[ILUG] SPF and backup MX servers
kenn at bluetree.ie
Fri Jan 9 11:46:08 GMT 2004
With all the hoopla recently about SPF (sender permitted from)
records, there is one thing that I still have doubts about:
backup MX servers.
Let's take an example:
o sender.com advertises SPF hosts as mail.sender.com
o user1 at sender.com sends an email to user2 at receiver.com
o MX records for receiver.com are:
o mail.receiver.com and mail.backupmx1.com are down, so
mail.sender.com SMTPs the message to mail.backupmx2.com.
o Immediately after MAIL FROM:<user1 at sender.com>,
mail.backupmx2.com does an SPF lookup and sees that all
is OK and accepts the message.
o Later, mail.backupmx1.com comes up but mail.receiver.com
is still down, so mail.backupmx2.com SMTPs to
o mail.backupmx1.com does an SPF lookup and finds that
mail.backupmx2.com is not a permitted sender - message is
accepted and marked as possible spam (best case) or
bounced (worse case) or silently blackholed (worst case).
o Later mail.receiver.com comes back up, so mail.backupmx1.com
SMTPs to mail.receiver.com.
o mail.receiver.com does an SPF lookup and finds that
mail.backupmx1.com is not a permitted sender. However,
it sees that it is one of its own backup MX servers, so
accepts the message (I hope).
Note that "I hope" there. It is not at all clear from the stuff
I've read that an SPF "client" should be configured to trust its
backup MX servers. Of course, if you've got a backup MX that
doesn't do SPF checks, then that's a spam route into your
But the biggest problem occurs when a message is passed between
intermediate backup MX servers as above. At the time of MAIL FROM:
in the SMTP conversation, there is no recipient address available,
so there is no way for the backup MX servers to know of each
other's existence. There is no way for backupmx1 to know that
backupmx2 is a lower-priority MX for receiver.com. Perhaps if it
knew this (by postponing SPF checks until all RCPT TO:s are received)
it could then decide to accept the message as non-SPAM, since it
could trust backupmx2 (for receiver.com recipients only).
But what happens when there are multiple recipients. backupmx1
ends up having to either:
o Assume message is non-SPAM for all recipients since one
recipient is good
o Consider it as non-SPAM for user2 at receiver.com, but SPAM
for any recipients that do not list backupmx2 as an MX.
Or do we just give up on the whole idea of backup MX servers?
Are we better off without them in todays well-connected Internet?
More information about the ILUG