:: Re: [DNG] Excessive bounces
Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] Excessive bounces
Quoting Simon Hobson (linux@???):

> SPF breaks mailing lists and mail forwarders - and this is NOT (IMO)
> fixable without introducing a wide open front gate for spammers to
> ride through and completely bypass SPF.


No, it does not break mailing lists. It _does_ break other common types
of forwarders unless they adopt SRS-wrapping.

The reason it does not adversely affect mailing lists is that SPF
validates only the envelope header: The receiving MTA verifies that the
delivering MTA's IP address is mentioned in the claimed sending domain's
SPF RR (if there is one in that domain's DNS).

Consider the envelope header of your own Dng posting, as received by
linuxmafia.com's MTA when it received my subscription's copy. Here's
the way your post arrived:

From dng-bounces@??? Thu Aug 03 05: 8:39 2017
Return-path: <dng-bounces@???>
Envelope-to: rick@???

So, the envelope sender's domain was dyne.org, not thehobsons.co.uk, and
my receiving MTA will perform a DNS check against the former.

:r! dig -t txt dyne.org +short

"google-site-verification=6FghqJroXIvBY8cutq6ouO0RC-a8qynFu6sJR3S-IbA"
"v=spf1 mx ip4:178.62.188.7/32 ip4:188.226.191.63/32 ip4:213.127.180.241/32 -all"
"google-site-verification=2XoWrMMTQ7jmgcB_76Y_TQSnWDGhR4e-y_KLqoKOK1Q"


:r! dig lists.dyne.org +short
178.62.188.7

And, lo! The envelope sender does validate.

You are probably confusing mailing lists, which provide new envelope
headers during forwarding citing the forwarding domain, with other
forwarders like /etc/alias entries and ~/.forward files. It's for the
_latter_ that SPF author Meng Wong invented that goofy Sender Rewriting
System. Mailing lists, by contrast, don't have the problem he invented
that kludge to fix.


And, again, Simon, my mail domain linuxmafia.com has had an SPF hardfail
directive in its DNS since around 2003, and the specifier is extremely
narrow:

:r! dig -t txt linuxmafia.com +short
"v=spf1 a mx -all"

That says 'If a mail's envelope header claims it's from linuxmafia.com,
but the delivering MTA doesn't match either linuxmafia.com's DNS A
record or its MX record, please consider it definitively a forgery.'
I'm on _many_ mailing lists on many hosts. If my mailing list mail had
a deliverability problem caused by hardfailing forgeries of my envelope
header, I'd have figured that out, some time over the past 14 years. It
does not happen, because mailing lists work better than /etc/alias
entries and ~/.forward files by design.
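The check Rick describes, as an added example that is not part of the thread: a minimal SPF evaluator (only the a, mx, ip4 and all mechanisms, no include/redirect/macros/lookup limits) run against a constructed offline DNS table. The two SPF TXT records and lists.dyne.org's A record are copied from the post; the linuxmafia.com A/MX addresses and the forwarder's IP are assumed placeholders from documentation address ranges.

```python
import ipaddress

# Constructed DNS table standing in for the live dig lookups in the post.
# The two SPF strings and 178.62.188.7 are from the post; the 198.51.100.x
# addresses are assumed placeholders, not linuxmafia.com's real records.
DNS = {
    "dyne.org": {
        "TXT": ["v=spf1 mx ip4:178.62.188.7/32 ip4:188.226.191.63/32 "
                "ip4:213.127.180.241/32 -all"],
        "MX": ["lists.dyne.org"],          # assumed: MX points at the list host
    },
    "lists.dyne.org": {"A": ["178.62.188.7"]},
    "linuxmafia.com": {
        "TXT": ["v=spf1 a mx -all"],
        "A": ["198.51.100.10"],            # placeholder
        "MX": ["linuxmafia.com"],          # placeholder: MX is the host itself
    },
}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def mechanism_matches(mech, domain, ip):
    """Does one SPF mechanism match the delivering MTA's IP address?"""
    if mech == "a":
        return any(ip == ipaddress.ip_address(a) for a in lookup(domain, "A"))
    if mech == "mx":   # each MX name resolves to A records, as a real MTA would do
        return any(ip == ipaddress.ip_address(a)
                   for mx in lookup(domain, "MX") for a in lookup(mx, "A"))
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    if mech == "all":
        return True
    raise ValueError("unsupported mechanism: " + mech)

def spf_check(envelope_sender, client_ip):
    """SPF result for the envelope (MAIL FROM / Return-path) sender and client IP."""
    domain = envelope_sender.rsplit("@", 1)[1]     # only the envelope domain matters
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mechanism_matches(mech, domain, ip):
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"   # ran off the end of the record without a match

if __name__ == "__main__":
    # Mailing list: envelope rewritten to the list's bounce address, sent from the list host.
    print(spf_check("dng-bounces@dyne.org", "178.62.188.7"))      # pass
    # ~/.forward style relay: envelope sender kept, but delivered from an unrelated host.
    print(spf_check("rick@linuxmafia.com", "203.0.113.5"))         # fail (-all)
```

The second call is the case SRS exists for: the relay would have to rewrite the envelope sender to its own domain (as a list does) for the check to pass.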