configuration error in lists.isc.org

Reindl Harald h.reindl at thelounge.net
Mon Aug 10 22:17:54 UTC 2015


BTW: your SPF is completely broken
http://www.openspf.org/Why?s=mfrom;id=lkchen@ksu.edu;ip=54.200.129.228


The domain outbound._spf.mailhop.org has published an SPF policy, 
however, an error occurred while the receiving mail server tried to 
evaluate the policy:

Missing required IPv4 address in 'ip4:'.

On 11.08.2015 at 00:12, Reindl Harald wrote:
> truncated the long, hard to understand and unrelated stuff....
>
> On 10.08.2015 at 23:49, Lawrence K. Chen, P.Eng. wrote:
>>> that above is pure nonsense - your DOMAIN has either a strict SPF policy -
>>> or a testing policy ~ and no mix of both
>>>
>>> ~ means "testing, please don't reject if it doesn't pass" and *nothing* with
>>> good or bad IPs - from the moment on you have a ~ you don't enforce SPF for
>>> *anybody* - bad enough that this topic appeared at all but much more bad
>>> that so many people setup SPF without understanding it
>>>
>> Except there are people that feel a strict black and white policy is too
>> limiting.
>
> well, when you can't say from where you send mail you should refrain
> from setting up SPF at all
>
>> Especially when the IPs are a shared resource of the service provider
>> where there's little to stop another customer from pretending to be us
>> (just as there was nothing for us to pretend to be
>
> the shared resource doesn't enforce SMTP authentication?
>
>> .... or permit a
>> visiting research to continue to send with his email address but through
>> our servers....)
>
> this has *nothing* to do with *your* SPF policy
>
> your SPF record has nothing to do with foreign envelope-senders just
> because it says "these are allowed servers for my envelope domain" and
> nothing else
>
>> When suddenly they setup an SPF and rejected mail from us, with lots of
>> angry messages and calls that it's my job to fix it so it'll work again.
>
> in that case it has to be ruled out if you made a mistake by not including
> all your sending servers in your SPF
>
>> As the apparently lots of different universities have been originating
>> mail this way for years and years.  And, they need to continue to do so,
>> as the application can't do any authentication for sending....(since it
>> had always worked....)
>
> that's a lame excuse and finally means "don't setup SPF/DMARC at all if
> you have no clue who is sending from where with what envelopes"
>
> "since it has always worked" is a bad attitude - you enforce policies or
> just don't touch them at all
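
Added example, not part of the original message: a small linter that flags an `ip4:` mechanism with no address (the error quoted from openspf.org above) and reports which RFC 7208 result a record's `all` term yields. The function name `lint_spf` and the sample records are constructed for illustration.

```python
import ipaddress

# RFC 7208 result names for each qualifier; a term with no qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(record):
    """Return (result of the 'all' term or None, list of syntax errors)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["record does not start with v=spf1"]
    all_result, errors = None, []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as redirect= or exp=, not a mechanism
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            all_result = QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            if not value:
                errors.append(f"missing address in '{name}:'")
                continue
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                errors.append(f"invalid address in '{name}:{value}'")
                continue
            if net.version != int(name[2]):
                errors.append(f"wrong address family in '{name}:{value}'")
    return all_result, errors

# Constructed sample records (documentation address ranges, not real policies).
SAMPLES = {
    "enforcing": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "softfail": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
    "broken": "v=spf1 ip4: ip4:203.0.113.0/24 -all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, lint_spf(record))
```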
