Any way to handle ptr: results, like with Yahoo? #138

Closed
stevejenkins opened this issue Feb 13, 2017 · 6 comments

@stevejenkins
Collaborator

Yahoo has always chosen to go their own way (e.g. they really held onto DomainKeys while everyone else evolved to DKIM), and it's no different with SPF records, it seems.

# despf.sh yahoo.com
Getting _spf.mail.yahoo.com
ptr:yahoo.com
ptr:yahoo.net

Is the issue solely with their SPF record being purposely difficult, or can anyone think of a way to get valid despf.sh output from Yahoo some other way?

@jcbf
Collaborator

jcbf commented Feb 13, 2017

I think you should clarify "way to get valid despf.sh". The generated output is valid in SPF context.
I'm assuming you need IPs for the postwhite project, and for that usage the ptr mechanism is impossible to handle. The same applies to exists and hosts with macros (check #133).

@jcbf added the question label Feb 13, 2017
@stevejenkins
Collaborator Author

You are, of course, correct. The yahoo.com query is indeed valid output for despf.sh. I'm trying to figure out a way to expose Yahoo's known senders... they seem to be the only major mailer to hide them. This is certainly not a bug with SPF-Tools. I just figured there are enough smart people in here that possibly someone might have thought of something I hadn't. :)

I recently added a static list of known Yahoo IPs (scraped from here: https://help.yahoo.com/kb/SLN23997.html) with the option of setting a flag in postwhite.conf to not include them. But that's kludgy.

@jcbf
Collaborator

jcbf commented Feb 14, 2017

Well, I'm doing just a check. Got all the advertised IPv4 prefixes (http://bgp.he.net/AS10310#_prefixes) and doing a mass DNS lookup on the PTRs.
Not very conclusive, almost all IPs end with yahoo.com. Scraping the page is probably the better way.

@jsarenik
Collaborator

jsarenik commented Feb 14, 2017

@stevejenkins Thank you for pointing this out. I just had a look at it and it seems to me like a very smart way to decentralize the SPF record and make it verifiable in O(n) steps. Of course it is hard or even legally impossible in some countries (without the KB article listing addresses) to find out all the addresses that can be used for sending mail for the yahoo.com domain, but it seems to me very smart.

  • What I meant by "legally impossible" is that Germany prohibits scanning as far as I know.

I think that the list you linked is the best way of getting a static list of address blocks. Otherwise it may require some "plugin" for Postfix which would first check the PTR record assigned to the IP address that wants to send mail and then straight away check whether the name record points back to that same IP address.

What Yahoo is doing seems to me like a very flexible solution to the SPF limitations, and if everybody was doing it similarly, this project would probably never have been born :-)
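
The check described in the comment above (PTR lookup, then confirming that the name resolves back to the same IP) is also how a receiver evaluates an SPF `ptr:` mechanism. The sketch below is an added example, not code from this thread or from SPF-Tools; the function names, resolver callbacks, host names and addresses are constructed for illustration so it runs without DNS access.

```python
import ipaddress

MAX_PTR_NAMES = 10  # RFC 7208 section 4.6.4: only the first 10 PTR names are used


def ptr_match(client_ip, target_domain, reverse_lookup, forward_lookup):
    """Evaluate an SPF "ptr:<target_domain>" mechanism for client_ip.

    reverse_lookup(ip) returns PTR names; forward_lookup(name) returns A/AAAA
    address strings. Both are injected (assumption) so the logic runs offline.
    """
    ip = ipaddress.ip_address(client_ip)
    target = target_domain.rstrip(".").lower()
    for name in reverse_lookup(str(ip))[:MAX_PTR_NAMES]:
        name = name.rstrip(".").lower()
        # Forward-confirm: the PTR name must resolve back to the client IP,
        # otherwise whoever controls the reverse zone could claim any name.
        try:
            confirmed = any(ipaddress.ip_address(a) == ip for a in forward_lookup(name))
        except ValueError:
            confirmed = False
        if not confirmed:
            continue
        # Match on a label boundary only: "notyahoo.com" must not match "yahoo.com".
        if name == target or name.endswith("." + target):
            return True
    return False


# Constructed sample data: documentation address ranges, made-up host names.
SAMPLE_PTR = {
    "192.0.2.10": ["mta1.mail.yahoo.com."],
    "192.0.2.66": ["mta1.mail.yahoo.com."],   # PTR claims the name, no forward record
    "198.51.100.7": ["mail.notyahoo.com."],   # forward-confirmed, but wrong domain
}
SAMPLE_ADDR = {
    "mta1.mail.yahoo.com": ["192.0.2.10"],
    "mail.notyahoo.com": ["198.51.100.7"],
}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name):
    return SAMPLE_ADDR.get(name, [])
```

Each evaluation costs one reverse lookup plus up to ten forward lookups per connecting IP, which is why the result cannot be flattened into a static list of address blocks the way `ip4:` and `include:` terms can.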

@jsarenik
Collaborator

@stevejenkins - do you think there is any way to approach this problem without wide-scale DNS scanning? How? Otherwise I would suggest to close this issue.

@stevejenkins
Collaborator Author

I don't think so, and therefore think it's OK to close.
