[OSM-talk] Sender policy framework mail for openstreetmap.org

Matthew Newton matthew-osm at newtoncomputing.co.uk
Sun Jan 7 01:37:26 GMT 2007


Hi Nick,

On Sat, Jan 06, 2007 at 11:29:48PM +0000, Nick Hill wrote:
> I had considered this issue, but as you have raised the concern, it will be 
> worthwhile taking even more care.

OK, I just wanted to ensure that you thought about it before doing so, and it
seems you have ;-). I considered it a year or so ago for the university mail
system I administer, and came to the conclusion that it wasn't worth the risk.

Incidentally, I don't check SPF here, which is maybe a good thing (maybe SPF
checks all the received headers, but I thought it just looks at the connecting
IP?)...

nickhill.co.uk.         86400   IN      TXT     "v=spf1 a:mail.eclipse.co.uk/24 ip4:213.152.57.80/28 ip4:80.68.94.95 -all"

Received: from [82.153.254.70] (helo=mra02.ch.as12513.net)                      
        by mail.newtoncomputing.co.uk with esmtp (Exim 4.52 #1 (Debian))        
        id 1H3KzX-0000Kt-PX                                                     
        for <matthew-osm at newtoncomputing.co.uk>; Sat, 06 Jan 2007 23:30:24 +0000

mail.eclipse.co.uk.     300     IN      A       82.153.251.6

> As you mention, SPF does raise issues for people receiving forwarded mail. 
> Not just from openstreetmap, but from gmail, hotmail, pobox.com, bbc.co.uk 
> etc. All these use SPF.

...and they all (except pobox.com, which has a complicated SPF string) have
either ~all or ?all, which basically means "or accept anything from anywhere
else anyway", as far as I can tell!

> Your mail set-up will likely be broken if the MTA on your side of the 
> forwarder implements SPF and you have not told it to accept mail from your 
> forwarder.

That's an interesting idea I hadn't thought of, but I suppose only users that
receive their forwarded mail on systems that they control can do it - most users
wouldn't be able to ask their ISP "please don't check SPF for mail from server
X so that my forwarded mail can get through".

> I have found implementing SPF on my own domain immediately stopped large 
> numbers of bounced spam messages reaching my mailbox. This is good evidence 
> that SPF is now widely implemented and is potentially effective at stopping 
> spam, and that such widespread adoption will likely have led to most mail 
> systems (in terms of bulk) now being properly configured to handle SPF.

I'll have to have a look again and see if it is worth using now. Out of
interest, I wonder how mailing lists are handled now (i.e. if I publish "mx
-all" for my domain, and then send to talk, do people who check SPF not receive
my list message which came from OSM's IP?)

You've reminded me of one thing, though - any chance you (or we) could look at
implementing SpamAssassin on the lists.openstreetmap.org mailer? I've got around
200 posts waiting to be moderated from the Christmas period alone (I was away),
and I guess about 3 of them are real posts.

Righto, I'll shut up about SPF now :). I guess this can be taken off-list, too.

Thanks!

-- 
Matthew
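
Added example, not part of the original message: a minimal SPF evaluator run over the record, Received header IP and A record quoted above, showing that the check is made against the connecting IP only. It assumes the envelope sender domain was nickhill.co.uk, handles only the `ip4`, `a:host/prefix` and `all` mechanisms, and uses a constructed lookup table (`A_RECORDS`) in place of live DNS; the function names are hypothetical.

```python
import ipaddress

# A record quoted in the message; constructed table, no live DNS lookups.
A_RECORDS = {"mail.eclipse.co.uk": ["82.153.251.6"]}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech, client, a_records):
    """Return True if one mechanism (qualifier already stripped) matches client."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return client in ipaddress.ip_network(arg, strict=False)
    if name == "a" and arg:
        host, _, prefix = arg.partition("/")
        # The prefix length is applied to each address the host resolves to.
        for addr in a_records.get(host.rstrip("."), []):
            net = ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)
            if client in net:
                return True
        return False
    raise ValueError(f"mechanism not handled in this sketch: {mech}")


def check_spf(record, client_ip, a_records=A_RECORDS):
    """Evaluate an SPF record left to right against the connecting IP only."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    client = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if _matches(mech, client, a_records):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


NICKHILL = "v=spf1 a:mail.eclipse.co.uk/24 ip4:213.152.57.80/28 ip4:80.68.94.95 -all"

if __name__ == "__main__":
    # Connecting IP taken from the Received header quoted in the message.
    print(check_spf(NICKHILL, "82.153.254.70"))
    # Same record with the softer qualifier discussed in the thread.
    print(check_spf(NICKHILL.replace("-all", "~all"), "82.153.254.70"))
```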




