On Tuesday 02 March 2004 09:44 am, Bruno Wolff III wrote:
> On Tue, Mar 02, 2004 at 09:15:55 -0800,
> "Jonathan M. Gardner" <jgardner@jonathangardner.net> wrote:
> > Is there any reason not to publish SPF records for postgresql.org? Do
> > we have control over the TXT records, and does anyone know which
> > servers are authorized to send mail for postgresql.org? How do we
> > handle mail forwarding for those who own an @postgresql.org email
> > address?
>
> If you do this be sure to warn all of the list users, since this will
> break forwarding for people on the lists if the server they forward to
> checks SPF info.

This is the line I am getting in my mail logs for SPF checking on the
postgresql mailing list messages:

Milter add: header: Received-SPF: none (dervish.jonathangardner.net: domain
of pgsql-hackers-owner+m50598=jgardner=jonathangardner.net@postgresql.org
does not designate permitted sender hosts): 1 Time(s)

We have to keep two issues separate: (1) Adding SPF records so others can
check outgoing mail, and (2) Implementing SPF on incoming mail.

We do not necessarily have to implement SPF on incoming mail. If
we do decide to do that, then we can just add a header saying that the
check failed, and forward the mail to the list anyway.

Notice that SPF only checks the envelope MAIL FROM line, or as some people
call it the SMTP from, not the header from. Modern mailing lists (like the
one postgresql uses) rewrite that as it is now, so forwarding will not
break with SPF. (Notice that it is comparing the IP address of the server I
got mail from with the domain "postgresql.org". Since there are no SPF
records for postgresql.org, it can't check yet.)

Also, we may publish an SPF record that ends in "?all" initially, which
will mean "if the email comes from anywhere else, pretend like we never
even mentioned SPF".

We then run some tests, identify servers we forgot about, and then change
that to "~all", which means softfail, or in other words "If it comes from
anywhere else, then it probably isn't valid, but it may be."

When we finally identify all of the servers that are sending postgresql
mail, and are absolutely sure, then and only then will we do "!all",
declaring that we are absolutely sure no one else should be sending valid
mail for postgresql.org.

--
Jonathan Gardner
jgardner@jonathangardner.net
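
The staged rollout described in the message above, as an added Python example that is not part of the original email: a receiver-side check limited to the ip4/ip6 and all mechanisms, keyed on the envelope MAIL FROM domain. The IP addresses and SPF records are constructed (documentation ranges, not real postgresql.org servers), the function names are hypothetical, and the stages use the standard SPF qualifier characters `?`, `~` and `-`.

```python
import ipaddress

# SPF qualifier character -> result; a term with no qualifier means "+".
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

def envelope_domain(mail_from):
    """SPF keys on the domain of the SMTP envelope MAIL FROM, not the header From."""
    return mail_from.rsplit("@", 1)[1].lower()

def check_spf(record, client_ip):
    """Evaluate a record using only ip4:/ip6: and all; None means no record."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("mechanism not handled in this sketch: " + name)
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

# Constructed sample data. 192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges, not real postgresql.org servers.
LIST_SERVER = "192.0.2.25"      # hypothetical host the domain owner listed
UNLISTED_HOST = "198.51.100.7"  # hypothetical host nobody listed
MAIL_FROM = "pgsql-hackers-owner+m50598=jgardner=jonathangardner.net@postgresql.org"
STAGES = [None,                              # today: no record published
          "v=spf1 ip4:192.0.2.0/24 ?all",    # stage 1: neutral for everyone else
          "v=spf1 ip4:192.0.2.0/24 ~all",    # stage 2: softfail
          "v=spf1 ip4:192.0.2.0/24 -all"]    # stage 3: fail

def rollout_results():
    """(result for listed host, result for unlisted host) at each stage."""
    return [(check_spf(r, LIST_SERVER), check_spf(r, UNLISTED_HOST)) for r in STAGES]

if __name__ == "__main__":
    print("checked domain:", envelope_domain(MAIL_FROM))
    for record, results in zip(STAGES, rollout_results()):
        print(record, "->", results)
```

Because the list server rewrites the envelope sender to an @postgresql.org address, the listed host passes at every stage with a record; only the result for unlisted hosts changes as the trailing qualifier is tightened.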