[dns-operations] creeping poorness of judgement

John Levine johnl at taugh.com
Sat Mar 14 01:56:32 UTC 2020


In article <3423731.dTAWf75mkY at linux-9daj> you write:
>today i got mail including this:
>
><jabley at hopcount.ca>: host aspmx.l.google.com[2607:f8b0:400e:c08::1b] said:
>    550-5.7.26 This message does not have authentication information or fails
>    to 550-5.7.26 pass authentication checks. To best protect our users from
>    spam, the 550-5.7.26 message has been blocked. Please visit 550-5.7.26
>    https://support.google.com/mail/answer/81126#authentication for more 550
>    5.7.26 information. l73si7852706pfd.109 - gsmtp (in reply to end of DATA
>    command)
>
>this is because i had no SPF record in my domain's TXT RRset. ...

Sort of.  Google only accepts mail over IPv6 that validates either
with SPF or DKIM.  You can send them mail over IPv4 same as always.  I
am not a big fan of SPF so I sign my mail with DKIM.

>i briefly considered adding such a record until i found that only one TXT 
>string is permitted, so TXT "v=spf1 mx" not TXT (v=spf1 mx) in the zone file.

Nope.  You can have as many strings as you want.  They're treated as
though they were one catenated string.  This is a concession to
provisioning crudware that doesn't handle multi-string TXT records
very well.  (Those I agree are often ignorant.)

>i guess i'll just add one with "v=spf1 +all" to shut google up?

It is rarely a good idea to assume that the people to whom you are
sending your mail are stupid.  Your SPF of "mx ~all" is fine.

>so many ignorant and poor judgements shaping this future.

You can certainly disagree with Google's choices here, but they had
their reasons and it's not because they're ignorant.  What is
convenient for those of us with individual or SME mail systems doesn't
scale very well to systems that have to defend against billions of
spam messages every day.
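
The multi-string TXT behaviour discussed in this thread, as an added example that is not part of the original message: it splits zone-file TXT RDATA into character-strings, joins them with no separator as RFC 7208 section 3.3 specifies, and reports the `all` qualifier. The names `txt_strings` and `spf_check` and the sample records are constructed for illustration.

```python
import re

# Added illustration; names and sample records are constructed, not from the thread.
_TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|([^\s"()]+)')
_ESCAPE = re.compile(r'\\(\d{3}|.)')

def _unescape(m):
    # \DDD is a decimal byte value; \X is the literal character X.
    return chr(int(m[1])) if len(m[1]) == 3 else m[1]

def txt_strings(rdata):
    """Split zone-file TXT RDATA into its character-strings.

    Accepts quoted strings and bare tokens; ( ) only groups lines and is
    skipped. Zone-file comments (;) are not handled here.
    """
    return [_ESCAPE.sub(_unescape, bare or quoted)
            for quoted, bare in _TOKEN.findall(rdata)]

def spf_check(rdata):
    """Join the strings with no separator (RFC 7208 section 3.3) and inspect."""
    strings = txt_strings(rdata)
    record = "".join(strings)
    terms = record.split() or [""]
    all_qualifier = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m[1] or "+"   # a bare "all" means "+all"
    return {
        "strings": strings,
        "record": record,
        "is_spf": terms[0].lower() == "v=spf1",
        "all": all_qualifier,
    }

if __name__ == "__main__":
    samples = [
        '"v=spf1 mx ~all"',          # one string
        '("v=spf1 mx " "~all")',     # two strings; the space lives inside the first
        '(v=spf1 mx)',               # unquoted: two strings, joined as "v=spf1mx"
        '"v=spf1 +all"',             # valid syntax, but passes every sending host
    ]
    for rdata in samples:
        print(f"{rdata:26} -> {spf_check(rdata)}")
```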


