Re: [mailop] Blocking emails from domains without SPF records

2016-08-19 Thread Dave Crocker



> An SPF pass is a reasonably strong signal that the mail did come from
> the purported source.  An SPF fail doesn't tell you much.



The basic rule is that without any established track record, any 
'directive' from a sender, about how a receiver should handle received 
mail, is strongly likely to have significant false positives.


Hence, processing with a heightened level of concern makes sense, while 
blindly following the directive does not.


d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Blocking emails from domains without SPF records

2016-08-19 Thread John Levine
In article <27d11417-6cdf-62cf-3d97-7a4e5581b...@blakjak.net> you write:
>Perhaps I've missed something, but isn't the whole point of SPF that if 
>a _sender domain_ publishes a -all SPF record, that any platform using 
>SPF is _supposed to reject email that doesn't pass_ ?

Ten years ago there were people who believed that.  I'm dismayed to
see people still saying that today.

SPF tells you where the sender asserts that its mail will come from.
That's fine as far as it goes, but most senders do not actually
understand mail very well, and their assertions are wrong.  There is a
school of thought along the lines of "tough noogies, if their SPF
tells you to drop legit mail that's their problem", but that's a good
way to make your mail users find a provider who's less wedged.

An SPF pass is a reasonably strong signal that the mail did come from
the purported source.  An SPF fail doesn't tell you much.

R's,
John
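
As an added illustration (not part of the original thread, and not any participant's code), the example below compares three receiver policies raised in this thread: rejecting on any SPF fail, accepting only authenticated mail with the IPv4/IPv6 split, and treating SPF as one contributing factor in a cumulative score. The weights, threshold, function names and sample messages are assumptions constructed for the example.

```python
import ipaddress

# SPF result names as defined in RFC 7208 section 2.6.
SPF_RESULTS = {"none", "neutral", "pass", "fail", "softfail", "temperror", "permerror"}

# Assumed weights (illustrative, not from the thread): a pass is a strong
# positive signal, a fail or a missing record only a mild negative one.
SPF_SCORE = {"pass": -2.0, "fail": 1.5, "softfail": 1.0, "none": 0.5,
             "neutral": 0.0, "temperror": 0.0, "permerror": 0.5}
DKIM_PASS_SCORE = -2.0
SPAM_THRESHOLD = 5.0  # assumed; other content/reputation tests add to the score


def obey_directive(spf):
    """Hard switch: reject whenever the sender's record yields 'fail'."""
    return "reject" if spf == "fail" else "accept"


def authenticated_only(spf, dkim_pass, client_ip):
    """Rate limit unauthenticated IPv4 mail, reject unauthenticated IPv6 mail."""
    if spf == "pass" or dkim_pass:
        return "accept"
    return "reject" if ipaddress.ip_address(client_ip).version == 6 else "ratelimit"


def cumulative(spf, dkim_pass, other_score=0.0):
    """SPF as one contributing factor among other tests; returns (action, score)."""
    if spf not in SPF_RESULTS:
        raise ValueError(f"unknown SPF result: {spf}")
    score = other_score + SPF_SCORE[spf] + (DKIM_PASS_SCORE if dkim_pass else 0.0)
    return ("reject" if score >= SPAM_THRESHOLD else "accept"), score


# Constructed scenarios: (label, SPF result, DKIM pass, client IP, other score)
SCENARIOS = [
    ("direct mail, SPF pass",             "pass", False, "192.0.2.10",   0.0),
    ("forwarded mail from a -all domain", "fail", True,  "192.0.2.20",   0.0),
    ("legacy sender, no SPF/DKIM, IPv4",  "none", False, "192.0.2.30",   0.0),
    ("same legacy sender over IPv6",      "none", False, "2001:db8::30", 0.0),
    ("SPF fail plus spammy content",      "fail", False, "192.0.2.40",   4.0),
]


def compare():
    """Return (label, hard-switch, authenticated-only, cumulative) per scenario."""
    return [(label, obey_directive(spf), authenticated_only(spf, dkim, ip),
             cumulative(spf, dkim, other)[0])
            for label, spf, dkim, ip, other in SCENARIOS]


if __name__ == "__main__":
    for row in compare():
        print("{:36} {:8} {:10} {}".format(*row))
```

The forwarded-mail row is where the policies diverge: the hard switch rejects a message that DKIM still authenticates, while the other two accept it.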



Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Franck Martin via mailop
I think we were talking here about rejecting emails from a domain that does
not have an SPF policy, which is a bit different from rejecting emails from
a domain with an SPF policy "-all" and a fail result.

For IPv6, bad stuff happens to non authenticated emails, as the archive on
this list is showing. Look for stuff like "X is sending all my email to the
spam folder (because I just enabled IPv6 on my mail server)".

Also it is a M3AAWG recommendation that all emails on IPv6 must be
authenticated and the receivers to act accordingly (short crude summary).
https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf

On Wed, Aug 17, 2016 at 3:06 PM, Michelle Sullivan wrote:

> Mark Foster wrote:
>
>> By 'configured to do so', does Michelle mean, well, obeying SPF?
>
> Yes I mean if the receiving server is both checking SPF and enforcing the
> policy configured ;-) (sorry I did a really bad job of being clear :) )
>
>
> --
> Michelle Sullivan
> http://www.mhix.org/
>


Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Michelle Sullivan

Mark Foster wrote:

> By 'configured to do so', does Michelle mean, well, obeying SPF?

Yes I mean if the receiving server is both checking SPF and enforcing 
the policy configured ;-) (sorry I did a really bad job of being clear :) )


--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Michelle Sullivan

Steve Atkins wrote:

> Anyone who is sending mail over IPv6 has touched the network recently 
> enough that they don't have that excuse, and it's not unreasonable to 
> hold them to a slightly higher standard.


100% with you on that... but you know the way it is... the more people 
start using ipv6 the less experienced people will try and get on... and 
they won't bother learning, just as they didn't when Microsoft first 
brought out Exchange and every man and his dog were able to deploy their 
very own open-relay server... ;-)


(At least most products nowadays actually for the most part deploy in a 
secure fashion.)


Regards,

Michelle

--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Steve Atkins

> On Aug 17, 2016, at 2:38 PM, Michelle Sullivan wrote:
> 
> Franck Martin wrote:
>> I don't think you should block however:
> 
> I'm not making any call either way - it's up to the admins involved. 
> Personally I have a valid SPF record my milter I wrote and build from scratch 
> the other week uses libspf2 to make determinations on whether to accept or 
> reject email based on the pass/soft fail/hard fail, it makes no 
> differentiation between 'has a SPF record' and 'does not have a SPF record'.
>> 
>> -IPv4 rate limit if the email is not authenticated (pass SPF or DKIM)
>> -IPv6 reject email if it is not authenticated (pass SPF or DKIM)
> 
> Personally I wouldn't treat them differently, but that's my personal opinion.

There is a fairly good reason to - and I say this as someone whose 
non-SPF-authenticated IPv6 email has been blocked solely by LinkedIn, not by 
anyone else - and that's deployment dates. The main reason to accept 
non-authenticated mail is that it's likely coming from legacy systems that 
haven't been maintained or updated in decades, and which may not be able to 
deploy DKIM (or SPF, come to that).

Anyone who is sending mail over IPv6 has touched the network recently enough 
that they don't have that excuse, and it's not unreasonable to hold them to a 
slightly higher standard.

Cheers,
  Steve




Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Mark Foster
Perhaps I've missed something, but isn't the whole point of SPF that if 
a _sender domain_ publishes a -all SPF record, that any platform using 
SPF is _supposed to reject email that doesn't pass_ ?


Forwarded email is going to cause an SPF failure, unless the 
envelope-sender is rewritten (ala mailing lists and such).  By 
'configured to do so', does Michelle mean, well, obeying SPF? Referring 
to the table at http://www.openspf.org/SPF_Record_Syntax the presence of 
a -all has a pretty clear requirement.


Publishing 'a' SPF record is not the same as publishing a 'Fail' record. 
Domains can publish an SPF record with any of the other conditions, the 
outcomes are clearly indicated.


Lack of an SPF record is, slowly, going to make life more and more 
difficult for those trying to send email; the existence of even a +all 
record suggests that at least the DNS Admin knows what SPF _is_.


But down-scoring email without an SPF record, or perhaps email with an 
SPF failure but not -all, seems like a valid approach, as long as it's 
only a contributing factor to a cumulative approach, and not treated as 
a hard-switch.


IMHO.
Mark.


On 18/08/2016 9:07 a.m., Franck Martin via mailop wrote:

> I don't think you should block however:
>
> -IPv4 rate limit if the email is not authenticated (pass SPF or DKIM)
> -IPv6 reject email if it is not authenticated (pass SPF or DKIM)
>
> On Wed, Aug 17, 2016 at 12:23 PM, Michelle Sullivan wrote:
>
>> Brandon Long via mailop wrote:
>>
>>> If your mail server doesn't expect to get forwarded mail, I
>>> can see using SPF like that.
>>>
>>> If you do expect to get forwarded mail, then it seems likely
>>> to cause more false positives than it's worth.
>>
>> I don't see that...  Renaud just quoted
>> https://www.iplocation.net/email-delivery-problems "Many mail
>> servers refuse to accept emails from an IP address without SPF
>> record" not that the SPF record should be restrictive when it
>> comes to forwarded mail remembering the SPF is just to
>> identify the places where a domain's email may originate and
>> whether the set policy is to be enforced or just used for
>> information.  SPF doesn't stop forwarded email unless configured
>> to do so... and not forgetting we're talking about where you're
>> sending to, not about you receiving in this context.  Ie I may
>> choose not to accept email from domains without SPF, if google.com
>> doesn't have an SPF record it would just stop
>> you sending to me, if you put in a +all or ?all record into
>> google.com's DNS I would accept your email...
>>
>> Regards,
>>
>> --
>> Michelle Sullivan
>> http://www.mhix.org/





Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Michelle Sullivan

Franck Martin wrote:

> I don't think you should block however:

I'm not making any call either way - it's up to the admins involved. 
Personally I have a valid SPF record my milter I wrote and build from 
scratch the other week uses libspf2 to make determinations on whether to 
accept or reject email based on the pass/soft fail/hard fail, it makes 
no differentiation between 'has a SPF record' and 'does not have a SPF 
record'.

> -IPv4 rate limit if the email is not authenticated (pass SPF or DKIM)
> -IPv6 reject email if it is not authenticated (pass SPF or DKIM)

Personally I wouldn't treat them differently, but that's my personal opinion.

Regards,

Michelle

> On Wed, Aug 17, 2016 at 12:23 PM, Michelle Sullivan wrote:
>
>> Brandon Long via mailop wrote:
>>
>>> If your mail server doesn't expect to get forwarded mail, I
>>> can see using SPF like that.
>>>
>>> If you do expect to get forwarded mail, then it seems likely
>>> to cause more false positives than it's worth.
>>
>> I don't see that...  Renaud just quoted
>> https://www.iplocation.net/email-delivery-problems "Many mail
>> servers refuse to accept emails from an IP address without SPF
>> record" not that the SPF record should be restrictive when it
>> comes to forwarded mail remembering the SPF is just to
>> identify the places where a domain's email may originate and
>> whether the set policy is to be enforced or just used for
>> information.  SPF doesn't stop forwarded email unless configured
>> to do so... and not forgetting we're talking about where you're
>> sending to, not about you receiving in this context.  Ie I may
>> choose not to accept email from domains without SPF, if google.com
>> doesn't have an SPF record it would just stop
>> you sending to me, if you put in a +all or ?all record into
>> google.com's DNS I would accept your email...
>>
>> Regards,
>>
>> --
>> Michelle Sullivan
>> http://www.mhix.org/









--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Franck Martin via mailop
I don't think you should block however:

-IPv4 rate limit if the email is not authenticated (pass SPF or DKIM)
-IPv6 reject email if it is not authenticated (pass SPF or DKIM)

On Wed, Aug 17, 2016 at 12:23 PM, Michelle Sullivan wrote:

> Brandon Long via mailop wrote:
>
>> If your mail server doesn't expect to get forwarded mail, I can see using
>> SPF like that.
>>
>> If you do expect to get forwarded mail, then it seems likely to cause
>> more false positives than it's worth.
>>
>>
> I don't see that...  Renaud just quoted
> https://www.iplocation.net/email-delivery-problems "Many mail servers
> refuse to accept emails from an IP address without SPF record" not that
> the SPF record should be restrictive when it comes to forwarded mail
> remembering the SPF is just to identify the places where a domain's
> email may originate and whether the
> set policy is to be enforced or just used for information.  SPF doesn't
> stop forwarded email unless configured to do so... and not forgetting we're
> talking about where you're sending to, not about you receiving in this
> context.  Ie I may choose not to accept email from domains without SPF, if
> google.com doesn't have an SPF record it would just stop you sending to
> me, if you put in a +all or ?all record into google.com's DNS I would
> accept your email...
>
> Regards,
>
> --
> Michelle Sullivan
> http://www.mhix.org/


Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Michelle Sullivan

Brandon Long via mailop wrote:

> If your mail server doesn't expect to get forwarded mail, I can see 
> using SPF like that.
>
> If you do expect to get forwarded mail, then it seems likely to cause 
> more false positives than it's worth.




I don't see that...  Renaud just quoted 
https://www.iplocation.net/email-delivery-problems "Many mail servers 
refuse to accept emails from an IP address without SPF record" not that 
the SPF record should be restrictive when it comes to forwarded mail 
remembering the SPF is just to identify the places where a domain's email 
may originate and whether the set policy is to be enforced or just used 
for information.  SPF doesn't stop forwarded email unless configured to 
do so... and not forgetting we're talking about where you're sending to, 
not about you receiving in this context.  Ie I may choose not to accept 
email from domains without SPF, if google.com doesn't have an SPF record 
it would just stop you sending to me, if you put in a +all or ?all 
record into google.com's DNS I would accept your email...


Regards,

--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Brandon Long via mailop
If your mail server doesn't expect to get forwarded mail, I can see using
SPF like that.

If you do expect to get forwarded mail, then it seems likely to cause more
false positives than it's worth.

Brandon

On Wed, Aug 17, 2016 at 6:41 AM, Al Iverson wrote:

> It's kind of a moot point. Not many sites block mail lacking SPF
> today, but the longer you send mail from a domain without an SPF
> record, the more likely you are to eventually run into woe. So your
> point is valid, but only in a pretty limited way. I'd say add the SPF
> record.
>
> Gmail doesn't say that they'll block mail lacking SPF, but they do now
> say that they will put a big ole question mark in the Gmail UI if the
> sender lacks an SPF record or DKIM authentication.
>
> Cheers,
> Al Iverson
>
> --
> Al Iverson
> www.aliverson.com
> (312)725-0130
>
>
> On Wed, Aug 17, 2016 at 5:55 AM, Renaud Allard via mailop wrote:
> > Hello,
> >
> > I am following another message which suggested that btinternet.com was
> > blocking emails from domains without SPF records.
> > This website suggests this is "common practice" in point 4:
> > https://www.iplocation.net/email-delivery-problems
> >
> > Do you have this kind of policy or any evidence of this behavior being
> > common? I am just wondering about the percentage of mail servers with
> > this kind of policy being in place.
> >
> > Regards
> >


Re: [mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Al Iverson
It's kind of a moot point. Not many sites block mail lacking SPF
today, but the longer you send mail from a domain without an SPF
record, the more likely you are to eventually run into woe. So your
point is valid, but only in a pretty limited way. I'd say add the SPF
record.

Gmail doesn't say that they'll block mail lacking SPF, but they do now
say that they will put a big ole question mark in the Gmail UI if the
sender lacks an SPF record or DKIM authentication.

Cheers,
Al Iverson

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, Aug 17, 2016 at 5:55 AM, Renaud Allard via mailop wrote:
> Hello,
>
> I am following another message which suggested that btinternet.com was
> blocking emails from domains without SPF records.
> This website suggests this is "common practice" in point 4:
> https://www.iplocation.net/email-delivery-problems
>
> Do you have this kind of policy or any evidence of this behavior being
> common? I am just wondering about the percentage of mail servers with
> this kind of policy being in place.
>
> Regards
>


[mailop] Blocking emails from domains without SPF records

2016-08-17 Thread Renaud Allard via mailop
Hello,

I am following another message which suggested that btinternet.com was
blocking emails from domains without SPF records.
This website suggests this is "common practice" in point 4:
https://www.iplocation.net/email-delivery-problems

Do you have this kind of policy or any evidence of this behavior being
common? I am just wondering about the percentage of mail servers with
this kind of policy being in place.

Regards


