Mailing list SPF Failure

Anyone else getting SPF failures on all messages sent to the list?

I see them all originating from 50.31.151.76 but nanog.org’s SPF record doesn’t list that as allowed.

Let us see…

-mel beckman

"Scott Q." <qmail@top-consulting.net> writes:

> Anyone else getting SPF failures on all messages sent to the list?
>
> I see them all originating from 50.31.151.76 but nanog.org's SPF
> record doesn't list that as allowed.

I see the same. nanog.org mail is originated from
2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is
currently

"v=spf1 a include:_spf.google.com ~all"

Neither of those are Google addresses so it's a soft fail.

Bjørn

Appears there’s no SPF record at all now for nanog.org, which is not ideal…

> Appears there’s no SPF record at all now for nanog.org <http://nanog.org>, which is not ideal…

Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail. What is more important is that they re-sign with DKIM so that receivers can use that identity. SPF is for the most part belt and suspenders.

Mike

Uhm, not really. An SPF failure is really bad even though DKIM works. It might depend what they do with DMARC but even so, there’s no reason they can’t just add that IP to their SPF record.

From what I see, it’s been broken at least since May 6-7.

SPF has from day one been known to be broken with mailing lists. It's not "really bad", it's just what it is. There are other modes that SPF fails too like forwarding. Frankly I've tried to keep clear of "SPF is pointless", but it is actually pointless. It doesn't bring anything to the table that DKIM can't do better.

Mike

It appears that Michael Thomas <mike@mtcc.com> said:

> Appears there’s no SPF record at all now for nanog.org
> <http://nanog.org>, which is not ideal…
>
> Since probably 99% of the mail from NANOG is through this list, it
> hardly matters since SPF will always fail.

Sorry, but no. A mailing list puts its own envelope return address on
the message so with a reasonable SPF record, SPF will normally
succeed. (If the mail is subsequently forwarded SPF will fail, but
that's not unique to mailing lists.)

DKIM and DMARC do not get along with mailing lists, but SPF is OK, at
least as OK as SPF ever is.

tl;dr nanog needs to put back its SPF record. It'll make some systems
such as Gmail considerably more likely to accept the mail.

R's,
John

Exactly. SPF acts on the -envelope- sender. That means the one
presented in the SMTP From:<> command. For mail from nanog, that's:
nanog-bounces+address@nanog.org, regardless of what the sender's
header From address is.

The message content (including the message headers) is theoretically
not used for SPF validation. In practice, some SPF validators don't
have direct access to the SMTP session so they rely on the SMTP
session placing the envelope sender in the Return-path header.

Regards,
Bill Herrin
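An added example, not part of any poster's message: a small evaluator for a subset of SPF (RFC 7208) that reproduces the results described in the thread, namely softfail for the record Bjørn quotes and none when the record is missing, using the envelope sender domain as Bill describes. The `_spf.google.com` contents and the A record in the lookup tables are constructed stand-ins, and `check_host` / `spf_result` are names chosen for this sketch.

```python
import ipaddress

# Constructed DNS data for illustration only; not the real zone contents.
TXT = {
    "nanog.org": "v=spf1 a include:_spf.google.com ~all",  # record quoted in the thread
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",  # constructed stand-in
}
ADDR = {"nanog.org": ["192.0.2.10"]}                        # constructed A record

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, addr=ADDR):
    """Evaluate a subset of RFC 7208 (a, ip4, ip6, include, all) for one IP."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # no SPF record published
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = addr.get(arg or domain, [])
            matched = any(client == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_host(ip, arg, txt, addr) == "pass"
        else:
            continue                        # mechanism outside this subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # no mechanism matched

def spf_result(ip, mail_from, txt=TXT, addr=ADDR):
    """SPF is checked against the envelope sender's domain, not the header From."""
    return check_host(ip, mail_from.rpartition("@")[2], txt, addr)

if __name__ == "__main__":
    sender = "nanog-bounces+address@nanog.org"
    for ip in ("50.31.151.76", "2001:1838:2001:8:0:0:0:20"):
        print(ip, spf_result(ip, sender))
    print("no record:", spf_result("50.31.151.76", sender, txt={}))
```

Passing a `txt` table whose nanog.org record also lists the two sending addresses with `ip4:` and `ip6:` mechanisms turns both results into pass.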

But that wasn't the problem here, the SPF record was just gone. Oops.

I see that the SPF record is back and seems to have the correct addresses so we can now return to our previously scheduled flamage.

Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

Yes, and why is that needed? The mailing list re-signing has the same effect and then you only need one mechanism instead of two and with DKIM you get the benefit that it's signing the 822 address which can be used for user level stuff in a way that SPF is a little sus. So it makes SPF pretty irrelevant. IMO, SPF was always a stopgap since there was no guarantee that DKIM would be deployed. 20 years on, I guess I don't feel like I need to keep my trap shut about that.

If a receiving site is rejecting something solely based on the lack of a SPF record but has a valid DKIM signature, the site is broken IMO.

Mike

Mike, you do realize Google/Gmail rejects e-mails with invalid/missing SPF right?

If you want to tell them they’re broken…there’s a few guys on the list here.

I’m surprised nobody noticed for close to 10 days. I was away from work and upon coming back I saw the little discussion there was, in my Spam folder.

> Mike, you do realize Google/Gmail rejects e-mails with invalid/missing SPF right?

I was receiving the mail while NANOG had no SPF record, so no? Any receiver would be really stupid to take a single signal as disqualifying.

Mike

I think a lot of us have nanog whitelisted or otherwise special cased.

Also, it's been pumping out list mail for decades and I expect has a close to zero complaint rate so even without the SPF the IPs it sends from have a good reputation.

> I’m surprised nobody noticed for close to 10 days.

Probably because it wasn’t 10 days.

> I think a lot of us have nanog whitelisted or otherwise special cased.

I don't and gmail is my backend. That's trivial falsification that lack of an SPF record alone will cause gmail rejects.

Mike

For small-scale senders, it's either or both. For large-scale senders
(5000+ per day) it's both.

At least according to this:

Regards, K.

Same, this address for me is also gmail.

This is what Gmail shows me from earlier today, when the SPF record was not present:

Message ID <bff409fd0177c9caf1461e243969163a@polarismail–com.w.emailarray.com>
Created at: Thu, May 16, 2024 at 11:59 AM (Delivered after 77 seconds)

I think some may have missed these announcements:

Regards,

Hank