Mailing list SPF Failure
Anyone else getting SPF failures on all messages sent to the list ? I see them all originating from 50.31.151.76 but nanog.org's SPF record doesn't list that as allowed.
Let us see… -mel beckman
On May 15, 2024, at 7:47 PM, Scott Q. <qmail@top-consulting.net> wrote:
Anyone else getting SPF failures on all messages sent to the list ?
I see them all originating from 50.31.151.76 but nanog.org's SPF record doesn't list that as allowed.
"Scott Q." <qmail@top-consulting.net> writes:
Anyone else getting SPF failures on all messages sent to the list ?
I see them all originating from 50.31.151.76 but nanog.org's SPF record doesn't list that as allowed.
I see the same. nanog.org mail is originated from 2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is currently
"v=spf1 a include:_spf.google.com ~all"
Neither of those are Google addresses so it's a soft fail.
Bjørn
Appears there’s no SPF record at all now for nanog.org, which is not ideal…
Kind regards, Peter Potvin
On Thu, May 16, 2024 at 02:59 Bjørn Mork <bjorn@mork.no> wrote:
"Scott Q." <qmail@top-consulting.net> writes:
Anyone else getting SPF failures on all messages sent to the list ?
I see them all originating from 50.31.151.76 but nanog.org's SPF record doesn't list that as allowed.
I see the same. nanog.org mail is originated from 2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is currently
"v=spf1 a include:_spf.google.com ~all"
Neither of those are Google addresses so it's a soft fail.
Bjørn
On 5/16/24 8:11 AM, Peter Potvin via NANOG wrote:
Appears there’s no SPF record at all now for nanog.org, which is not ideal…
Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail. What is more important is that they resign with DKIM so that receivers can use that identity. SPF is for the most part belt and suspenders. Mike
Kind regards, Peter Potvin
On Thu, May 16, 2024 at 02:59 Bjørn Mork <bjorn@mork.no> wrote:
"Scott Q." <qmail@top-consulting.net> writes:
Anyone else getting SPF failures on all messages sent to the list ?
I see them all originating from 50.31.151.76 but nanog.org's SPF record doesn't list that as allowed.
I see the same. nanog.org mail is originated from 2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is currently
"v=spf1 a include:_spf.google.com ~all"
Neither of those are Google addresses so it's a soft fail.
Bjørn
Uhm, not really. An SPF failure is really bad even though DKIM works. It might depend what they do with DMARC but even so, there's no reason they can't just add that IP to their SPF record.
From what I see, it's been broken at least since May 6-7.
On Thursday, 16/05/2024 at 11:37 Michael Thomas wrote:
On 5/16/24 8:11 AM, Peter Potvin via NANOG wrote:
Appears there’s no SPF record at all now for nanog.org, which is not ideal…
Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail. What is more important is that they resign with DKIM so that receivers can use that identity. SPF is for the most part belt and suspenders.
Mike
Kind regards, Peter Potvin
On Thu, May 16, 2024 at 02:59 Bjørn Mork wrote:
"Scott Q." writes:
Anyone else getting SPF failures on all messages sent to the list ?
I see them all originating from 50.31.151.76 but nanog.org's SPF record doesn't list that as allowed.
I see the same. nanog.org mail is originated from 2001:1838:2001:8:0:0:0:20 or 50.31.151.76, and the SPF record is currently
"v=spf1 a include:_spf.google.com ~all"
Neither of those are Google addresses so it's a soft fail.
Bjørn
On 5/16/24 8:59 AM, Scott Q. wrote:
Uhm, not really. An SPF failure is really bad even though DKIM works. It might depend what they do with DMARC but even so, there's no reason they can't just add that IP to their SPF record.
SPF has from day one been known to be broken with mailing lists. It's not "really bad", it's just what it is. There are other modes that SPF fails too like forwarding. Frankly I've tried to keep clear of "SPF is pointless", but it is actually pointless. It doesn't bring anything to the table that DKIM can't do better. Mike
It appears that Michael Thomas <mike@mtcc.com> said:
On 5/16/24 8:11 AM, Peter Potvin via NANOG wrote:
Appears there’s no SPF record at all now for nanog.org, which is not ideal…
Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail.
Sorry, but no. A mailing list puts its own envelope return address on the message so with a reasonable SPF record, SPF will normally succeed. (If the mail is subsequently forwarded SPF will fail, but that's not unique to mailing lists.) DKIM and DMARC do not get along with mailing lists, but SPF is OK, at least as OK as SPF ever is. tl;dr nanog needs to put back its SPF record. It'll make some systems such as Gmail considerably more likely to accept the mail. R's, John
On Thu, May 16, 2024 at 12:03 PM John Levine <johnl@iecc.com> wrote:
It appears that Michael Thomas <mike@mtcc.com> said:
Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail.
Sorry, but no. A mailing list puts its own envelope return address on the message so with a reasonable SPF record, SPF will normally succeed.
Exactly. SPF acts on the -envelope- sender. That means the one presented in the SMTP From:<> command. For mail from nanog, that's: nanog-bounces+address@nanog.org, regardless of what the sender's header From address is. The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
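The SPF outcomes reported in this thread, as an added example that is not part of any list member's message: a simplified check_host run against the envelope sender's domain for the two list addresses, with the record as quoted, with no record, and with a repaired record. The DNS contents (the `a` address, the `_spf.google.com` range, the repaired record text and the header From address) are constructed placeholders, and only the `all`, `a`, `ip4`, `ip6` and `include` mechanisms are handled.

```python
import ipaddress

# Values quoted in the thread.
LIST_IPS = ["50.31.151.76", "2001:1838:2001:8:0:0:0:20"]
RECORD_QUOTED = "v=spf1 a include:_spf.google.com ~all"
ENVELOPE_FROM = "nanog-bounces+address@nanog.org"
# Hypothetical repaired record: the thread never shows the real one.
RECORD_REPAIRED = "v=spf1 ip4:50.31.151.76 ip6:2001:1838:2001:8::20 ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def make_dns(nanog_txt):
    """Constructed stand-in for DNS; addresses are documentation ranges."""
    txt = {"_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all"}  # constructed
    if nanog_txt is not None:
        txt["nanog.org"] = nanog_txt
    return {"txt": txt, "addr": {"nanog.org": ["198.51.100.10"]}}  # constructed


def check_host(ip, domain, dns, depth=0):
    """Simplified RFC 7208 check_host: only all, a, ip4, ip6 and include."""
    record = dns["txt"].get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    if depth > 10:  # include-loop guard (the RFC counts DNS lookups instead)
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = dns["addr"].get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            inner = check_host(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            continue  # modifiers and other mechanisms are skipped in this sketch
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def spf_for_message(client_ip, mail_from, header_from, dns):
    """SPF keys on the envelope sender's domain; header_from is never read."""
    return check_host(client_ip, mail_from.rsplit("@", 1)[1], dns)


def thread_timeline(header_from="poster@example.net"):  # constructed author
    states = {"quoted": RECORD_QUOTED, "missing": None,
              "repaired": RECORD_REPAIRED}
    return {label: [spf_for_message(ip, ENVELOPE_FROM, header_from,
                                    make_dns(txt)) for ip in LIST_IPS]
            for label, txt in states.items()}


if __name__ == "__main__":
    for label, results in thread_timeline().items():
        print(f"{label:9s}", dict(zip(LIST_IPS, results)))
```

The "missing" row corresponds to the `SPF: NONE` results and the "repaired" row to the `SPF: PASS` results that a later message in the thread reports from Gmail.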
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
But that wasn't the problem here, the SPF record was just gone. Oops.
I see that the SPF record is back and seems to have the correct addresses so we can now return to our previously scheduled flamage.
Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
I'm surprised nobody noticed for close to 10 days. I was away from work and upon coming back I saw the little discussion there was, in my Spam folder.
On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
But that wasn't the problem here, the SPF record was just gone. Oops.
I see that the SPF record is back and seems to have the correct addresses so we can now return to our previously scheduled flamage.
Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
I think a lot of us have nanog whitelisted or otherwise special cased. Also, it's been pumping out list mail for decades and I expect has a close to zero complaint rate so even without the SPF the IPs it sends from have a good reputation.
On Thu, 16 May 2024, Scott Q. wrote:
I'm surprised nobody noticed for close to 10 days. I was away from work and upon coming back I saw the little discussion there was , in my Spam folder.
On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
But that wasn't the problem here, the SPF record was just gone. Oops.
I see that the SPF record is back and seems to have the correct addresses so we can now return to our previously scheduled flamage.
On 5/16/24 7:36 PM, John R. Levine wrote:
I think a lot of us have nanog whitelisted or otherwise special cased.
I don't and gmail is my backend. That's trivial falsification that lack of an SPF record alone will cause gmail rejects.
Mike
Also, it's been pumping out list mail for decades and I expect has a close to zero complaint rate so even without the SPF the IPs it sends from have a good reputation.
On Thu, 16 May 2024, Scott Q. wrote:
I'm surprised nobody noticed for close to 10 days. I was away from work and upon coming back I saw the little discussion there was , in my Spam folder.
On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
But that wasn't the problem here, the SPF record was just gone. Oops.
I see that the SPF record is back and seems to have the correct addresses so we can now return to our previously scheduled flamage.
Same, this address for me is also gmail.
This is what Gmail shows me from earlier today, when the SPF record was not present:
Message ID <bff409fd0177c9caf1461e243969163a@polarismail--com.w.emailarray.com>
Created at: Thu, May 16, 2024 at 11:59 AM (Delivered after 77 seconds)
From: "Scott Q." <qmail@top-consulting.net> Using Group-Office
To: Michael Thomas <mike@mtcc.com>, nanog@nanog.org
Subject: Re: Mailing list SPF Failure
SPF: NONE with IP 50.31.151.76 Learn more
Message ID <74b33cf0-b7c4-46ac-8154-1cfca082eff4@mtcc.com>
Created at: Thu, May 16, 2024 at 2:13 PM (Delivered after 85 seconds)
From: Michael Thomas <mike@mtcc.com>
To: "Scott Q." <qmail@top-consulting.net>, nanog@nanog.org
Subject: Re: Mailing list SPF Failure
SPF: NONE with IP 50.31.151.76 Learn more
DKIM: 'PASS' with domain mtcc.com Learn more
Message ID <20240516190341.BEB6F8B534F1@ary.qy>
Created at: Thu, May 16, 2024 at 3:03 PM (Delivered after 79 seconds)
From: John Levine <johnl@iecc.com>
To: nanog@nanog.org
Subject: Re: Mailing list SPF Failure
SPF: NONE with IP 2001:1838:2001:8:0:0:0:20 Learn more
DKIM: 'FAIL' with domain iecc.com Learn more
DMARC: 'FAIL' Learn more
All 3 of these messages were delivered to my inbox as normal. The messages from Scott and John provided warnings when hovering over the icon that the user was not authenticated.
After the SPF record was fixed:
Message ID <de75db23-c166-095c-a2ad-2f3a7e613409@iecc.com>
Created at: Thu, May 16, 2024 at 10:36 PM (Delivered after 68 seconds)
From: "John R. Levine" <johnl@iecc.com>
To: "Scott Q." <qmail@top-consulting.net>
Subject: Re: Mailing list SPF Failure
SPF: PASS with IP 50.31.151.76 Learn more
DKIM: 'PASS' with domain iecc.com Learn more
DMARC: 'PASS' Learn more
Message ID <e47a1819deae8e7c8f592ab653c424d5@polarismail--com.w.emailarray.com>
Created at: Thu, May 16, 2024 at 10:23 PM (Delivered after 180 seconds)
From: "Scott Q." <qmail@top-consulting.net> Using Group-Office
To: "John R. Levine" <johnl@iecc.com>, William Herrin <bill@herrin.us>
Subject: Re: Mailing list SPF Failure
SPF: PASS with IP 50.31.151.76 Learn more
The warnings were not present on these messages.
Google's support page if you click on those warnings is here: https://support.google.com/mail/answer/180707
Where it states the following:
Check if a message is authenticated
Important: Messages that aren't authenticated aren't necessarily spam. Sometimes authentication doesn't work for real organizations who send mail to big groups, like messages sent to mailing lists.
On Thu, May 16, 2024 at 10:46 PM Michael Thomas <mike@mtcc.com> wrote:
On 5/16/24 7:36 PM, John R. Levine wrote:
I think a lot of us have nanog whitelisted or otherwise special cased.
I don't and gmail is my backend. That's trivial falsification that lack of an SPF record alone will cause gmail rejects.
Mike
Also, it's been pumping out list mail for decades and I expect has a close to zero complaint rate so even without the SPF the IPs it sends from have a good reputation.
On Thu, 16 May 2024, Scott Q. wrote:
I'm surprised nobody noticed for close to 10 days. I was away from work and upon coming back I saw the little discussion there was , in my Spam folder.
On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
But that wasn't the problem here, the SPF record was just gone. Oops.
I see that the SPF record is back and seems to have the correct addresses so we can now return to our previously scheduled flamage.
I'm surprised nobody noticed for close to 10 days.
Probably because it wasn't 10 days.
On Thu, May 16, 2024 at 10:26 PM Scott Q. <qmail@top-consulting.net> wrote:
I'm surprised nobody noticed for close to 10 days. I was away from work and upon coming back I saw the little discussion there was , in my Spam folder.
On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
But that wasn't the problem here, the SPF record was just gone. Oops.
I see that the SPF record is back and seems to have the correct addresses so we can now return to our previously scheduled flamage.
Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
On 5/16/24 3:54 PM, William Herrin wrote:
On Thu, May 16, 2024 at 12:03 PM John Levine <johnl@iecc.com> wrote:
It appears that Michael Thomas <mike@mtcc.com> said:
Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail.
Sorry, but no. A mailing list puts its own envelope return address on the message so with a reasonable SPF record, SPF will normally succeed.
Exactly. SPF acts on the -envelope- sender. That means the one presented in the SMTP From:<> command. For mail from nanog, that's: nanog-bounces+address@nanog.org, regardless of what the sender's header From address is.
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
Yes, and why is that needed? The mailing list resigning has the same effect and then you only need one mechanism instead of two and with DKIM you get the benefit that it's signing the 822 address which can be used for user level stuff in a way that SPF is a little sus. So it makes SPF pretty irrelevant. IMO, SPF was always a stopgap since there was no guarantee that DKIM would be deployed. 20 years on, I guess I don't feel like I need to keep my trap shut about that.
If a receiving site is rejecting something solely based on the lack of a SPF record but has a valid DKIM signature, the site is broken IMO.
Mike
Mike, you do realize Google/Gmail rejects e-mails with invalid/missing SPF right ? If you want to tell them they're broken...there's a few guys on the list here.
On Thursday, 16/05/2024 at 19:17 Michael Thomas wrote:
On 5/16/24 3:54 PM, William Herrin wrote:
On Thu, May 16, 2024 at 12:03 PM John Levine wrote:
It appears that Michael Thomas said:
Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail.
Sorry, but no. A mailing list puts its own envelope return address on the message so with a reasonable SPF record, SPF will normally succeed.
Exactly. SPF acts on the -envelope- sender. That means the one presented in the SMTP From: command. For mail from nanog, that's: nanog-bounces+address@nanog.org, regardless of what the sender's header From address is.
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
Yes, and why is that needed? The mailing list resigning has the same effect and then you only need one mechanism instead of two and with DKIM you get the benefit that it's signing the 822 address which can be used for user level stuff in a way that SPF is a little sus. So it makes SPF pretty irrelevant. IMO, SPF was always a stopgap since there was no guarantee that DKIM would be deployed. 20 years on, I guess I don't feel like I need to keep my trap shut about that.
If a receiving site is rejecting something solely based on the lack of a SPF record but has a valid DKIM signature, the site is broken IMO.
Mike
On 5/16/24 7:22 PM, Scott Q. wrote:
Mike, you do realize Google/Gmail rejects e-mails with invalid/missing SPF right ?
I was receiving the mail while NANOG had no SPF record, so no? Any receiver would be really stupid to take a single signal as disqualifying.
Mike
If you want to tell them they're broken...there's a few guys on the list here.
On Thursday, 16/05/2024 at 19:17 Michael Thomas wrote:
On 5/16/24 3:54 PM, William Herrin wrote:
On Thu, May 16, 2024 at 12:03 PM John Levine <johnl@iecc.com> wrote:
It appears that Michael Thomas <mike@mtcc.com> said:
Since probably 99% of the mail from NANOG is through this list, it hardly matters since SPF will always fail.
Sorry, but no. A mailing list puts its own envelope return address on the message so with a reasonable SPF record, SPF will normally succeed.
Exactly. SPF acts on the -envelope- sender. That means the one presented in the SMTP From:<> command. For mail from nanog, that's: nanog-bounces+address@nanog.org, regardless of what the sender's header From address is.
The message content (including the message headers) is theoretically not used for SPF validation. In practice, some SPF validators don't have direct access to the SMTP session so they rely on the SMTP session placing the envelope sender in the Return-path header.
Yes, and why is that needed? The mailing list resigning has the same effect and then you only need one mechanism instead of two and with DKIM you get the benefit that it's signing the 822 address which can be used for user level stuff in a way that SPF is a little sus. So it makes SPF pretty irrelevant. IMO, SPF was always a stopgap since there was no guarantee that DKIM would be deployed. 20 years on, I guess I don't feel like I need to keep my trap shut about that.
If a receiving site is rejecting something solely based on the lack of a SPF record but has a valid DKIM signature, the site is broken IMO.
Mike
On Thu, 2024-05-16 at 19:27 -0700, Michael Thomas wrote:
On 5/16/24 7:22 PM, Scott Q. wrote:
Mike, you do realize Google/Gmail rejects e-mails with invalid/missing SPF right ?
I was receiving the mail while NANOG had no SPF record, so no? Any receiver would be really stupid to take a single signal as disqualifying.
For small-scale senders, it's either or both. For large-scale senders (5000+ per day) it's both.
At least according to this: https://support.google.com/a/answer/81126
Regards, K.
--
Karl Auer (kauer@biplane.com.au, he/him)
http://www.biplane.com.au/kauer
On 17/05/2024 5:45, Karl Auer wrote:
On Thu, 2024-05-16 at 19:27 -0700, Michael Thomas wrote:
On 5/16/24 7:22 PM, Scott Q. wrote:
Mike, you do realize Google/Gmail rejects e-mails with invalid/missing SPF right ?
I was receiving the mail while NANOG had no SPF record, so no? Any receiver would be really stupid to take a single signal as disqualifying.
For small-scale senders, it's either or both. For large-scale senders (5000+ per day) it's both.
At least according to this:
I think some may have missed these announcements:
https://labs.ripe.net/author/fergalc/enhancing-email-delivery-at-the-ripe-nc...
https://blog.google/products/gmail/gmail-security-authentication-spam-protec...
Regards, Hank
On Fri, 2024-05-17 at 08:13 +0300, Hank Nussbacher wrote:
On 17/05/2024 5:45, Karl Auer wrote:
I think some may have missed these announcements:
https://labs.ripe.net/author/fergalc/enhancing-email-delivery-at-the-ripe-nc...
https://blog.google/products/gmail/gmail-security-authentication-spam-protec...
The first of your links points to a page containing a link to the second. The second of your links points to a page containing the link I gave, with link text "clear guidance".
Regards, K.
--
Karl Auer (kauer@biplane.com.au, he/him)
http://www.biplane.com.au/kauer
participants (11)
- Bjørn Mork
- Hank Nussbacher
- John Levine
- John R. Levine
- Karl Auer
- Mel Beckman
- Michael Thomas
- Peter Potvin
- Scott Q.
- Tom Beecher
- William Herrin