In DNSBL and DNSWL usage, it's easy to exempt the DNSBL and DNSWL source hosts from the DNS rebinding protection. In that case, the 127.0.0.x IPs also convey extra information like trust score and such for DNSBLs and DNSWLs.

Since DNSBLs and DNSWLs are configured by the mail server administrators, it's often easy to just have the firewall skip the DNS rebinding rules for those servers (since they are inherently trusted, and thus it wouldn't matter if a web browser called a DNSBL or DNSWL). It's not so easy when a random SPF record refers to a host that a firewall can't know beforehand, so the firewall can't anticipate that. And a malicious actor could make use of such a function if they wanted to do a DNS rebinding attack.

So I would say it's a widely standardised function of a DNSBL or DNSWL. It should not be used outside of that, never for the SPF "exists:" mechanism. Since any IP is valid there, and the actual IP doesn't have any bearing on the result, I would say, don't use private IPs in exists: records. There's no reason for it. Use a public IP, preferably your own. The firewalls are not supposed to protect a mail system only (then it would not need DNS rebinding protection), but a whole network, including mail systems.

-----Original Message-----
From: Bill Cole via mailop <[email protected]>
Sent: 17 June 2025 21:00
To: Sebastian Nielsen via mailop <[email protected]>
Subject: Re: [mailop] iphmx.com - who owns that server (SPF fault)

On 2025-06-17 at 14:40:38 UTC-0400 (Tue, 17 Jun 2025 20:40:38 +0200) Sebastian Nielsen via mailop <[email protected]> is rumored to have said:

> It's not uncommon.

Worst possible argument. The fact that a discernible number of firewalls do this is an argument against those firewalls.

> Many have that problem with firewalls automatically doing that.

I can understand that, as it is a conceptual problem in the configuration or design of those firewalls. They are unfit for the purpose of protecting mail systems. It will break more than SPF. It also will break any attempt to use any form of DNSBL. Returning loopback values in DNS has a standardized, widely-used function that demands the unimpeded receipt of loopback answers to A and AAAA queries.
-- 
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
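The two failure modes argued over in this thread (a rebinding filter that strips loopback/RFC 1918 answers silently turning every DNSBL hit into "not listed", and an SPF `exists:` target that only resolves to a private address) can be shown with a small simulation. The code below is an added example, not from the thread or from any firewall or MTA; it uses a constructed in-memory answer table instead of real DNS, a hypothetical zone name `dnsbl.example`, and `192.0.2.10` (a documentation address) standing in for a public IP. The DNSBL return-code convention (the listing is encoded in the last octet of a 127.0.0.x answer) and the RFC 7208 `exists:` rule (match if the name has at least one A record, whatever its value) are as described in the thread.

```python
import ipaddress

# Constructed answer table standing in for a resolver (not real DNS data).
FAKE_DNS = {
    # DNSBL-style listing for 1.2.3.4: reversed octets under the list zone,
    # loopback answer whose last octet is the list's reason code.
    "4.3.2.1.dnsbl.example": ["127.0.0.2"],
    # Hypothetical SPF exists: target that resolves to a private address
    # (what the thread advises against).
    "_spf-private.example.com": ["10.0.0.1"],
    # Same mechanism using a public (documentation) address instead.
    "_spf-public.example.com": ["192.0.2.10"],
    # Name with no A record at all.
    "nothing.example.com": [],
}

# Zones an administrator knows in advance and can exempt, as the thread suggests.
DNSBL_ZONES = frozenset({"dnsbl.example"})

# Ranges a typical rebinding filter refuses to let through from an external resolver.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_suspect(ip: str) -> bool:
    """True if a rebinding filter would drop this answer (loopback, RFC 1918, link-local)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def resolve_a(name: str, exempt_zones=frozenset()) -> list:
    """Simulated A lookup through a rebinding filter; exempt zones pass unfiltered."""
    answers = FAKE_DNS.get(name, [])
    if any(in_zone(name, z) for z in exempt_zones):
        return list(answers)
    return [ip for ip in answers if not is_rebind_suspect(ip)]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_lookup(ip: str, zone: str, exempt_zones=frozenset()) -> list:
    """Return the 127.0.0.x answers for ip in zone, as seen through the filter."""
    return resolve_a(dnsbl_query_name(ip, zone), exempt_zones)


def dnsbl_codes(answers: list) -> list:
    """Extract the reason codes (last octet of each 127.0.0.x answer)."""
    return sorted(int(a.rsplit(".", 1)[1]) for a in answers if a.startswith("127."))


def spf_exists_matches(name: str, exempt_zones=frozenset()) -> bool:
    """RFC 7208 exists: matches iff the name has at least one A record; the value is irrelevant."""
    return len(resolve_a(name, exempt_zones)) > 0


if __name__ == "__main__":
    # Filter applied to everything: the listing vanishes and looks like "not listed".
    print("DNSBL, no exemption:", dnsbl_lookup("1.2.3.4", "dnsbl.example"))
    # Known DNSBL zone exempted: the reason code survives.
    hit = dnsbl_lookup("1.2.3.4", "dnsbl.example", DNSBL_ZONES)
    print("DNSBL, zone exempted:", hit, "codes:", dnsbl_codes(hit))
    # exists: with a private target fails behind the filter; a public one works.
    print("exists: private target:", spf_exists_matches("_spf-private.example.com"))
    print("exists: public target:", spf_exists_matches("_spf-public.example.com"))
```

The point of the exemption set is that it is enumerable: the administrator chose the DNSBL zones, so they can be whitelisted in the filter, whereas an arbitrary sender's `exists:` target cannot be known ahead of time. Publishing `exists:` records that resolve to a public address you control sidesteps the problem entirely, because the filter then has nothing to strip.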
