>>RFC 5782 states:Thats for DNSBL/DNSWL, where its easy to tell the firewall
that, don't touch any response packets from dnswl.org and then it don't
matter.>>RFC 7208 states:Yes that applies to the SPF client. A firewall between
the SPF client and server cant know the packet is meant for a RFC 7208
client.>>Presumably, a mail server should not consult a DNS hacked for
browsers?Presumably, a firewall located between LAN and WAN has no way to know
if the UDP packet is for a SPF client or browser. It sees a DNS response packet
coming from a server on the WAN side that is not in the firewall's list of
servers permitted to bypass DNS Rebinding orotection, finds a private IP in the
response, and throws the UDP packet in the
dustbin.>>~exists:%{ir}.list.dnswl.org -allWould work for me, I handle both -
and ~ as reject.Otherwise stupid to control SPF using antispam mechanisms as I,
and propably many other, use SPF as a genuinity mechanism - if a mail from my
internet bank has a good SPF, I know I can trust it and act on it.Best regards,
Sebastian Nielsen
-------- Originalmeddelande --------Från: Alessandro Vesely via mailop
<mailop@mailop.org> Datum: 2025-06-17 13:53 (GMT+01:00) Till:
mailop@mailop.org Ämne: Re: [mailop] iphmx.com - who owns that server (SPF
fault) On Tue 17/Jun/2025 10:10:47 +0200 sebastian wrote:> > The thing is that
iphmx.com seems to be a MaaS infrastructure who tells clients > to use exists:
as SPF records.> > Like: exists:%{i}.spf.hc2347-76.eu.ipmx.com> > One example:>
> 23.90.102.86.spf.hc2437-76.eu.iphmx.com> > The problem is that these resolve
to a private IP (172.0.0.2) which causes SPF > failures due to DNS rebinding
protection. Returning private IP addresses for > external use is a big
no-no.Why? RFC 5782 states: The contents of the A
record MUST NOT be used as an IP address. The A record contents
conventionally have the value 127.0.0.2, but MAY have other values [...]>
Works well for DNSBLs because in those situations its easy to configure a >
exception for the DNSBL server. Not so easy to configure an exception for all >
SPFes.Why? RFC 7208 states: exists = "exists" ":" domain-spec
The <domain-spec> is expanded as per Section 7. The resulting domain name
is used for a DNS A RR lookup (even when the connection type is IPv6). If
any A record is returned, this mechanism matches.Presumably, a mail server
should not consult a DNS hacked for browsers?> Recommended DNS configuration
change:> Have the A record return its own IP:> >
23.90.102.86.spf.hc2437-76.eu.iphmx.com IN A 23.90.102.86That might work for
the custom settings of iphmx. However, SPF records can also point to public
DNSWLs, which is an effective filtering method. For example:
~exists:%{ir}.list.dnswl.org -allThis is stricter than ~all, yet allows most
forwarding.BestAle-- _______________________________________________mailop
mailing listmailop@mailop.orghttps://list.mailop.org/listinfo/mailop_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
