View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000492||Community.cacert.org||misc||public||2008-02-17 05:35||2009-06-13 11:47|
|Reporter||Daniel Black||Assigned To|
|Summary||0000492: cacert.org SPF DNS record removal|
|Description||As per off list discussions the cacert.org SPF record contains "all" which is a strongly discouraged option in the RFC.|
Changing to -all at the moment would be harmful.
Recommend removing the SPF record until we have a configuration that is ready for it.
Though not actually harmful, it does look a little unprofessional at the moment.
|Additional Information||$ dig -t txt cacert.org|
cacert.org. 3600 IN TXT "v=spf1 a mx all"
|Tags||No tags attached.|
close as we're so close to being able to deploy a proper record.
finish deployment of community.cacert.org
account for other senders of @cacert.org - (websites)
||I would prefer this were changed to '-all' which would return 'neutral' rather than 'softfail', thus allowing me to use @cacert.org addresses with other systems (specifically Google Apps for samj.net, along with my tens of other addresses) but still getting the benefit of 'pass'ing our official MTAs.|
||Currently, SPF is more of an annoyance than any help. I would simply drop TXT records and live well without it. It does not provide any extra security for us.|
||Evaldo, I'm not sure I follow how it's more of an annoyance... by 'pass'ing known good mail and being 'neutral' on everything else I'd argue that we're doing more good than harm (our messages ought to be less likely to be marked as spam as a result). I'm not feeling all that religious about it though so do as you please.|
An outgoing SMTP gateway was provided for this purpose. Email clients support this well. Maybe this should be something google mail should support.
note: neutral ?all, softfail ~all, (hard) fail -all
Ref: (0001072) evaldo
By deploying SPF checking on another email gateway at a government department, I blocked 20-25% of emails for domains that had deployed a fail '-all', with no reports of falsely blocked email in over 12 months. Because of this I'd argue that it is hardly an annoyance compared to the additional forged emails.
The TXT record is a religious argument that I would answer somewhat like this:
TXT records were introduced by the IETF. No one used them because it's useless having human-readable stuff in a machine-used protocol (DNS). SPF came along and gave this a little meaning. 12.6% of Internet domains now use them in this way (DNS Measurement Factory 2007 report). DKIM now uses it for public keys. TXT now has a purpose because implementing new DNS types in DNS servers/caches is too hard.
"Security" is for the end user who doesn't receive a spoofed email from the cacert.org domain. The benefit to CAcert is that I don't have to answer the question "did CAcert really send email XYZ?" (I get enough support emails related to Tunix as it is, thank you.)
Evaldo, do you have a logical reason not to deploy -all eventually beyond "it's my internet and I'll use it like I always have"?
PS: SPF is anti-forgery, NOT anti-spam. I get pissed off with people claiming to be knowledgeable about SPF calling it an ineffective anti-spam mechanism (hammers don't cut wood well either).
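The qualifier table in the note above (?all neutral, ~all softfail, -all fail) and the "v=spf1 a mx all" record quoted in the report, worked through as an added example. This is not code from the bug report or from CAcert's mail setup; it is a deliberately minimal SPF evaluator that handles only the a, mx, ip4/ip6 and all mechanisms (no include, redirect, CIDR suffixes on a/mx, or DNS lookup limits) and resolves names against a constructed in-memory table using documentation-range addresses instead of real DNS. The key point it demonstrates: under RFC 4408 a mechanism with no qualifier defaults to "+", so a bare "all" is "+all" and every sender on the Internet gets "pass", which is why the record in the report gives no anti-forgery benefit at all, while the same record ending in -all makes a forged sender fail and only the domain's own A and MX hosts pass.

```python
import ipaddress

# Constructed stand-in for DNS. These names and addresses are invented for
# the example (RFC 5737 documentation ranges); they are NOT cacert.org's real records.
FAKE_DNS = {
    ("cacert.org", "A"): ["192.0.2.10"],
    ("cacert.org", "MX"): ["mail.cacert.org"],
    ("mail.cacert.org", "A"): ["192.0.2.25"],
}

# SPF qualifier prefix -> result. A mechanism with no prefix defaults to "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype, dns=FAKE_DNS):
    """Return the records of the given type for name from the in-memory table."""
    return dns.get((name, rrtype), [])


def mechanism_matches(mech, sender_ip, domain, dns):
    """True if one SPF mechanism (qualifier already stripped) matches sender_ip.

    Supports: all, ip4:/ip6:<cidr>, a[:domain], mx[:domain]. Anything else raises,
    so an unsupported record is reported rather than silently mis-evaluated.
    """
    ip = ipaddress.ip_address(sender_ip)
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        target = arg or domain
        return any(ipaddress.ip_address(a) == ip for a in lookup(target, "A", dns))
    if name == "mx":
        target = arg or domain
        for mx_host in lookup(target, "MX", dns):
            if any(ipaddress.ip_address(a) == ip for a in lookup(mx_host, "A", dns)):
                return True
        return False
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Evaluate an SPF record left to right; the first matching mechanism decides.

    Returns one of pass/fail/softfail/neutral, or "none" if the record is not SPF.
    If no mechanism matches (record without a trailing all), the result is neutral.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:
            continue  # modifiers such as redirect= / exp= are not handled here
        if mechanism_matches(term, sender_ip, domain, dns):
            return QUALIFIERS[qualifier]
    return "neutral"


def compare_tails(sender_ip, domain="cacert.org", dns=FAKE_DNS):
    """Evaluate the same a/mx record with each possible trailing 'all' qualifier."""
    return {
        tail: check_spf("v=spf1 a mx " + tail, sender_ip, domain, dns)
        for tail in ("all", "?all", "~all", "-all")
    }


if __name__ == "__main__":
    forged = "198.51.100.7"  # constructed: a host that is neither an A nor an MX of the domain
    print("record as found on the page:", check_spf("v=spf1 a mx all", forged, "cacert.org"))
    for tail, result in compare_tails(forged).items():
        print("v=spf1 a mx %-4s -> forged sender %s" % (tail, result))
    print("legitimate MX host with -all:", check_spf("v=spf1 a mx -all", "192.0.2.25", "cacert.org"))
```

Running it shows that the record in the report returns "pass" for an address that is neither the A nor the MX of the domain, i.e. forged mail is explicitly endorsed; swapping the tail to -all turns that into "fail" without changing the answer for the domain's own hosts. Real deployments also need include/redirect handling, the 10-lookup limit, and care with forwarding, which this toy evaluator omits on purpose.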
||removed - we have a DKIM record now at least.|
|2008-02-17 05:35||Daniel Black||New Issue|
|2008-04-05 02:09||Daniel Black||Note Added: 0001058|
|2008-04-05 03:46||Daniel Black||Note Edited: 0001058|
|2008-04-24 11:59||samj||Note Added: 0001068|
|2008-04-24 16:31||evaldo||Note Added: 0001072|
|2008-04-24 19:22||samj||Note Added: 0001073|
|2008-04-30 10:04||Daniel Black||Note Added: 0001074|
|2009-06-05 12:50||Daniel Black||Project||Main CAcert Website => Community.cacert.org|
|2009-06-13 11:47||Daniel Black||Note Added: 0001441|
|2009-06-13 11:47||Daniel Black||Status||new => closed|
|2009-06-13 11:47||Daniel Black||Resolution||open => fixed|