ietf-mxcomp

RE: DEPLOY: Over-running TXT dataspace in FQDN (-protocol I believe)

2004-08-26 13:14:45

On Thu, 26 Aug 2004, Jeff Macdonald wrote:

No.  Both I and the people looking to implement these records feel quite
strongly that using the same record for both is very dangerous.  In fact,
these largest sites are the ones who are *most* likely to have different
records (bit of a Catch 22 there).

Could you give an example? Or point to one if such an example exists?

Example of large sites that will have spfv1 records that would differ from
spfv2.0/pra?  Sure:

A number of very large commercial banks run fairly complex outbound mail
systems.  More complex even than AOL -- which seems to be the yardstick --
because their email systems have evolved over the years through various
business actions.  It's not uncommon for a single bank to send outbound
mail from more than a *dozen* different systems scattered all over the
world (literally, more than a dozen).  In ip4: notation this would take
something like 12 x 21 bytes = 252.  (Note that these outbound sites are
completely separate from their inbound servers, so mx: wouldn't work).

Add to this the fact that these corporations regularly outsource marketing
and other material delivery to third party firms.  Since they want these
messages to be branded as coming from their primary domain, the spfv2.0/pra
record would include many include: statements like "include:esp1.com
include:esp2.com include:esp3.com".  It doesn't take many additions here to
completely blow that 240 byte-ish limit that we're bumping up against by
inserting *two* records in one UDP response packet.

How would this differ from their spfv1 record?  Well, since most
outsourced mailings use an ESP-controlled MAIL FROM address (for bounce
handling purposes), the spfv1 record would not necessarily include those
additional ESP references.  So for a specific bank I am thinking of (13
outbound sites + 8 identified ESP partners), the spfv2.0/pra record would
be something like 401 bytes and the spfv1 record would be something like
252 bytes, for a total of 653 bytes, blowing the cap on the UDP response
packet.

Note that this doesn't apply just to banks; I've talked to numerous online
consumer sites and various media companies that will have the same
problem.  They didn't have concerns when it looked like Sender ID would
re-use the same records as spfv1, but now they are starting to worry.  The
complexity of global corporate mail systems is not to be believed and to
assume that Hotmail/AOL/Yahoo have the biggest outbound delivery system is
being a little naive.

-Rand
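The size accounting in the message above, as an added example that is not part of the original post or the SPF/Sender ID specifications: it computes the RFC 1035 wire size of a DNS response carrying one or two SPF-style TXT records and checks it against the classic 512-byte UDP payload limit. The domain bank.example, the 203.0.113.x addresses and the espN.example ESP names are constructed placeholders; the estimate counts the header, the question and the answer section only (owner names compressed to a 2-byte pointer), and ignores authority/additional records and EDNS0, which can raise the limit.

```python
"""Estimate the UDP wire size of a DNS TXT answer holding SPF-style records.

Example code, not from the ietf-mxcomp thread; all names and addresses are constructed.
"""

UDP_PAYLOAD_LIMIT = 512            # classic DNS-over-UDP limit without EDNS0 (RFC 1035)
HEADER_LEN = 12                    # fixed DNS message header
RR_FIXED_LEN = 2 + 2 + 2 + 4 + 2   # compressed owner pointer, TYPE, CLASS, TTL, RDLENGTH


def encoded_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: a length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def txt_rdata_len(text: str) -> int:
    """TXT RDATA is a sequence of <length><bytes> character-strings of at most 255 bytes each."""
    data = text.encode("ascii")
    chunks = (len(data) + 254) // 255 or 1   # an empty TXT still carries one zero-length string
    return len(data) + chunks


def txt_rr_len(text: str) -> int:
    """One TXT resource record in the answer section, owner name compressed to the question."""
    return RR_FIXED_LEN + txt_rdata_len(text)


def response_len(qname: str, records) -> int:
    """Header + question section + one TXT RR per record (no authority/additional sections)."""
    question = encoded_name_len(qname) + 2 + 2   # QNAME, QTYPE, QCLASS
    return HEADER_LEN + question + sum(txt_rr_len(r) for r in records)


def fits_in_udp(qname: str, records, limit: int = UDP_PAYLOAD_LIMIT) -> bool:
    """True if the whole answer fits in a single classic UDP response."""
    return response_len(qname, records) <= limit


def build_spfv1(n_outbound: int) -> str:
    """Constructed spfv1 record: one ip4: mechanism per outbound system (TEST-NET-3 addresses)."""
    ip4s = " ".join(f"ip4:203.0.113.{10 + i}/32" for i in range(n_outbound))
    return f"v=spf1 {ip4s} -all"


def build_spf2_pra(n_outbound: int, n_esps: int) -> str:
    """Constructed spf2.0/pra record: the same ip4: list plus one include: per outsourced ESP."""
    ip4s = " ".join(f"ip4:203.0.113.{10 + i}/32" for i in range(n_outbound))
    includes = " ".join(f"include:esp{j + 1}.example" for j in range(n_esps))
    return f"spf2.0/pra {ip4s} {includes} -all"


if __name__ == "__main__":
    qname = "bank.example"                       # constructed placeholder domain
    spfv1 = build_spfv1(13)                      # 13 outbound systems, as in the message
    spf2 = build_spf2_pra(13, 8)                 # plus 8 ESP partners
    for label, recs in (("spfv1 only", [spfv1]), ("spfv1 + spf2.0/pra", [spfv1, spf2])):
        size = response_len(qname, recs)
        verdict = "fits" if fits_in_udp(qname, recs) else "EXCEEDS"
        print(f"{label:22s} {size:4d} bytes  -> {verdict} {UDP_PAYLOAD_LIMIT}-byte UDP answer")
```

When the second record pushes the answer over the limit, an RFC 1035 server sets the TC bit and the resolver must retry over TCP; resolvers or firewalls that drop DNS/TCP then see the lookup fail, which is the operational risk behind the size concern above. Running the two-record check against your own zone's TXT data before publishing is the practical takeaway.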