On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green <jgreen(a)wikimedia.org>
wrote:
I'm planning to deploy Sender Policy Framework
(SPF) for the
wikimedia.org domain on Weds October 5. SPF is a framework for
validating outgoing mail, which gives the receiving side useful
information for spam filtering. The main goal is to cause spoofed
@wikimedia.org mail to be correctly identified as such. It should also
improve our odds of getting fundraiser mailings into inboxes rather than
spam folders.
The change should not be noticeable, but the most likely problem would
be legitimate @wikimedia.org mail being treated as spam. If you hear of
this happening please let me know.
Technical details are below for anyone interested . . .
Thanks,
jg
Jeff Green
Operations Engineer, Special Projects
Wikimedia Foundation
149 New Montgomery Street, 3rd Floor
San Francisco, CA 94105
jgreen(a)wikimedia.org
. . . . . . .
SPF overview
http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to
the
wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22
ip6:2620:0:860::/46
include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf
subnets, google apps, and the fundraiser mailhouse). The "?all" is a
"neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka
SoftFail,
which tells the receiving side that only mail coming from the listed
subnets is valid. Most ISPs will route 'other' mail to a spam folder
based on SoftFail.
I was under the impression that ~all softfail is not an assertion that
something is not authorized and the only way to actually assert that is
with -all hardfail.
Please bug me with any questions/comments!
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [
http://daniel.friesen.name]