On Thu, Feb 10, 2005 at 10:30:11PM -0700, Commerco WebMaster wrote:
The joy of receiving some message stating "our advanced spam filter has
determined you sent the following" when it is an obviously forged from IP
address in another country is starting to wear a bit thin with me. Even
more so when said "advanced spam filter" company appears to pay no
attention to requests they consider implementing SPF support in their
or one-time only opt-in confirmation.
or vacation message.
All the same.
You think publishing redirect covers an entire zone?
Well, not easily, but I'll send you an off list email message with an
actual domain, where you can try to get an SPF txt record for
FOO.example.com via Dig and it will successfully present a redirect to
_spf.example.com txt record even though FOO.example.com does not actually
exist (wildcard DNS).
Every query does result in an answer, including for non-TXT records...
If OTOH you publish "v=spf1 redirect:_spf.example.com" for each and
every domain (not: host!) then you get what you think you get.
...so you _are_ publishing for each domain.
And therefore FOO.example.com _does_ exist. Maybe not in real life,
but it certainly does in DNS.
[... on faulty records not set by owner of domain ...]
While such behavior as you point to seems entirely inappropriate, it is
also not the fault of the SPF, those who publish SPF records for their own
domains or those who support published records in their MTA / SMTP software.
I think I see where you are going, but I really believe that the subjective
treatment of what should be an absolute is still not good design. Rather,
perhaps such things should be handled via an ~all with appropriate
But how is this going to happen? The DNS hoster doesn't know better
than to publish -all. Its customer doesn't know anything about SPF
at all. How is this situation going to magically change?
I stand by my original comment: It is, IMHO, too soon to actually
start blocking based on what could very well be a simple mistake.
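The mechanics argued over above (a wildcard TXT record that makes a redirect appear for names that "do not exist", and the difference between a `-all` and a `~all` terminal) are shown below in a small SPF evaluator. This is an added example, not code from the thread or from any SPF implementation: it runs against a constructed in-memory zone table instead of real DNS, supports only `ip4:`, the `redirect=` modifier (RFC 7208 spells the modifier with `=`) and the `all` terminals, and uses simplified wildcard matching. The hostnames, addresses and the `action_for` policy mapping are all assumptions for illustration.

```python
"""Toy SPF check_host() over a constructed DNS table (added example)."""
import ipaddress

# Constructed zone data. example.com publishes a wildcard TXT record, so a
# query for any name under it (even one never explicitly created) returns
# a redirect to _spf.example.com, which holds the actual policy.
ZONE_TXT = {
    "example.com":      ["v=spf1 redirect=_spf.example.com"],
    "*.example.com":    ["v=spf1 redirect=_spf.example.com"],
    "_spf.example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # A zone whose owner is unsure of its mail sources and uses softfail.
    "soft.example.org": ["v=spf1 ip4:198.51.100.10 ~all"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, zone=ZONE_TXT):
    """Return TXT strings for name, falling back to the closest wildcard.

    Simplified wildcard semantics: '*.example.com' matches any name below
    example.com that has no explicit entry of its own.
    """
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return []


def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy of domain for sender ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 limits the number of DNS-causing terms
        return "permerror"
    records = [t for t in lookup_txt(domain)
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"          # no SPF record published for this domain
    if len(records) > 1:
        return "permerror"     # multiple records are a permanent error
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == 4 and addr in net:
                return RESULT[qualifier]
        elif term == "all":
            return RESULT[qualifier]
        elif term.startswith("redirect="):
            redirect = term[len("redirect="):]  # applied only if nothing matched
        else:
            return "permerror"  # mechanism not supported by this toy
    if redirect:
        sub = check_host(ip, redirect, depth + 1)
        return "permerror" if sub == "none" else sub
    return "neutral"


def action_for(result):
    """Assumed receiver policy: only a hard 'fail' is rejected; 'softfail'
    is scored, everything else is accepted as-is."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "score"
    return "accept"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "FOO.example.com"),
                    ("203.0.113.5", "FOO.example.com"),
                    ("203.0.113.5", "soft.example.org"),
                    ("203.0.113.5", "nospf.example.net")]:
        r = check_host(ip, dom)
        print(f"{ip:>12} from {dom:<20} -> {r:<9} ({action_for(r)})")
```

Querying `FOO.example.com` in this table behaves exactly as described in the thread: the name has no record of its own, but the wildcard answers with the redirect, so from the receiver's point of view the domain does exist in DNS and carries a `-all` policy. The same sender evaluated against `soft.example.org` yields `softfail`, which the policy mapping scores rather than rejects; that is the practical difference between the two terminals being argued about.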