[Wikimedia-l] SPF (email spoof prevention feature) test-rollout Weds 10/5

Daniel Friesen daniel at nadir-seen-fire.com
Fri Sep 28 18:04:56 UTC 2012


On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green <jgreen at wikimedia.org>  
wrote:

> I'm planning to deploy Sender Policy Framework (SPF) for the  
> wikimedia.org domain on Weds October 5. SPF is a framework for  
> validating outgoing mail, which gives the receiving side useful  
> information for spam filtering. The main goal is to cause spoofed  
> @wikimedia.org mail to be correctly identified as such. It should also  
> improve our odds of getting fundraiser mailings into inboxes rather than  
> spam folders.
>
> The change should not be noticeable, but the most likely problem would  
> be legitimate @wikimedia.org mail being treated as spam. If you hear of  
> this happening please let me know.
>
> Technical details are below for anyone interested . . .
>
> Thanks,
> jg
>
> Jeff Green
> Operations Engineer, Special Projects
> Wikimedia Foundation
> 149 New Montgomery Street, 3rd Floor
> San Francisco, CA 94105
>   jgreen at wikimedia.org
>
> . . . . . . .
>
> SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
>
> The October 8 change will be simply a matter of adding a TXT record to  
> the wikimedia.org DNS zone:
>
> wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22  
> ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
>
> The record is a list of subnets that we identify as senders (all wmf  
> subnets, google apps, and the fundraiser mailhouse). The "?all" is a  
> "neutral" policy--it doesn't state either way how mail should be handled.
>
> Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail,  
> which tells the receiving side that only mail coming from the listed  
> subnets is valid. Most ISPs will route 'other' mail to a spam folder  
> based on SoftFail.

I was under the impression that ~all softfail is not an assertion that  
something is not authorized and the only way to actually assert that is  
with -all hardfail.

> Please bug me with any questions/comments!


-- 
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
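
The qualifier semantics discussed in this thread ("?all" neutral, "~all" softfail, "-all" fail), as an added example that is not part of either message: a Python evaluator run over the record quoted above. The INCLUDES table is a constructed stand-in for the DNS lookup of _spf.google.com, and check_spf and results_by_policy are hypothetical helper names.

```python
import ipaddress

# Result for each mechanism qualifier (RFC 7208); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record quoted in the message above, joined onto one line.
PAGE_RECORD = ("v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 "
               "ip6:2620:0:860::/46 include:_spf.google.com "
               "ip4:74.121.51.111 ?all")
# Constructed stand-in for the DNS answer; a documentation prefix, not a real record.
INCLUDES = {"_spf.google.com": "v=spf1 ip4:192.0.2.0/24 -all"}

def check_spf(record, client_ip, includes, depth=0):
    """Evaluate ip4, ip6, include and all terms of an SPF record for client_ip."""
    terms = record.split()
    if depth > 10 or not terms or terms[0].lower() != "v=spf1":
        return "permerror"  # unusable record or include loop
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            if arg not in includes:
                return "temperror"  # no answer for the included domain
            inner = check_spf(includes[arg], client_ip, includes, depth + 1)
            if inner in ("temperror", "permerror"):
                return inner
            matched = inner == "pass"  # an inner fail/softfail is only "no match"
        else:
            return "permerror"  # a, mx, exists, ptr, modifiers: not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def results_by_policy(client_ip):
    """Result for client_ip under the page's ?all and the stricter ~all, -all."""
    return {q: check_spf(PAGE_RECORD.replace("?all", q + "all"), client_ip, INCLUDES)
            for q in "?~-"}

if __name__ == "__main__":
    for ip in ("208.80.154.10", "2620:0:861::1", "203.0.113.7"):
        print(ip, results_by_policy(ip))
```

Addresses inside the listed subnets pass under all three policies; only a sender outside them, such as the constructed 203.0.113.7, sees a different result depending on the "all" qualifier.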



