ietf-clear

[clear] Comparing CSV and SPF

2005-04-04 08:31:05
On Mon, 2005-04-04 at 09:59 -0700, David MacQuigg wrote:
> Hello, I just came from the SPF camp.  Please don't shoot me. :>)  I'm not
> an SPF advocate.  I'm an electronic design engineer hoping to find some way
> to help solve the problems with email authentication.
>
> I really like the way CSV avoids all the complexity in SPF.  I'm puzzled,
> however, as to why you chose SRV records instead of a free-format TXT.  As
> I understand it, this limits you to authorizing just one or a few
> servers.  This seems like the opposite extreme from SPF.
>
> Why not have one query produce a short list of IP blocks that are
> authorized to act as mail servers for a domain?  Then even a huge domain
> like rr.com could give you hundreds of authorized IP servers in one
> cacheable record.
>
> For example, to specify 6 blocks of 170 IPs each and 5 blocks of 4 IPs each
> you might have a string like:

The SRV record does not require the administrator to enter any address
whatsoever.  SRV records are strictly name based associations.  This
also ensures only a single DNS lookup is needed to resolve the
authorization and authentication associated with the SMTP client's
connection.  This simplifies the maintenance of these records, and
lowers the risk of publication error.

This SRV record, used in conjunction with a reputation service, may
provide DoS protections.  SPF, for example, requires more than one
hundred DNS lookups, as a minimum, to ensure all clients that may send
from a particular domain can be resolved.  Rather than retaining just a
manually generated address listing (which is error prone), SPF has opted
to extend the number of queries to allow references by name for specific
clients.  SRV already provides this name based reference feature.

The use of the SRV record avoids complexity by keeping within the
designed scale of DNS by attempting to only resolve the client
associated with the HELO, rather than answer a much more expansive (and
impossible) question regarding all the possible clients that send a
specific mailbox-domain.

-Doug
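The check Doug describes, a HELO name resolved through one SRV lookup and compared against the connecting address, as an added example that is not code from this thread or from the CSV project. The record layout (SRV at `_client._smtp.<helo>`, weight 2 or 3 meaning authorized, 1 meaning explicitly not) follows my reading of the CSV/CSA draft; the zone contents, host names and client addresses are constructed.

```python
"""CSV-style HELO authorization check against an in-memory DNS stub.

Added example, not code from the ietf-clear thread. Record layout follows
my reading of the CSV/CSA draft (SRV at _client._smtp.<helo>; weight 2/3 =
authorized, 1 = explicitly not); zone data and client addresses are constructed.
"""
from ipaddress import ip_address

# Constructed zone. Each SRV answer carries the target's A records in the
# additional section, as RFC 2782 recommends, so one round-trip suffices.
ZONE = {
    "_client._smtp.mta.example.org.": {
        "srv": [(1, 2, 25, "mta.example.org.")],        # weight 2: authorized
        "additional": {"mta.example.org.": ["192.0.2.10", "192.0.2.11"]},
    },
    "_client._smtp.relay.example.org.": {
        "srv": [(1, 1, 25, "relay.example.org.")],      # weight 1: not authorized
        "additional": {"relay.example.org.": ["192.0.2.50"]},
    },
}

class StubResolver:
    """Counts round-trips so the single-lookup property can be observed."""
    def __init__(self):
        self.round_trips = 0

    def srv(self, name):
        self.round_trips += 1
        return ZONE.get(name.lower(), {"srv": [], "additional": {}})

def csv_check(helo, client_ip, resolver):
    """Return 'pass', 'fail' or 'none' for a HELO name and connecting IP."""
    answer = resolver.srv(f"_client._smtp.{helo.rstrip('.')}.")
    if not answer["srv"]:
        return "none"                 # domain publishes no CSV data at all
    client = ip_address(client_ip)
    for _prio, weight, _port, target in answer["srv"]:
        if weight < 2:
            continue                  # domain explicitly refuses this host
        addrs = answer["additional"].get(target, [])
        if any(ip_address(a) == client for a in addrs):
            return "pass"
    return "fail"                     # data published, client not among targets

if __name__ == "__main__":
    r = StubResolver()
    print(csv_check("mta.example.org", "192.0.2.11", r), r.round_trips)  # pass 1
    print(csv_check("mta.example.org", "198.51.100.9", r))                # fail
    print(csv_check("relay.example.org", "192.0.2.50", r))                # fail
    print(csv_check("unknown.example.com", "192.0.2.10", r))             # none
```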
