[Gllug] Sender Policy Framework

Mike Brodbelt mike at coruscant.demon.co.uk
Sat Mar 26 18:05:01 UTC 2005


On Sat, 2005-03-26 at 16:03 +0000, Adrian McMenamin wrote:
> I have some perl code that allows a user to send an email to a large
> number of people with the envelope address set to their own address (so
> that bounces etc are correctly routed back to the user and not to a
> mixture of the user and the admin depending on how the MUA/MTA is set up
> at the far end).
> 
> For the first time this is now causing problems with SPF - mails are
> being rejected for one user who is using a gmail address (NB: this isn't
> spam of any sort).

> What is the best strategy for dealing with this? Do I just have to live
> with bounces scattering about and not forcing the envelope address, or
> is there a way to legitimately set the envelope address that SPF will
> accept?

There's no way to "legitimately set the envelope address", as SPF is
designed to block this sort of thing. However, the simple presence of an
SPF record for a domain does not necessarily block sending mail
addressed from that domain from other machines - it depends what's in
the SPF record. Google has a record set up for gmail like so:-

$ host -t txt gmail.com
gmail.com    TXT  "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com a:wproxy.gmail.com ?all"

The first atom is the SPF version, the remainder are "mechanisms", which
should be evaluated from left to right, and have an implicit "pass on
match". So, the receiver SPF implementation should check if the sender is
mproxy.gmail.com, then rproxy, etc. If any of these match, the message
is "passed" and processing of the SPF record stops there. The "all" term
matches everything, so all mail from machines other than those specified
will match that, and the preceding "?" means the SPF implementation
should return "Neutral".

Now, a neutral response is supposed to mean that the domain owner has
neither explicitly permitted nor denied mail from the sender, so if
people are rejecting messages from you where you've set the envelope
sender to a gmail address, I believe they're violating the spec by doing
so.

In the longer term, if SPF becomes more widely adopted, setting
arbitrary envelope senders may become impossible. In my view this would
be a bad thing, as we'd be sacrificing important control over mail
routing. I don't personally reject mail based on SPF, and I've
deliberately chosen not to publish SPF records for any of my domains, as
I think it's a standard that may well do more harm than good. That said,
I am checking SPF records from within spamassassin, so you do pick up
some additional "spamminess" from it though. YMMV.

Mike.

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
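
The left-to-right evaluation described in the reply above, as an added example that is not part of the original post. It handles only the `a:`, `ip4:` and `all` mechanisms; the function name, the DNS stand-in dictionary, the sample addresses and the `-all` variant are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result. A mechanism with no prefix means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip, a_records):
    """Evaluate a simplified SPF record, left to right, first match wins.

    Handles only `a:<host>`, `ip4:<cidr>` and `all`. a_records maps a
    hostname to its IPv4 addresses and stands in for live DNS lookups.
    Returns (result, matched_term).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)  # no usable SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a" and arg:
            hosts = a_records.get(arg.lower(), [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"term not handled by this sketch: {term}")
        if matched:
            return (QUALIFIERS[qualifier], term)  # stop at the first match
    return ("neutral", None)  # nothing matched: the default result is neutral

# The gmail.com record quoted in the post.
GMAIL_2005 = ("v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com "
              "a:wproxy.gmail.com ?all")
# Constructed variant ending in "-all", for contrast (not a real record).
STRICT_VARIANT = GMAIL_2005.replace("?all", "-all")
# Constructed addresses from the documentation ranges, not Google's real ones.
SAMPLE_DNS = {"mproxy.gmail.com": ["192.0.2.10"],
              "rproxy.gmail.com": ["192.0.2.11"],
              "wproxy.gmail.com": ["192.0.2.12"]}

if __name__ == "__main__":
    for label, rec in (("?all", GMAIL_2005), ("-all", STRICT_VARIANT)):
        for ip in ("192.0.2.11", "203.0.113.50"):
            print(label, ip, evaluate_spf(rec, ip, SAMPLE_DNS))
```

A sender outside the listed hosts gets "neutral" from the quoted record and "fail" from the constructed `-all` variant, which is the difference a receiving MTA's rejection policy should key on.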



