
Re: [Asrg] misconception in SPF

2012-12-08 18:00:42
On 07/12/2012 20:45, John Levine wrote:
>> I think this makes sense, but I think it would make more sense if there was
>> a way to just specify in the SPF record for, for example, twitter.com, that
>> all legit senders for all subdomains are included in the highest level SPF
>> record.
> This sort of thing has been proposed before.  It turns out that
> anything in the DNS that starts "all names below this node ..." is
> astonishingly hard to implement.
Could we have a "direct parent" check rather than going up lots of levels?

E.g., if you are having to fall back to an A record, look at the direct parent for a TXT record with appropriate data in it.

So, if you are checking a message from xyz@bibble.twitter.com, you are doing your check that bibble.twitter.com exists, and see that it only has an A record (if it has an MX record, that satisfies your checks). Now, you do a TXT lookup on 'twitter.com' and if the result has a record saying 'mx only' (or some such) you know that 'bibble.twitter.com' isn't valid as an email domain.

This would be quicker than going up the tree, but would catch the most common case of having lots of hosts defined in a domain, any of which could be used for 'spoofing'. It would only be needed in the (hopefully, rare) case of having to fall back to the 'A' record.

Checking for the TXT record would be slower than not doing so, but would be a lot more efficient than attempting to connect to a non-existent mail server at the A record.
> I do agree that it would have been really nice if the SMTP fallback
> from MX to A records had been deprecated and killed back in the 1980s.
> I tried to get RFC 5321 not to add fallback to AAAA but the powers
> that be insisted that it was already too late.

I wish it could be deprecated (but still required) now (i.e., you MAY just have an A record to indicate where mail is to be delivered, but you SHOULD have an MX record instead). That way if we came across an A record only, we would have a stronger argument for persuading domain admins to add MX records. Currently some say 'well, the standards say it's OK, so we're not changing anything'.

It could be worth logging how many times we have to fall back to an A/AAAA record AND the delivery succeeds. I may have a go at that myself.

--

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
_______________________________________________
Asrg mailing list
Asrg@irtf.org
http://www.irtf.org/mailman/listinfo/asrg
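As an added illustration of the "direct parent" check Paul Smith sketches above (this is example code written for this page, not code from the thread or from any SPF implementation): the receiver first looks for an MX record; only when it would otherwise fall back to an A/AAAA record does it consult the direct parent's TXT record for an "mx only" marker. The DNS data is a constructed in-memory table so the example runs offline, and the `mxonly` token, the `FAKE_DNS` zone contents and the function names are all hypothetical choices made here, not anything the post or any standard defines.

```python
from collections import Counter

# Constructed DNS data for the example: name -> record type -> values.
# Hypothetical; none of these records exist in the real DNS.
FAKE_DNS = {
    "twitter.com": {
        "MX": ["mail.twitter.com."],
        "A": ["192.0.2.1"],
        "TXT": ["v=example mxonly"],   # hypothetical "mx only" marker
    },
    "mail.twitter.com": {"A": ["192.0.2.1"]},
    "bibble.twitter.com": {"A": ["192.0.2.10"]},   # a host, not a mail domain
    "example.org": {"A": ["192.0.2.20"]},           # legacy A-only mail domain
    "other.example.org": {"A": ["192.0.2.21"]},     # parent has no marker
}

# Hypothetical token standing in for the post's "'mx only' (or some such)".
MX_ONLY_TOKEN = "mxonly"


def lookup(name, rtype, dns=FAKE_DNS):
    """Return the values of record type rtype at name (empty if none)."""
    return dns.get(name, {}).get(rtype, [])


def parent_of(name):
    """Direct parent label of a dotted name, or None at the top."""
    parts = name.split(".", 1)
    return parts[1] if len(parts) == 2 else None


def check_mail_domain(domain, dns=FAKE_DNS):
    """Classify a sender domain as in the proposed scheme.

    Returns (verdict, fell_back):
      "mx"                 - MX record present, accept as a mail domain
      "nonexistent"        - no MX, A or AAAA: the domain does not exist
      "rejected-by-parent" - A/AAAA only, and the direct parent's TXT says mx-only
      "a-fallback"         - A/AAAA only, parent is silent: legacy fallback applies
    fell_back is True whenever the A/AAAA fallback path was reached, which is
    the event the post suggests counting.
    """
    if lookup(domain, "MX", dns):
        return "mx", False
    if not (lookup(domain, "A", dns) or lookup(domain, "AAAA", dns)):
        return "nonexistent", False
    # Only the (hopefully rare) fallback case pays for the extra TXT query,
    # and only the direct parent is consulted, never the whole tree upward.
    parent = parent_of(domain)
    if parent is not None:
        for txt in lookup(parent, "TXT", dns):
            if MX_ONLY_TOKEN in txt.lower().split():
                return "rejected-by-parent", True
    return "a-fallback", True


def tally(domains, dns=FAKE_DNS):
    """Count verdicts over a batch of sender domains, the kind of figure the
    post proposes logging to see how often the A/AAAA fallback is really used."""
    counts = Counter()
    for d in domains:
        verdict, _ = check_mail_domain(d, dns)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for d in ["twitter.com", "bibble.twitter.com", "other.example.org",
              "example.org", "nope.twitter.com"]:
        print(d, check_mail_domain(d))
    print(tally(["twitter.com", "bibble.twitter.com", "example.org"]))
```

Two points a deployment would have to settle that the post leaves open: `parent_of` walks one label up regardless of what the parent is, so for a two-label domain the "parent" is a top-level domain and a real implementation would stop at the public-suffix boundary; and the check rejects only on an explicit parent marker, so an A-only domain whose parent says nothing keeps today's fallback behaviour, which is what makes the scheme backwards compatible.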