undefined | Better HN

0 pointsJdeBP7y ago0 comments

The same has been pointed out about Web browsers using SRV DNS lookups to find servers.

* https://news.ycombinator.com/item?id=17395600

SPF, of course, should be used everywhere so that we reach the point of complete balkanization and collapse, and people realize that we can (and in fact in some ways already have) switch wholesale to different systems, faster. (-:

* http://jdebp.eu./FGA/smtp-spf-is-harmful.html

* https://news.ycombinator.com/item?id=10405864

0 comments

cm21877y ago

Not that I think that SPF is the ultimate solution (it is merely a thin layer of lipstick on the pig) but I don't agree with many of the assertion of your "spf is harmful" link.

- pre-delivery forwarding servers just need to be added to spf. If you use random third party smtp relays, then this is precisely what spf is trying to avoid.

- the way internal servers implement aliases is their problem, there is not necessarily a need to go through an smtp relay (my mail server doesn't)

- failover mail servers should check spf on incoming email and then have a trusted relationship with the primary server so that spf isn't enforced when the failover delivers to the primary (that's the way my mail server works)

- spf uses DNS. So what?

- ISP lock-in. If you control the domain/DNS entries, there is no lock in. If you don't, then you are already locked in anyway.

- doesn't allow dynamic IPs. I'd argue that 1) it is a good thing 2) it's not really the case, you can specify a domain in spf, and this domain can be a dyndns style domain with a short lived TTL resolving to your current dynamic ip. And in theory you could also dynamically update your spf as your ip changes with a short TTL (like a dyndns-style entry).

[edit] and actually what is going to kill you with a dynamic IP is not so much spf than the fact that the reverse dns of that IP won't resolve to your domain which is a big spam red flag for most smtp servers.

kilburn7y ago

> pre-delivery forwarding servers just need to be added to spf. If you use random third party smtp relays, then this is precisely what spf is trying to avoid.

The huge problem here is "forward all e-mail I receive to my gmail account" or similar. If you do that pre-delivery, you break SPF. If you do it post-delivery, gmail makes you responsible for any junk that gets through. If you make your filters harsher, the user complaints some e-mails are lost. What is your solution to this problem?

> the way internal servers implement aliases is their problem, there is not necessarily a need to go through an smtp relay (my mail server doesn't)

Now you send an e-mail to contact@yourbank.tld and the message is rejected because of your SPF policy and their usage of internal relays. You can (a) fight the corporate shitshow to get someone to fix the bank's relay; or (b) relax your SPF policy. You may be willing to pursue (a), but a company that sells e-mail services to thousands of clients just cannot enter those fights and still be economically viable.

Don't get me wrong. I use SPF (DMARC actually) on my personal server and it actually helps (as a low volume sender), but the moderate volume senders' problems are different from those of personal e-mail servers, and SPF works much worse there.

cm21877y ago

> gmail makes you responsible for any junk that gets through

I'd argue this is the fair and correct behavior. Effectively you created a kind of open relay server. Since you accept external traffic, you should be filtering for spam there.

> the message is rejected because of your SPF policy and their usage of internal relays

I'd assume that if it is an internal relay server, then it shouldn't be checking for spf internally. Only the server receiving incoming external traffic should check spf. Sounds like a misconfiguration.

2 more replies

j / k navigate · click thread line to collapse

0 comments

cm21877y ago

Not that I think that SPF is the ultimate solution (it is merely a thin layer of lipstick on the pig) but I don't agree with many of the assertion of your "spf is harmful" link.

- pre-delivery forwarding servers just need to be added to spf. If you use random third party smtp relays, then this is precisely what spf is trying to avoid.

- the way internal servers implement aliases is their problem, there is not necessarily a need to go through an smtp relay (my mail server doesn't)

- spf uses DNS. So what?

- ISP lock-in. If you control the domain/DNS entries, there is no lock in. If you don't, then you are already locked in anyway.

kilburn7y ago

> pre-delivery forwarding servers just need to be added to spf. If you use random third party smtp relays, then this is precisely what spf is trying to avoid.

> the way internal servers implement aliases is their problem, there is not necessarily a need to go through an smtp relay (my mail server doesn't)

cm21877y ago

> gmail makes you responsible for any junk that gets through

I'd argue this is the fair and correct behavior. Effectively you created a kind of open relay server. Since you accept external traffic, you should be filtering for spam there.

> the message is rejected because of your SPF policy and their usage of internal relays

2 more replies

j / k navigate · click thread line to collapse