as long as they send through your server, and you
> don't filter them out... either because they AUTH and you whitelist on AUTH,
> or any other way you avoid filtering your connecting users. It's all about
> your server sending to the destination server.
>
> This has been working for us for the past year and a half or so.
>
> Darin.
>
>
> ----- Original Message -----
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Saturday, February 17, 2007 11:22 PM
> Subject: Re: [Declude.JunkMail] OT: SPF record question
>
>
> My question still isn't coming across. In setting up SPF, I don't want any
> outgoing messages from my server to be bounced by others because of a bad
> SPF string. I can whitelist SMTP auth on my server, but that doesn't help
> the SPF problem because potentially when one of my users sends a message to
> someone, say on hotmail.com, it could get bounced because of bad SPF.
>
> For example, say my SPF string for my domain is
> "v=spf1 mx mx:smtp.mydomain.com -all".
> This allows any email sent via my SmarterMail
> webmail to pass SPF. Now, if one of my users connects to the server with
> Outlook and SMTP Auth, and uses this to send an email, then the IP address
> that shows up in the last hop is the one he used to connect to my server, not
> the IP address of my server. So the email message he sends would fail SPF.
> For it to pass, I would have to change my SPF string to
> "v=spf1 mx mx:smtp.mydomain.com ip4:67.189.34.6 -all", and additionally add
> an ip4: entry for every instance that a user might connect to my server with
> Outlook.
>
> So does this mean that SPF is impractical for anyone not strictly using
> webmail? To me it implies that to cover all bases you would have to have in
> your SPF string "?all" and there would be no way to make it stricter than
> that, other than to force all your users to use webmail and not Outlook.
>
> Gary
>
>
> > -------- Original Message --------
> > From: "Darin Cox" <[EMAIL PROTECTED]>
> > Sent: Friday, February 16, 2007 4:33 PM
> > To: [email protected]
> > Subject: Re: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
> >
> > Whitelisting SMTP Auth is the key here. Since you connect with a userID/PW
> > to your mail server, Whitelisting connections done through SMTP AUTH
> > bypasses Declude filtering.
> >
> > Darin.
> >
> >
> > ----- Original Message -----
> > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Friday, February 16, 2007 4:10 PM
> > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
> >
> >
> > Let me give you my case. For this example I used my home Comcast connection
> > to send an email using Outlook and authentication. My server uses Declude
> > and SmarterMail.
> > The header of the received message shows one IP address in
> > a single Received line:
> >
> > Received: from c-67-189-34-6.hsd1.or.comcast.net [67.189.34.6] by
> >   mail.plusultraweb.com with SMTP;
> >   Fri, 16 Feb 2007 15:43:21 -0500
> >
> > Michael's message via Declude's mailing list had three Received lines:
> >
> > Received: from smtp.declude.com [63.246.31.248] by mail.plusultraweb.com
> >   with SMTP;
> >   Fri, 16 Feb 2007 15:46:48 -0500
> > Received: from mail.mathbox.com [63.150.236.14] by smtp.declude.com with
> >   SMTP;
> >   Fri, 16 Feb 2007 15:31:18 -0500
> > Received: from mikesplace [63.150.236.3] by mail.mathbox.com with ESMTP
> >   (SMTPD-8.22) id A48F027C; Fri, 16 Feb 2007 15:31:11 -0500
> >
> > In both messages Declude made checks versus the last hop only (67.189.34.6
> > in my test message and 63.246.31.248 in the message from Declude's mailing
> > list).
> >
> > Since my Comcast IP address is not listed in my SPF string, it failed
> > Declude's SPF test.
> >
> > So what is the problem here? Is this a flaw in how SmarterMail lists its
> > hops? Should it be showing the Comcast IP address as the final hop, or
> > should it be showing my mail server?
> >
> > Since it is showing the Comcast address, SPF fails. The only way to get
> > around this is to end the SPF string with "?all", but if I'm going to do
> > that, I might as well not use SPF at all.
> >
> > Gary
> >
> >
> > > -------- Original Message --------
> > > From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
> > > Sent: Friday, February 16, 2007 3:47 PM
> > > To: [email protected]
> > > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
> > >
> > > Gary,
> > >
> > > Your logic is incorrect. SPF is a check made by the destination mail server
> > > (possibly my mail server) against the sending mail server (your mail
> > > server).
> > > Your users authenticate to your mail server, then submit a message
> > > to your mail server for delivery by your mail server to the remote mail
> > > server. So, the remote mail server (possibly my mail server) would check the
> > > SPF to determine if your mail server was listed as a source for the domain
> > > of the sending email address.
> > >
> > > Michael Thomas
> > > Mathbox
> > > 978-683-6718
> > > 1-877-MATHBOX (Toll Free)
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > > > Behalf Of Gary Steiner
> > > > Sent: Friday, February 16, 2007 2:56 PM
> > > > To: [email protected]
> > > > Subject: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question
> > > >
> > > > I have a question to follow this subject. If users have
> > > > Outlook and they are sending email from home or wherever
> > > > using authentication, then the IP that shows up in the header
> > > > will be their home connection. That being the case, unless
> > > > your users are strictly using webmail, your SPF record should
> > > > show no enforcement otherwise all the non-webmail messages
> > > > will get blocked. To me this indicates that SPF doesn't help
> > > > you if your users are not using webmail. Is this correct?
> > > >
> > > > Gary
> > > >
> > > >
> > > > > -------- Original Message --------
> > > > > From: "Darin Cox" <[EMAIL PROTECTED]>
> > > > > Sent: Wednesday, February 07, 2007 4:33 PM
> > > > > To: [email protected]
> > > > > Subject: Re: [Declude.JunkMail] OT: SPF record question
> > > > >
> > > > > If your MX and A records are also in the 216.15.92.0/25 network, then you
> > > > > don't need to specify the "a" and "mx" parameters, so you could simplify to
> > > > >
> > > > > No enforcement, other hosts may send mail for the domain
> > > > > "v=spf1 ip4:216.15.92.0/25 ?all"
> > > > >
> > > > > Soft fail if policy violated. Filters may or may not block on soft fail.
> > > > > "v=spf1 ip4:216.15.92.0/25 ~all"
> > > > >
> > > > > Hard fail if policy violated. Filters should block on hard fail.
> > > > > "v=spf1 ip4:216.15.92.0/25 -all"
> > > > >
> > > > > However, if you send from an MX or A record (web server) that is not in the
> > > > > 216.15.92.0/25 subnet then you may need those.
> > > > >
> > > > > If you use a soft or hard fail policy, it's very important that you identify
> > > > > _all_ sources of outbound mail for the domain, including all mail servers,
> > > > > marketing mail engines, webservers, external hosts, etc. Otherwise you're
> > > > > liable to have mail blocked as a result of your policy. I've seen this
> > > > > happen with a number of larger organizations, where they have forgotten web
> > > > > servers with form-to-mail functions, marketing personnel sending out
> > > > > newsletters, or mobile users using ISP SMTP servers.
> > > > >
> > > > > Regarding your last three records, do you have subdomains with MX records
> > > > > for direct.commarts.com, mail.commarts.com, and smtp.commarts.com? I.e. do
> > > > > you receive mail to @direct.commarts.com, @mail.commarts.com, and
> > > > > @smtp.commarts.com addresses? If not, you don't need those records.
> > > > >
> > > > > Hope this helps,
> > > > >
> > > > > Darin.
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Michael Hoyt" <[EMAIL PROTECTED]>
> > > > > To: "Declude JunkMail @declude.com" <[email protected]>
> > > > > Sent: Wednesday, February 07, 2007 2:30 PM
> > > > > Subject: [Declude.JunkMail] OT: SPF record question
> > > > >
> > > > >
> > > > > Sorry for the re-posting but I forgot to add a Subject.
> > > > >
> > > > > I am finally getting my SPF records up but would like some comments on
> > > > > whether I got it right.
> > > > >
> > > > > I would like to be able to send email from any IP address in my
> > > > > 216.15.92.0/25 network. Currently I have MX records for mail.commarts.com
> > > > > (216.15.92.3) which is the only mail server that receives mail and
> > > > > direct.commarts.com (216.15.92.15) and smtp.commarts.com (216.15.92.13).
> > > > >
> > > > > Using the Wizard at openspf.org I generated the following SPF records:
> > > > >
> > > > > commarts.com. IN TXT "v=spf1 ip4:216.15.92.0/25 a mx ~all"
> > > > > direct.commarts.com. IN TXT "v=spf1 a -all"
> > > > > mail.commarts.com. IN TXT "v=spf1 a -all"
> > > > > smtp.commarts.com. IN TXT "v=spf1 a -all"
> > > > >
> > > > > After reading page 15 of the Whitepaper pertaining to the ~all,-all or ?all
> > > > > part of the text in the first record my question is: If I know that ALL
> > > > > email from my domain will originate from 216.15.92.0/25 should the text be
> > > > > -all and not ~all?
> > > > >
> > > > > And my last question is are the three txt records mentioning my MX servers
> > > > > necessary if I have 216.15.92.0/25 in the first record?
> > > > >
> > > > > Thank you in advance for any insight.
> > > > >
> > > > > --
> > > > > Michael Hoyt
> > > > >
> > > > > Web Site: http://www.commarts.com
> > > > >
> > > > > ---
> > > > > This E-mail came from the Declude.JunkMail mailing list. To
> > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > > type "unsubscribe Declude.JunkMail". The archives can be found
> > > > > at http://www.mail-archive.com.
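
Added example, not part of the original thread and not Declude's code: a small evaluator for the ip4, a, mx and all mechanisms that shows what each receiving server computes for the hop it actually sees, using the three policy endings and the addresses quoted in the thread. The DNS tables, the apex A record and the host name mx.destination.example are assumptions constructed for the example.

```python
import ipaddress

# Constructed DNS answers for the example; addresses are the ones quoted in the thread.
DNS_A = {"commarts.com": ["216.15.92.3"]}  # assumption: apex A record
DNS_MX = {"commarts.com": ["216.15.92.3", "216.15.92.15", "216.15.92.13"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, connecting_ip, domain):
    """Evaluate the ip4, a, mx and all mechanisms against the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            table = DNS_A if name == "a" else DNS_MX
            matched = connecting_ip in table.get(arg or domain, [])
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return RESULTS[qualifier]  # first match decides
    return "neutral"  # nothing matched and no "all" term


def receiver_view(hops, record, domain):
    """Result each receiving server would compute: it sees only its peer's IP."""
    return [(server, peer, check_spf(record, peer, domain)) for peer, server in hops]


# Constructed path: a roaming Outlook user submits with SMTP AUTH to the domain's
# own server, which delivers to a remote MX (mx.destination.example is hypothetical).
HOPS = [("67.189.34.6", "smtp.commarts.com"),
        ("216.15.92.13", "mx.destination.example")]

if __name__ == "__main__":
    for tail in ("?all", "~all", "-all"):
        record = "v=spf1 ip4:216.15.92.0/25 " + tail
        for server, peer, result in receiver_view(HOPS, record, "commarts.com"):
            print(f"{record!r:38} {peer:>13} -> {server:24} {result}")
```

The first hop is the check the domain's own server would run on an authenticated submission, which is the case the thread handles by whitelisting SMTP AUTH; the second hop is the one the destination server evaluates and records.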
