[Mailman-Users] SPF best practices?

Stephen J. Turnbull stephen at xemacs.org
Sun Aug 23 17:13:14 CEST 2015

Dennis Carr writes:

 > The a:smtp.comcast.net is necessary so I can send email remotely
 > through my ISP and clear out successfully. 

That does mean that anybody who can send through smtp.comcast.net can
send as a mailbox from your domain and pass DMARC, most likely.  I
don't see a way to profitably exploit that offhand, though (unless
you're a bank).

 > I'm a bit bothered by the '~all', however.  I really don't want to do
 > '-all' as I'm concerned that anybody who posts to the list would cause
 > anybody on Yahoo or the MSFT owned domains (hotmail, live, etc.) to
 > bounce again.

Executive summary: if you're sure you've got all your hosts covered by
the SPF record, use -all as Jim P says.

Explanation: If you've got the SPF right, you *do* know all of the
relevant hosts, and you've got them covered.  Anybody else is spoofing
your host at the transport level (*not* the From header), so deny

OTOH, your SPF has nothing to do with authentication of list posts
from other domains.  If your MTA and Mailman are configured correctly,
both HELO and MAIL FROM defined by RFC 5321 will contain one of your
domains (bast.chez-vrolet.net or chez-vrolet.net), and the last hop
will be verified as coming from your domain using your SPF.  This is
regardless of the identity in From.

If the recipient participates in DMARC, and the message is From you,
it will also pass DMARC.  (Effectively; the details are nitpicky.)

If the recipient participates in the DMARC protocol, and you resend a
post from a third party, the recipient will *also* check the SPF for
the domain in the RFC 5322 From field, and it will fail.  There is no
change you can make to your SPF record that can change this; it's the
remote domain's SPF record that matters.

This is why DMARC specifies that a valid DKIM signature by the domain
in From is also a pass.  SPF is absolutely useless except for "direct
to recipient" messages (strictly speaking, sender's MX to recipient's
MX, it might bounce around a bit inside each domain).  Of course such
direct mail is a large fraction of mail on the Internet nowadays, so
it's a very useful exception in general.

Unfortunately, public discussion mailing lists can't take advantage of
that exception.



More information about the Mailman-Users mailing list