On Tue 17/Jun/2025 10:10:47 +0200 sebastian wrote:
> The thing is that iphmx.com seems to be a MaaS infrastructure that tells clients
> to use exists: as SPF records.
> Like: exists:%{i}.spf.hc2347-76.eu.ipmx.com
> One example:
> 23.90.102.86.spf.hc2437-76.eu.iphmx.com
> The problem is that these resolve to a private IP (172.0.0.2) which causes SPF
> failures due to DNS rebinding protection. Returning private IP addresses for
> external use is a big no-no.
Why? RFC 5782 states:
The contents of the A record MUST NOT be used
as an IP address. The A record contents conventionally have the
value 127.0.0.2, but MAY have other values [...]
> Works well for DNSBLs because in those situations it's easy to configure an
> exception for the DNSBL server. Not so easy to configure an exception for all
> SPFes.
Why? RFC 7208 states:
exists = "exists" ":" domain-spec
The <domain-spec> is expanded as per Section 7. The resulting domain
name is used for a DNS A RR lookup (even when the connection type is
IPv6). If any A record is returned, this mechanism matches.
Presumably, a mail server should not consult a DNS hacked for browsers?
> Recommended DNS configuration change:
> Have the A record return its own IP:
> 23.90.102.86.spf.hc2437-76.eu.iphmx.com IN A 23.90.102.86
That might work for the custom settings of iphmx. However, SPF records can
also point to public DNSWLs, which is an effective filtering method. For example:
~exists:%{ir}.list.dnswl.org -all
This is stricter than ~all, yet allows most forwarding.
Best
Ale
--
mailop mailing list
https://list.mailop.org/listinfo/mailop
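As an added example (not code from the thread, from iphmx or from dnswl.org), the following Python models the exists: mechanism as the thread describes it: %{i}/%{ir} macro expansion per RFC 7208 section 7, the A lookup, and a resolver with DNS rebinding protection that discards private and loopback answers. The DNS answers are constructed (the iphmx name answers with the RFC 5782 conventional 127.0.0.2, the dnswl.org name with a DNSWL-style 127.0.x.y code), and the evaluator handles only the exists: and all terms; it shows that returning the client's own IP fixes the iphmx case but a public DNSWL still fails behind such a resolver.

```python
import ipaddress

# Constructed answers standing in for the lookups discussed in the thread.
CLIENT_IP = "23.90.102.86"
DNS_AS_DEPLOYED = {
    "23.90.102.86.spf.hc2437-76.eu.iphmx.com": ["127.0.0.2"],  # RFC 5782 convention
    "86.102.90.23.list.dnswl.org": ["127.0.3.1"],              # DNSWL-style code
}
# The suggested fix from the thread: the A record returns the connecting IP itself.
DNS_WITH_FIX = {"23.90.102.86.spf.hc2437-76.eu.iphmx.com": [CLIENT_IP]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand(domain_spec, client_ip):
    """Expand %{i} (dotted IP, dotted nibbles for IPv6) and %{ir} (reversed)."""
    ip = ipaddress.ip_address(client_ip)
    dotted = ip.exploded if ip.version == 4 else ".".join(ip.exploded.replace(":", ""))
    reverse = ".".join(reversed(dotted.split(".")))
    return domain_spec.replace("%{ir}", reverse).replace("%{i}", dotted)


def lookup_a(name, dns, rebinding_protection):
    """A lookup; a rebinding-protecting resolver drops private and loopback answers."""
    answers = dns.get(name, [])
    if rebinding_protection:
        answers = [a for a in answers
                   if not (ipaddress.ip_address(a).is_private
                           or ipaddress.ip_address(a).is_loopback)]
    return answers


def evaluate(record, client_ip, dns, rebinding_protection=False):
    """Evaluate the exists: and all terms of an SPF record, left to right."""
    for term in record.split():
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("exists:"):
            name = expand(mech[len("exists:"):], client_ip)
            if lookup_a(name, dns, rebinding_protection):  # any A record matches
                return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no all: RFC 7208 default result
```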