Gary, You are correct. Message from authenticated accounts to other accounts on your server will show the originating IP as the last hop. Be assured, this is not the case with messages leaving your server bound for other locations. We've been using SPF and SmarterMail successfully for several years; in fact, it has saved our butts on several occasions.
As for Hotmail, Yahoo, AOL and the like, it's always a crap shoot anyway. We have one client that sends a weekly newsletter; one week everything runs smoothly and the next we'll get 100 messages back from Yahoo. We've given up trying to figure it out, but SPF is not the culprit. Shayne Embry -------- Original Message -------- > From: "Gary Steiner" <[EMAIL PROTECTED]> > Sent: Sunday, February 18, 2007 1:54 AM > To: [email protected] > Subject: Re: [Declude.JunkMail] OT: SPF record question > > No, I never belived that the SPF check was run against all the received > headers. I'm just looking at how Declude does its SPF check on email that > comes into my server. It always does it on the last hop. But looking at the > headers of the outgoing messages, (as I showed in my message below from > February 16, 2007 4:10 PM), the last hop is shown as the IP address of the > originating Outlook sender. This is why I am confused. Maybe this is a flaw > in SmarterMail in that it does not list itself in the headers of messages > that are internal to the server. > > I'm just not comfortable with SPF and am worried that I am shooting myself in > the foot by providing a method for other servers to block my legitimate mail. > I probably should have done more testing first, but I don't really have a > good way to specifically check for SPF validity. For example, I created a > Yahoo account and a Hotmail account. I sent email from my server to each. > Hotmail sent my message to its junkmail folder, Yahoo did not. I have no way > to know why Hotmail chose to flag the email as junk and Yahoo did not, as > neither add any spam checking messages to the header. I can see that both do > list my mail server as the last hop and not the originating Outlook computer > as the messages in my server's webmail do. > > At this point maybe I will just wait and see if any of my customers complain > about bounced mail. If I don't hear any complaints, then I (probably) don't > have anything to worry about. > > Gary > > > -------- Original Message -------- > > From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]> > > Sent: Sunday, February 18, 2007 12:03 AM > > To: [email protected] > > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > > > Darin, > > > > I am not sure why, but Gary seems to think SPF checks are run against ALL of > > the received headers. > > > > I am guessing that he has an SPF test action at the end of his Global.cfg, > > so that it is testing outgoing? > > > > Michael Thomas > > Mathbox > > 978-683-6718 > > 1-877-MATHBOX (Toll Free) > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > > > Behalf Of Darin Cox > > > Sent: Saturday, February 17, 2007 11:37 PM > > > To: [email protected] > > > Subject: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF record question > > > > > > Yes, it does. Message come in from your mail client and is > > > whitelisted by > > > SMTP AUTH. Now your server sends it to the destination. > > > Receiving server > > > sees the message coming from your server, and that your > > > server is a valid > > > sender for the domain in question according to your SPF policy. > > > > > > The last hop seen by the destination is your server, not your > > > mail client. > > > Your server satisfies your SPF policy, therefore the > > > receiving server checks > > > and records an SPF PASS. > > > > > > Forget about the client, as long as they send through your > > > server, and you > > > don't filter them out... either because they AUTH and you > > > whitelist on AUTH, > > > or any other way you avoid filtering your connecting users. > > > Its all about > > > your server sending to the destination server. > > > > > > This has been working for us for the past year and a half or so. > > > > > > Darin. > > > > > > > > > ----- Original Message ----- > > > From: "Gary Steiner" <[EMAIL PROTECTED]> > > > To: <[email protected]> > > > Sent: Saturday, February 17, 2007 11:22 PM > > > Subject: Re: [Declude.JunkMail] OT: SPF record question > > > > > > > > > My question still isn't coming across. In setting up SPF, I > > > don't want any > > > outgoing messages from my server to be bounced by others > > > because of a bad > > > SPF string. I can whitelist SMTP auth on my server, but that > > > does't help > > > the SPF problem because potentially when one of my users > > > sends a message to > > > someone, say on hotmail.com, it could get bounced because of bad SPF. > > > > > > For example, say my SPF string for my domain is "v=spf1 mx > > > mx:smtp.mydomain.com -all". This allows any email sent via > > > my SmarterMail > > > webmail to pass SPF. Now, if one of my users connects to the > > > server with > > > Outlook and SMTP Auth, and uses this to send an email, then > > > the IP address > > > that shows up in the last hop is the one he used to connect > > > to my sever, not > > > the IP address of my server. So the email message he sends > > > would fail SPF. > > > For it to pass, I would have to change my SPF string to "v=spf1 mx > > > mx:smtp.mydomain.com ip4:67.189.34.6 -all", and additionally > > > add a ip4: > > > entry for every instance that a user might connect to my > > > server with Outlook > > > . > > > > > > So does this mean that SPF is impractical for anyone not > > > strictly using > > > webmail? To me it implies that to cover all bases you would > > > have to have in > > > your SPF string "?all" and there would be no way to make it > > > stricter than > > > that, other than to force all your users to use webmail and > > > not Outlook. > > > > > > Gary > > > > > > > > > > > > -------- Original Message -------- > > > > From: "Darin Cox" <[EMAIL PROTECTED]> > > > > Sent: Friday, February 16, 2007 4:33 PM > > > > To: [email protected] > > > > Subject: Re: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF > > > record question > > > > > > > > Whitelisting SMTP Auth is the key here. Since you connect with a > > > userID/PW > > > > to your mail server, Whitelisting connections done through SMTP AUTH > > > > bypasses Declude filtering. > > > > > > > > Darin. > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Gary Steiner" <[EMAIL PROTECTED]> > > > > To: <[email protected]> > > > > Sent: Friday, February 16, 2007 4:10 PM > > > > Subject: RE: SPAM-WARN:Re: [Declude.JunkMail] OT: SPF > > > record question > > > > > > > > > > > > Let me give you my case. For this example I used my home Comcast > > > connection > > > > to send an email using Outlook and authentication. My > > > server uses Declude > > > > and SmarterMail. The header of the received message shows > > > one IP address > > > in > > > > a single Received line: > > > > > > > > Received: from c-67-189-34-6.hsd1.or.comcast.net [67.189.34.6] by > > > > mail.plusultraweb.com with SMTP; > > > > Fri, 16 Feb 2007 15:43:21 -0500 > > > > > > > > Michael's message via Declude's mailing list had three > > > Received lines: > > > > > > > > Received: from smtp.declude.com [63.246.31.248] by > > > mail.plusultraweb.com > > > > with SMTP; > > > > Fri, 16 Feb 2007 15:46:48 -0500 > > > > Received: from mail.mathbox.com [63.150.236.14] by > > > smtp.declude.com with > > > > SMTP; > > > > Fri, 16 Feb 2007 15:31:18 -0500 > > > > Received: from mikesplace [63.150.236.3] by > > > mail.mathbox.com with ESMTP > > > > (SMTPD-8.22) id A48F027C; Fri, 16 Feb 2007 15:31:11 -0500 > > > > > > > > In both messages Declude made checks versus the last hop > > > only (67.189.34.6 > > > > in my test message and 63.246.31.248 in the message from > > > Declude's mailing > > > > list. > > > > > > > > Since my Comcast IP address is not listed in my SPF string, > > > it failed > > > > Declude's SPF test. > > > > > > > > So what is the problem here? Is this a flaw in how > > > SmarterMail lists its > > > > hops? Should it be showing the Comcast IP address as the > > > final hop, or > > > > should it be showing my mail server? > > > > > > > > Since it is showing the Comcast address, SPF fails. The > > > only way to get > > > > around this is to end the SPF string with "?all", but if > > > I'm going to do > > > > that, I might as well not use SPF at all. > > > > > > > > Gary > > > > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
