
[ietf-clear] Re: Make CSV backwards compatible with legacy SPF records?

2004-11-19 09:39:36
On Thu, 2004-11-18 at 18:24, Miles Libbey wrote:
> Douglas Otis wrote:
>
>> Providing an identifier for a machine is a different function than an
>> identifier for a mailbox-domain.  Even mapping these identifiers from
>> the machine to the mailbox-domain is a challenge.  AOL adds two
>> sub-domains to the root domain, as an example.  Finding the zone-cut
>> becomes a factor when even attempting to trace accountable entities.
>> One cannot rely upon a wild-card SPF record, as these are intended to
>> provide a denial that the label is valid for a mailbox-domain. :(
>
> So the problem is that in HELO web101.mail.yahoo.com, it's
> hard/impossible to determine that we should look up yahoo.com?

For the moment, assume finding the entity accountable for any DNS record
is easy.  (It is not, of course.)

SPF is a record that authorizes the sending of mail.  Dave Crocker calls
this Path Registration.  This authorization is required per the SPF
protocol, but this authorization does not imply the administrator is
accountable for the operation and security of the SMTP client specified
by way of an address within some SPF record.

Groping around for some other record also implies that the HELO-domain
could not be directly authenticated.  This authentication is vital. 
Again, the SPF record is not about authentication, it is about
authorization.  You can't get there from here.

-Doug