View Issue Details

IDProjectCategoryView StatusLast Update
0000492Community.cacert.orgmiscpublic2009-06-13 11:47
ReporterDaniel Black Assigned To 
Status closedResolutionfixed 
Summary0000492: SPF DNS record removal
DescriptionAs per off list discussions the SPF record contains "all" which is a strongly discouraged option in the RFC.

Changing to -all at the moment would be harmful.

Recommend removing the SPF record until we have a configuration that is ready for it.

Though not actually harmful it does look a little unprofessional at the moment.
Additional Information$ dig -t txt 3600 IN TXT "v=spf1 a mx all"
TagsNo tags attached.


Daniel Black

2008-04-05 02:09

developer   ~0001058

Last edited: 2008-04-05 03:46

close as we're so close to being able to deploy a proper record.
required steps:
finish deployment of
account for other senders of - (websites)


2008-04-24 11:59

reporter   ~0001068

I would prefer this were changed to '-all' which would return 'neutral' rather than 'softfail', thus allowing me to use addresses with other systems (specifically Google Apps for, along with my tens of other addresses) but still getting the benefit of 'pass'ing our official MTAs.


2008-04-24 16:31

developer   ~0001072

Currently, SPF is more of an annoyance than any help. I would simply drop TXT records and live well without it. It does not provide any extra security for us.


2008-04-24 19:22

reporter   ~0001073

Evaldo, I'm not sure I follow how it's more of an annoyance... by 'pass'ing known good mail and being 'neutral' on everything else I'd argue that we're doing more good than harm (our messages ought to be less likely to be marked as spam as a result). I'm not feeling all that religious about it though so do as you please.

Daniel Black

2008-04-30 10:04

developer   ~0001074

Ref:(0001068) samj
An outgoing SMTP gateway was provided for this purpose. Email clients support this well. Maybe this should be something google mail should support.

note: neutral ?all, softfail ~all, (hard) fail -all
note 2: I'd like to see a privacy policy for its use with google mail too

Ref: (0001072) evaldo
By deploying SPF checking on another email gateway on a government department I reduced the blocked 20-25% of emails for domains that had deployed a fail '-all' with no reports of falsely blocked email in over 12 months. Because of this I'd argue that it is hardly an annoyance compared the additional forged emails.

the TXT record is a religious arguement that I would answer somewhat like
TXT records were introduced by the IETF. noone used them because its useless having a human readable stuff in a machine used protocol (DNS). SPF came along and gave this a little meaning. 12.6% of Internet domains now use them in this way (DNS Measurement factory 2007 report). DKIM now use it for public keys. TXT now has a purpose because implementing new DNS types in DNS servers/caches is too hard.

"Security" is for the end user who isn't doesn't receive a spoofed email from the domain. Benefit to CAcert is that I don't have to answer the question did cacert really send email XYZ. (I get enough support emails related to Tunix as it is thankyou)

Evaldo, do you have logical reason not to deploy -all eventually beyond "its my internet and I'll use it like I always have?"

PS: SPF is an antiforgery NOT antispam. I get pissed off with people claiming to be knowledgeable in SPF calling it an ineffective antispam mechanism (hammers' don't cut wood well either).

Daniel Black

2009-06-13 11:47

developer   ~0001441

removed - we have a dkim record now at least.

Issue History

Date Modified Username Field Change
2008-02-17 05:35 Daniel Black New Issue
2008-04-05 02:09 Daniel Black Note Added: 0001058
2008-04-05 03:46 Daniel Black Note Edited: 0001058
2008-04-24 11:59 samj Note Added: 0001068
2008-04-24 16:31 evaldo Note Added: 0001072
2008-04-24 19:22 samj Note Added: 0001073
2008-04-30 10:04 Daniel Black Note Added: 0001074
2009-06-05 12:50 Daniel Black Project Main CAcert Website =>
2009-06-13 11:47 Daniel Black Note Added: 0001441
2009-06-13 11:47 Daniel Black Status new => closed
2009-06-13 11:47 Daniel Black Resolution open => fixed