Author: Phil Pennock
Date:
To: Lena
CC: exim-users
Subject: Re: [exim] unblocking gmail
On 2008-12-09 at 19:37 +0200, Lena@??? wrote:
> I took google's blocks for my whitelist from gmail's spf. The blocks are large:
> 216.239.32.0/19 : 64.233.160.0/19 : 66.249.80.0/20 : \
> 72.14.192.0/18 : 209.85.128.0/17 : 66.102.0.0/20 : \
> 74.125.0.0/16 : 64.18.0.0/20 : 207.126.144.0/20 : \
> so I think that addition of new large blocks is unlikely.

It's not as unlikely as you are hoping. The address blocks basically
cover a lot of Google's external IP addresses, where mail might come
from if turned up as a service. You probably want to automatically
check _netblocks.google.com / _spf.google.com SPF records as part of
whatever build-scripts you use, if you don't want to rely upon
dnswl.org. Or just do both.

Myself, on my personal system I rely upon dnswl.org. It tends to be
up-to-date for Gmail and I have high hopes of the situation here
improving. By using a generic list like dnswl.org I don't need to
special-case any big provider.

I am getting strongly tempted, again on my personal systems, to turn on
a hard-mandate that a message must have a verified DKIM signature if the
From: address is @gmail.com and there's no sign of a mailing-list in the
headers; in fact, making that apply to a number of domains including
some big US banks would cut down on the amount of spam which makes it
past my other checks. There's no need to wait on RFCs for DKIM sender
signing policies for domains if I, as a mail-admin, choose to impose a
given policy for a given remote domain -- it won't scale well, but it
should do to be getting on with, until SSPs are codified.
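
The automated SPF check suggested in the message above, as an added example that is not part of the original post or of Exim: it expands an SPF record through `include:` and `redirect=` and reports published networks that a local whitelist does not cover. The record names, address ranges and the `lookup_txt` stub are constructed for illustration; a real build script would replace the stub with a DNS TXT query.

```python
import ipaddress

# Constructed sample TXT records (documentation ranges, not real DNS answers).
SAMPLE_TXT = {
    "_spf.example.net":
        "v=spf1 include:_netblocks.example.net ip4:192.0.2.0/24 ~all",
    "_netblocks.example.net":
        "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/25 ip6:2001:db8::/32 ?all",
}

def lookup_txt(name):
    """Hypothetical resolver stub; swap in a real TXT lookup in a build script."""
    return SAMPLE_TXT.get(name, "")

def spf_networks(name, lookup=lookup_txt, seen=None):
    """Collect ip4/ip6 networks from an SPF record, following include/redirect."""
    seen = set() if seen is None else seen
    if name in seen:                      # guard against include loops
        return set()
    seen.add(name)
    record = lookup(name)
    if not record.lower().startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")        # drop the SPF qualifier
        low = term.lower()
        if low.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif low.startswith("include:"):
            nets |= spf_networks(term[8:], lookup, seen)
        elif low.startswith("redirect="):
            nets |= spf_networks(term[9:], lookup, seen)
    return nets

def whitelist_drift(whitelist, published):
    """Return (uncovered, stale): published networks the whitelist misses,
    and whitelist entries that overlap nothing currently published."""
    wl = {ipaddress.ip_network(w.strip(), strict=False) for w in whitelist}
    uncovered = {p for p in published
                 if not any(p.version == w.version and p.subnet_of(w) for w in wl)}
    stale = {w for w in wl
             if not any(w.version == p.version and w.overlaps(p) for p in published)}
    return uncovered, stale

if __name__ == "__main__":
    local = ["192.0.2.0/24", "198.51.100.0/23", "10.0.0.0/8"]
    missing, stale = whitelist_drift(local, spf_networks("_spf.example.net"))
    print("not whitelisted:", sorted(map(str, missing)))
    print("no longer published:", sorted(map(str, stale)))
```

A non-empty "not whitelisted" set is the signal to fail the build or regenerate the whitelist; stale entries are worth reviewing because they widen the whitelist beyond what the sender publishes.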