broken ISP in china

G.W. Haywood bind at jubileegroup.co.uk
Tue Feb 19 11:32:18 UTC 2013


Hi there,

On Mon, 18 Feb 2013, Vernon Schryver wrote:

> ...

> Recently I moved this domain (lcrcomputer.net) to a registrar that 
> supports DNSSEC and inserted the DS record for this domain.  I checked 
> DNSSEC via http://dnsviz.net and 
> http://dnssec-debugger.verisignlabs.com.  Both show DNSSEC is working 
> just fine for lcrcomputer.net.
> 
> However, shortly after that one of my customers stopped receiving email 
> from one of their clients in China.  They just brought that to my 
> attention and I tried to email the client in China and got this back:
> 
> For <robin at xxxxx.com.cn>, Site 
> (xxxxx.com.cn/<ipv4 address>) said: 559 sorry , your helo/ehlo and 
> domain in mail are invalid, you don't connect from there. (#5.5.9)

This looks like an SPF issue.  It isn't possible to say for sure as
you've removed the information that's needed.

Your SPF record needs to be fixed anyway.  Remove at least "mx" and
"ptr" and preferably "a" as well so that there are no unnecessary DNS
lookups when your SPF record is checked.  Ideally a recipient server
needs only to know that the IP of the mail server sending the mail is
permitted to send mail on behalf of the domain to which the sending
server claims to belong.  This is a very efficient means of detecting
mail forgery -- if only it is used correctly.

On Mon, 18 Feb 2013, Vernon Schryver wrote:

> I've not tried p=none, but recent experiments with
>           300  TXT  "v=spf1 mx -all"

Don't use 'mx' in SPF records.

I do have experience of having a domain name used in forged mail, and I
can guarantee that you don't want the same experience.  Other than that
I'll avoid being drawn into an off-topic debate on the value of SPF.

--

73,
Ged.
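
Added example (not part of the original message): a small Python audit of the advice above, listing which terms of an SPF record force the receiving server to make extra DNS queries. The sample records and the helper name audit_spf are constructed for illustration; the set of lookup terms and the limit of 10 follow RFC 7208.

```python
import re

# Terms that make the checking server issue further DNS queries
# (RFC 7208 section 4.6.4); ip4, ip6 and all need none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit per SPF evaluation

def audit_spf(record):
    """Classify the terms of one SPF TXT string (hypothetical helper)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    lookups, static, notes = [], [], []
    for term in terms[1:]:
        # Drop the qualifier, then take the name before ':', '/' or '='.
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups.append(name)
        elif name in ("ip4", "ip6"):
            static.append(term)
    if "ptr" in lookups:
        notes.append("ptr: RFC 7208 says it should not be published")
    if "mx" in lookups:
        notes.append("mx: costs an MX query plus address queries per exchanger")
    if len(lookups) > MAX_LOOKUPS:
        notes.append("more than 10 lookup terms: evaluation can end in permerror")
    return {"lookups": lookups, "static": static, "notes": notes}

# Constructed sample records (192.0.2.0/24 is a documentation range).
SAMPLES = [
    "v=spf1 a mx ptr ip4:192.0.2.25 ~all",
    "v=spf1 mx -all",
    "v=spf1 ip4:192.0.2.25 -all",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        result = audit_spf(rec)
        print(rec)
        print("  DNS-lookup terms:", result["lookups"] or "none")
        for note in result["notes"]:
            print("  note:", note)
```

The count covers only the terms in the record itself; any include or redirect target brings its own lookups on top.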



