lists at kittypee.com
Thu Aug 16 17:22:38 MDT 2012
Yes, that SPF record is bad. It needs to include all sources of
legitimate email for your domain. Since you are using Google Apps,
you need to include Google's servers.
On Thu, Aug 16, 2012 at 5:06 PM, Merrill Oveson <moveson at gmail.com> wrote:
> On Thu, Aug 16, 2012 at 4:54 PM, John Shaver <bobjohnbob at gmail.com> wrote:
>> On Thu, Aug 16, 2012 at 4:09 PM, Merrill Oveson <moveson at gmail.com> wrote:
>>> Pretend we are xyz company. So my email is moveson at xyz.com. xyz
>>> email is hosted thru gmail.
>>> Some of our users got an email from support at xyz.com.
>>> Now our support team never send the email. It's obvious spam.
>>> The question is: If we flag the email as spam, are you flagging
>>> support at xyz.com as spam,
>>> or is gmail smart enough to know to flag the sent from ip address?
>> This is called email spoofing. If wanted to, I could send you an
>> email as bill at microsoft.com and it would come through fine. If they
>> flag it as spam, then, in most spam systems, it will affect legitimate
>> emails from the same email address.
>> The most common defense I've seen people try to use for this is SPF
>> records. You can specify SPF information in your DNS TXT records that
>> specify which servers are allowed to send out mail from your domain.
>> Unfortunately, people don't always send email out through your SMTP
>> server. When they are away from the office, they may want to send
>> mail from their home connection and their ISP may require them to send
>> out mail via their SMTP server and block ports otherwise (this is very
>> common among the big ISPs). This means that legitimate mail will be
>> flagged due to SPF records. I see very few large companies using
>> solid SPF records on their domain for this reason. Most are just set
>> to flag, but not deny mail from other servers.
>> The other issue is that many mail servers do not even check SPF
>> records and aren't required to, although I think most do.
>>> It drives me crazy that gmail doesn't show the full headers.
>> Even if you showed full headers, it would be very difficult to know
>> who the mail actually came from and if it was legitamate if you don't
>> know how to read email headers and see what servers we can confirm
>> they went to (gmails servers only know which server handed them the
>> mail, any other relays could be faked in the headers).
>> More info on email spoofing:
>> and Sender Policy Framework:
>> -John Shaver
>> PLUG: http://plug.org, #utah on irc.freenode.net
>> Unsubscribe: http://plug.org/mailman/options/plug
>> Don't fear the penguin.
> Thanks for the responses...
> Yeah, I have an spf1 record in my DNS for our domain.
> I guess gmail didn't bother to read it, or it's set up wrong. ?
> ie.: v=spf1 a mx ?all
> Or does gmail require a special spf1 record setup in their DNS?
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
More information about the PLUG