Journal Entries

Assorted journal / blog entries.


Failing Me Softly with SPF

TL;DR — The joys of the Sender Policy Framework and the (apparent) difficulties of implementing it correctly.

👓 3 minutes

About a year ago, I started receiving some fairly odd email messages: some originating from my own domain (itsericwoodward.com), and many originating from my own email address!

Most of these emails were obvious spam (or were themselves the product of spam, such as failure messages from external domains where the spam had been sent), and I started panicking: had I been hacked?

As I dug into the issue, I discovered that no, I hadn’t been hacked, but that my domain was just blindly accepting requests to send email. That’s when I first learned about SPF (Sender Policy Framework), “an open standard specifying a technical method to prevent sender address forgery.” Basically, to use SPF, I (as the domain owner) simply had to add a single TXT record to my domain information that indicated what servers could actually send email from my domain, and all others would be rejected. So, after fiddling around with the format for a while, I found my host’s recommended record (name changed to protect the innocent):

v=spf1 a mx include:mail.example.com ~all

Needless to say, I added it to my domain record, and bam – overnight, nearly all of the spam stopped flowing.

So, I went about my merry way, figuring I had solved the issue. I even added this record to the other domains that I own, since it had worked so well with the first one.

But it turns out that I was wrong.

Although I stopped receiving the messages from myself, every now and then I’d get a failure notice about an email coming from one of my domains being unsendable. When I’d get these, I’d think, “huh, I thought I fixed that,” and then I’d forget about it and move on to something else.

Then, just the other day, I received an email from me, to (another) me, telling me that I had a voicemail from an international number (it even helpfully suggested that “You might want to check it when you get a chance.”). And I thought, “wait a minute, didn’t I already fix this?”.

So, this time, rather than forgetting about it, I actually took a moment to look at the header, and that’s when I saw this (again, name changed):

softfail (mail.example.com: domain of transitioning xxxxxx@example.com
  does not designate 192.0.2.1 as permitted sender)

So, I went back to the SPF site again, and that’s when I learned that the server could not only reply with “pass” and “fail”, but a whole cornucopia of messages:

Received-SPF: softfail (mybox.example.org: domain of transitioning
   myname@example.com does not designate 192.0.2.1 as permitted sender)

Received-SPF: neutral (mybox.example.org: 192.0.2.1 is neither permitted
   nor denied by domain of myname@example.com)

Received-SPF: none (mybox.example.org: domain of myname@example.com does
   not designate permitted sender hosts)

Received-SPF: permerror -extension:foo (mybox.example.org: domain of
   myname@example.com uses mechanism not recognized by this client)

Received-SPF: temperror (mybox.example.org: error in processing during
   lookup of myname@example.com: DNS timeout)

The next obvious question is “why?” (well, that and “what the hell does transitioning mean?”).

It turns out that my host either misinterpreted the SPF spec, or tried to protect their users from themselves. Apparently, the presence of the tilde (“~”) in a record indicates that the domain is in transition to SPF - it’s designed for large email providers and corporations to let them start transitioning to SPF without forcing hard failures on every email that originates from an unlisted server (the idea is that the email owner would collect these softfails, verify the IPs are valid, and then add them to the SPF record). Oops.

Fortunately, I now knew what to do to fix the problem: replace the tilde with a dash (“-”):

v=spf1 a mx include:mail.example.com -all

A few hours later, problem solved, and no more spam from my domain (so far).
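As an added example (not part of the original post, and not taken from any SPF library): a small Python check that reports which result an unlisted sender gets from a record's all term, and pulls the result keyword out of Received-SPF headers like the ones quoted above. The function names are hypothetical; no DNS lookups are made and include / redirect targets are not followed.

```python
import re

# SPF qualifier -> result when the qualified mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def default_result(record):
    """Result an unlisted sender gets, i.e. when only the `all` term matches."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    has_redirect = False
    for term in terms[1:]:
        m = re.fullmatch(r"([-+~?]?)all", term, re.IGNORECASE)
        if m:                              # `all` always matches; later terms are ignored
            return QUALIFIERS[m.group(1) or "+"]
        if term.lower().startswith("redirect="):
            has_redirect = True
    # No `all`: the result comes from the redirect target, else defaults to neutral.
    return "redirect" if has_redirect else "neutral"

def audit(record):
    """Return (result, enforced): enforced only when unlisted senders hard-fail."""
    result = default_result(record)
    return result, result == "fail"

def received_spf_results(raw_headers):
    """Extract the result keyword from each (possibly folded) Received-SPF header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return re.findall(r"^Received-SPF:\s*(\w+)", unfolded,
                      re.MULTILINE | re.IGNORECASE)

# Sample headers copied from the post above (already anonymized there).
SAMPLE_HEADERS = """Received-SPF: softfail (mybox.example.org: domain of transitioning
   myname@example.com does not designate 192.0.2.1 as permitted sender)
Received-SPF: neutral (mybox.example.org: 192.0.2.1 is neither permitted
   nor denied by domain of myname@example.com)
"""

if __name__ == "__main__":
    for rec in ("v=spf1 a mx include:mail.example.com ~all",
                "v=spf1 a mx include:mail.example.com -all"):
        print(rec, "->", audit(rec))
    print(received_spf_results(SAMPLE_HEADERS))
```

A record with no all term at all comes back as neutral, which receivers treat much like having no policy.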

Based on my reading, I’m not the only one that made this mistake, and since SPF has been around for a few years (and is implemented, in some form or another, on most corporate domains), I can only imagine how many other domains are using an incomplete / incorrect implementation of it (based on the number of F*-buddy requests and Canadian pharmaceutical offers I still get, I’d imagine that number to be fairly high).

So, if you own one or more domains, please do everyone a favor and implement SPF for your email. And if you aren’t using a ton of different mail servers (wherein you might not be able to list them all in your TXT record), skip the tilde and go straight for the dash.

The internet will thank you for it.


Obituary for Dennis Jon Woodward (My Father)

TL;DR — My father, Dennis Jon Woodward, passed away May 23, 2016. This is his obituary.

👓 2 minutes

My father, Dennis Jon Woodward, passed away May 23, 2016.

I debated whether to even write about this here, but as the months have gone on, I can’t help but notice the effect his passing has had on my thoughts. Initially, I was overwhelmed with sadness, my mind unable to grasp the concept of him not existing anymore. As the time has gone on, it’s become more about specific thoughts or experiences triggering specific memories, followed by a wave of sadness at never being able to have those experiences with him again. Even now, as I write this nearly 3 months on, I find myself tearing up at the thought of never seeing him again. I know these things take time, and I’m sure that someday, once I’m “used” to not being with him anymore, my memories of him will bring joy. But not yet.

The downside of being a naturalist / materialist is that I don’t believe in any magical place where I’ll get to see him again, nor do I believe that he can come visit me as a ghost or spirit. I mean, it’d be nice if either of these were true, but I can’t believe in them because there’s no evidence for them. And since he’s the one who started me on my love of science (and, tangentially, my road to naturalism), I have to stay true to that, no matter what my wishes are. But it’s hard.

Writing the obituary has been, for me, part of the grieving process - trying to consolidate the major events / moments / details of his life down to a few short sentences. But it’s also been difficult to complete; almost as if, by not publishing it, I was somehow hanging on to him. I dreaded writing it (to say nothing of trying to find the right picture), but I did, and as of yesterday, it was published in the paper. But nothing changed. He’s still gone.

This is the other reason I debated writing about this here - not just because it’s difficult, but because I feel like I don’t have anything useful to say. Maybe later, but not now.


Dennis Jon Woodward, formerly of Concord, passed away unexpectedly but peacefully in his home Monday, May 23, 2016, at the age of 64. He was born January 16, 1952, in Syracuse, N.Y., the son of the late Leonard and Vera Woodward, and was raised in upstate New York. He retired from Pass & Seymour / Legrande in Concord in 2012 after 40 years with the company.

He is survived by his wife, Sherry Woodward, of Ellenboro; sisters, Eileen Joy and Brenda Myslevecek, of Redfield, N.Y.; brother, Donald Woodward and wife, Pat, of Augusta, Ga.; son Eric Woodward and wife, Stacie, of Concord; son, Jeffrey Woodward and wife, Candace, also of Concord; daughter Sarah Horton and husband, Jason, of Mount Pleasant; stepson, Keith McDaniel and wife, Lisa, of Ellenboro; stepson Kirk McDaniel, of Concord; and 13 grandchildren. A private family service was held at his home. In lieu of flowers, the family is asking that donations be made to the Leukemia & Lymphoma Society.

Posted at: http://www.independenttribune.com/obituaries/woodward-dennis/article_015cf7ba-3000-5081-8719-9b5536174451.html


Hello, World!

TL;DR — The obligatory introductory post for my new web site.

👓 less than 1 minute

So, after a few years of on-again, off-again blogging (in both original and micro flavors), coupled with staring at (and maintaining) a half-completed projects site, I got tired of having a split web personality and decided to squish it all together. This site is the result of that unholy union.

I plan on doing a write-up later explaining the gory details of how (and why) I built it the way I did¹, but let me at least give you the quick, jargon-laden version: the site is built with Node (specifically an as-of-yet-unreleased custom library & CLI wrapped around HarpJS), which creates static pages out of Markdown and EJS (templated to conform to IndieWeb / microformats2 specifications), which is then compressed via various Gulp plugins, and is ultimately served up through nginx running on a DigitalOcean droplet. And, lest I forget, lots and lots of emojis.

It’s all still very much a work-in-progress, but I’m pleased as punch with the results so far, and look forward to finishing both it and my 237 other projects (just probably not this week, month, or year).

In the meantime, feel free to take a look around and check it out, and if you have any questions (or want to heap praise on me), hit me up on social media or via email.


1 - Especially since I've been publishing here for [over a month](/updates/2016/5/8/update.html) and am just now getting around to writing my "introductory" post.


The (Commercial) Web is Dying? So What?

TL;DR — In defense of ad-blockers and a demonetized web.

👓 3 minutes

Lately, there seems to have been an up-tick in the never-ending debate about the web, advertising, and content-blocking. While Apple’s recent introduction of content-blockers in iOS9 is the most proximate reason for this discussion, it isn’t a new battle, and has been raging for quite some time. The basic argument is that many sites rely on advertising revenue to cover not just their costs, but also to turn a profit. And these web-based companies are (justifiably) concerned that ad-blocking could reduce (or destroy) that revenue stream, which might force them to shut down.

To which I say, “so what?”

I’m not trying to be mean, but the fact is that lots and lots of businesses are forced to close every year, and many (most?) of them close because they have what some might call a “flawed business model”. Like some others, I believe that’s exactly what the “web advertising” model is, because if it wasn’t, no one would be blocking the ads, there would be no heated discussion about it, and blog posts like this one would never exist. I mean, some may liken ad-blocking to stealing, but others see it for what it actually is - disruption.

Look, I’ve been online long enough to remember the early attempts at monetizing the web: first came the embedded banner ads, which paid-per-view, but were easily ignored by end users; then came the pop-up (and pop-under) ads, which were still pay-per-view, but which couldn’t be ignored (unless you turned them off, since they relied on JavaScript); then came embedded banners with a “pay-per-click” model, which didn’t work because nobody wanted to actually click the links. And as each one rose to prominence, there were always those crying for people to engage with their ads (“If you don’t click on one of my ads, I’ll be forced to shut my site down!”). But the web remains.

And that’s part of why I titled this the way I did. Even if the commercial web went away (which, let’s be honest, it probably won’t), it wouldn’t be the end of the world: many sites which rely on donations or subscriptions would remain, as would storefronts and sites that support physical things. Plus, there are still many sites which are run more-or-less as hobbies, paid for by the people who run them. And, despite what the anti-blockers would say, there are other successful revenue models out there.

So, if you are a blogger or news site who is concerned about how this change will affect your bottom line, you have my sympathy: not because I block your ads (which I do), but because you put your faith in a fundamentally flawed business model (and believe me, you aren’t the only one). If, however, you think I’m wrong, then I encourage you to take the next obvious step and start blocking (or Comic Sans-ing) users who run ad blockers. If your content is worth viewing ads for, then people who run blockers will turn them off just so they can see it. But be prepared for the horrifying truth: when people have to actually pay for something (either with their eyeballs and “unblock” buttons, or with cold-hard cash), your site may not be good/interesting/original enough to actually generate revenue. Again, you have my sympathy… but not my cooperation.

It has recently been asked what the web might have looked like if the ad-based model had never taken off. Since we can’t rewind the clock, we can’t know for sure what course history may have taken in that instance. But if we keep running ad-blockers long enough, we may yet find out.


Anti-GMO Scaremongering

👓 less than 1 minute

The people who push GMO labels and GMO-free shopping aren’t informing you or protecting you. They’re using you. They tell food manufacturers, grocery stores, and restaurants to segregate GMOs, and ultimately not to sell them, because people like you won’t buy them. They tell politicians and regulators to label and restrict GMOs because people like you don’t trust the technology. They use your anxiety to justify GMO labels, and then they use GMO labels to justify your anxiety. Keeping you scared is the key to their political and business strategy. And companies like Chipotle, with their non-GMO marketing campaigns, are playing along.

Unhealthy Fixation, William Saletan