configuration error in lists.isc.org
Reindl Harald
h.reindl at thelounge.net
Mon Aug 10 22:12:01 UTC 2015
truncated the long, hard to understand and unrelated stuff....
Am 10.08.2015 um 23:49 schrieb Lawrence K. Chen, P.Eng.:
>> that above is pure nonsense - your DOMAIN has either a strict SPF
>> policy -
>> or a testing policy ~ and no mix of both
>>
>> ~ means "testing, please don't reject if it don't pass" and *nothing*
>> with
>> good or bad IP's - from the moment on you have a ~ you don't enforce
>> SPF for
>> *anybody* - bad enough that this topic appeared at all but much more bad
>> that so many people setup SPF without understand it
>>
> Except there are people that feel a strict black and white policy is too
> limiting.
well, when you can't say from where you send mail you should refrain
from setup SPF at all
> Especially when the IPs are a shared resource of the service provider
> where this little to stop another customer from pretending to be us
> (just as there was nothing for us to pretend to be
the shared ressource don't enforce SMTP authentication?
> .... or permit a
> visiting research to continue to send with his email address but through
> our servers....)
this has *nothing* to do with *your* SPF policy
your SPF record has nothing to do with foreign envelope-senders just
because it says "these are allowed servers for my envelope domain" and
nothing else
> When suddenly they setup an SPF and rejected mail from us, with lots of
> angry messages and calls that its my job to fix it so it'll work again.
in that case it has to be ruled out if you made a mistake by not include
all your sending servers in your SPF
> As the apparently lots of different universities have been originating
> mail this way for years and years. And, they need to continue to do so,
> as the application can't do any authentication for sending....(since it
> had always worked....)
that's a lame excuse and finally means "don't setup SPF/DMARC at all if
you have no clue who is sending from where with what enevlopes"
"since it has always worked" is a bad attitude - you enforce policies or
just don't touch them at all
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150811/d5e1ffd6/attachment.bin>
More information about the bind-users
mailing list