
Re: [Mailman-Users] SPF best practices?


Dennis Carr

Aug 23, 2015, 3:29:21 PM
On Mon, 24 Aug 2015 00:13:14 +0900
"Stephen J. Turnbull" <ste...@xemacs.org> wrote:

> That does mean that anybody who can send through smtp.comcast.net can
> send as a mailbox from your domain and pass DMARC, most likely. I
> don't see a way to profitably exploit that offhand, though (unless
> you're a bank).

This means, then, that I should probably remove it from the SPF record
- at its current configuration, the ~all should at least softfail while
I work on getting Postfix set up for TLS.

-Dennis Carr

Dennis Carr

Aug 23, 2015, 3:30:16 PM
On Sun, 23 Aug 2015 11:27:57 -0700
Mark Sapiro <ma...@msapiro.net> wrote:

> You can never know if any of your intended recipient addresses pass
> through such a relay, thus my opinion is if you're concerned about
> your mail being delivered, you can't use SPF -all.

To that end, then, my lists by default tend to be set to
reply-to-list, and they don't munge the sender (From:) address. So a
sample header set from FFML from a recent admin post:

-----

Return-Path: <ffml-bounces
+dennisthetiger=chez-vr...@chez-vrolet.net>

X-Original-To: dennist...@chez-vrolet.net

From: Dennis Carr
<dennist...@chez-vrolet.net>

To: ff...@chez-vrolet.net
X-BeenThere: ff...@chez-vrolet.net

Reply-To: The Fanfiction Mailing List <ff...@chez-vrolet.net>

List-Id: The Fanfiction Mailing List <ffml.chez-vrolet.net>

Errors-To: ffml-bounces+dennisthetiger=chez-vr...@chez-vrolet.net

Sender: "ffml" <ffml-bounces
+dennisthetiger=chez-vr...@chez-vrolet.net>

-----

Sorry about the line breaks - Sylpheed is set to 72 characters and
really, really wants to word-wrap. =/

In short, +all and -all are foregone (both bad ideas for their own
reasons), and with the above post it all goes out (because a: is me),
but with 300+ users on Yahoo and MSFT domains, am I better off setting
'~all' or '?all'?

Note, DKIM is pending at this point - I'll be reading up on it in my
Copious Free Time(TM). =) (Bad news is that I won't have much time
between now and Labor Day weekend, as I'm preparing for a vacation in
Portland OR. Good news is that, for now, everything seems to be going
well - but the only list traffic that's flown out since fixing the
record is that which I've sent, so I can't confirm that this will
work correctly quite yet.)

-Dennis Carr
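
Added example, not part of the original thread or of Mailman: a Python sketch of the two checks a receiver applies to list mail like the headers above, namely which SPF result the trailing `all` term yields for unlisted senders (RFC 7208) and whether the Return-Path domain aligns with the From: domain for DMARC. The domains, the SPF record and both header sets are constructed, and `org_domain` is a simplification that assumes two-label organizational domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# RFC 7208 qualifiers and the result produced when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def all_result(spf_record):
    """Result for a sender that matches no mechanism before 'all'."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            return QUALIFIERS[m.group(1) or "+"]  # bare 'all' means '+all'
    return "neutral"  # nothing matched; redirect= is not followed here

def org_domain(addr):
    """Last two labels of the address domain (assumption: a real check
    needs the Public Suffix List)."""
    domain = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])

def spf_aligned(raw_headers):
    """DMARC relaxed SPF alignment: Return-Path domain vs From: domain."""
    msg = message_from_string(raw_headers)
    return org_domain(msg["Return-Path"]) == org_domain(msg["From"])

# Constructed samples: a list that rewrites the envelope sender (VERP)
# but leaves From: untouched, as in the thread.
OWNER_POST = (
    "Return-Path: <list-bounces+owner=list.example@list.example>\n"
    "From: Owner <owner@list.example>\n\n"
)
SUBSCRIBER_POST = (
    "Return-Path: <list-bounces+user=webmail.example@list.example>\n"
    "From: User <user@webmail.example>\n\n"
)

if __name__ == "__main__":
    for record in ("v=spf1 a include:relay.example ~all",
                   "v=spf1 a include:relay.example ?all"):
        print(record, "->", all_result(record))
    print("owner post aligned:", spf_aligned(OWNER_POST))
    print("subscriber post aligned:", spf_aligned(SUBSCRIBER_POST))
```

The subscriber post shows why the choice of qualifier on the list domain does not decide DMARC for third-party From: domains: SPF is evaluated against the list's Return-Path domain, which does not align with the subscriber's From: domain.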
