On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green jgreen@wikimedia.org wrote:

I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.

The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.

Technical details are below for anyone interested . . .

Thanks, jg

Jeff Green Operations Engineer, Special Projects Wikimedia Foundation 149 New Montgomery Street, 3rd Floor San Francisco, CA 94105 jgreen@wikimedia.org

. . . . . . .

SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework

The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:

wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"

The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.

Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.

I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.

Please bug me with any questions/comments!