ietf-asrg

[Asrg] misconception in SPF

2012-12-06 13:55:20
Hi,

Something I found about SPF. I don't know if it is new to you, but it
is worth explaining!

As in all the tutorials on SPF, one stays relaxed when listing the hosts/IPs
that are authorized to send for the domain and then finally closes
with -all. This is true only for that domain, but if there are hosts or
subdomains with A records, they must enforce SPF policies too! (This is
not explicit in the RFC, or at least it is confusing.)

A single host or subdomain that doesn't do it can lead to a sender spoofing attack:
an attacker can pose as someone from our domain without SPF detecting it.

This is because when we receive mail from foo@bar.mydomain, the SPF
protocol looks up the TXT records corresponding to bar.mydomain instead of
the TXT record for mydomain. If there is an A record for bar.mydomain but
no TXT "v=spf1 -all" for it, SPF returns "none" although SPF exists
for mydomain!

Thus an attacker can inject an email from anywhere claiming that it is
from someone@bar.mydomain!

As the default policy of SPF should not be "fail if not present", the
solution is to enforce it with a TXT record "v=spf1 -all" for each A
record that should not send emails!
This can also be done by means of wildcards, but that is discouraged in the RFC.

Cheers
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
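The lookup behaviour described in the post above, as an added example that is not part of the original message or of any SPF implementation: a deliberately simplified check_host() over a constructed in-memory zone for the hypothetical domain mydomain.example. It shows that a subdomain with only an A record evaluates to "none", that a wildcard TXT record does not cover a name that already exists (the standard DNS wildcard rule, which is why the wildcard approach is unreliable), and that adding "v=spf1 -all" to each non-sending name turns the result into "fail". Only the ip4/ip6, a and all mechanisms are handled; include, mx, exists, macros and the lookup limits of RFC 7208 are left out.

```python
import ipaddress

# Constructed zone for the hypothetical domain mydomain.example (not real DNS data).
# bar.mydomain.example has an A record but no SPF TXT record, which is the gap
# the post describes.
ZONE = {
    "mydomain.example": {
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 ip4:192.0.2.10 -all"],
    },
    "bar.mydomain.example": {
        "A": ["192.0.2.20"],
    },
    "*.mydomain.example": {
        "TXT": ["v=spf1 -all"],
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    """Return records of type rtype for name, with simplified wildcard semantics:
    a wildcard at the immediate parent only answers for names that do not exist
    in the zone at all (RFC 4592). Existing names never receive wildcard data."""
    if name in zone:
        return zone[name].get(rtype, [])
    parent = name.split(".", 1)[1] if "." in name else ""
    wildcard = "*." + parent
    if wildcard in zone:
        return zone[wildcard].get(rtype, [])
    return []


def check_host(zone, ip, domain):
    """Simplified SPF evaluation: look up the SPF record for *exactly* the
    MAIL FROM domain and walk its mechanisms left to right."""
    spf = [t for t in lookup(zone, domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not spf:
        return "none"          # no SPF record at this name: the parent is never consulted
    if len(spf) > 1:
        return "permerror"     # multiple SPF records are a permanent error
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(zone, arg or domain, "A")
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # no mechanism matched and no "all" term present


def add_null_spf(zone):
    """The fix from the post: give every non-wildcard name that has an A record
    but no SPF record an explicit 'v=spf1 -all'. Returns a new zone."""
    out = {n: {r: list(v) for r, v in recs.items()} for n, recs in zone.items()}
    for name, recs in out.items():
        if name.startswith("*."):
            continue
        has_spf = any(t.startswith("v=spf1") for t in recs.get("TXT", []))
        if "A" in recs and not has_spf:
            recs.setdefault("TXT", []).append("v=spf1 -all")
    return out


if __name__ == "__main__":
    spoofer = "198.51.100.7"  # constructed address that is authorized nowhere
    print("mydomain.example      :", check_host(ZONE, spoofer, "mydomain.example"))
    print("bar.mydomain.example  :", check_host(ZONE, spoofer, "bar.mydomain.example"))
    print("nothere.mydomain.example:", check_host(ZONE, spoofer, "nothere.mydomain.example"))
    hardened = add_null_spf(ZONE)
    print("bar (hardened)        :", check_host(hardened, spoofer, "bar.mydomain.example"))
```

Running it prints "fail" for the apex, "none" for bar.mydomain.example (the wildcard is ignored because the name exists), "fail" for a name that does not exist (the wildcard applies), and "fail" for bar.mydomain.example once add_null_spf() has published the explicit record. A quick audit of a real zone follows the same pattern: enumerate every name with A/AAAA records and confirm each has its own SPF TXT record rather than relying on the parent or a wildcard.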
