ietf-dkim

Re: [ietf-dkim] New Issue: Applicability of SSP to subdomains

2006-12-10 07:09:18
The suggestion that SSP would fail if a domain doesn't have at least
one of MX, A, or AAAA (perhaps with intervening CNAMEs) is intriguing,
but it would have the effect of adding the same condition to RFC 821
or 2821 since SSP users would thereby decree such mail to be
undeliverable. ...

I'm not suggesting SSP fails, just that providing an SSP for non-existing 
domains is not a requirement.  If the domain doesn't exist, then SSP can say 
nothing either way.  It's outside the scope of this protocol.

One could regard this, potentially, as a gap in the protection (such
as it is, let's not argue that again) provided by SSP, but I think
non-existence of a domain is reason enough to be suspicious.

No need to argue, it's obvious that it's a gap.

We have now descended to the level of protocol design by winking and
nudging.  It is quite reasonable to reject mail from non-replyable
senders, for any definition of sender you want.  It would be a fine
change to 2821 and 2822 to say so.  But that is not what they say now.

I hope that it is a given that any proposed extension to Internet mail
has to be opt-in, that is, if senders or receivers don't implement it,
they continue to operate the way they always have.  But what you're
saying to recipients is that if you want to get the benefits of SSP,
wink wink nudge nudge, you might want to make this other change to
your SMTP implementation.

If SSP requires a change to SMTP, which is what you've been dancing
around, please say so directly.

But it occurs to me that even in the unlikely event that 2821 were
updated to tell people to reject non-replyable sending domains, it
still wouldn't make it possible for SSP to handle subdomains.  There
aren't a whole lot of DNS wildcards in the wild, but one of the few
places where they work reasonably well is with MX records.  (Two
actual applications are for the obsolescent sendmail setup that puts
the host name into the return address, e.g. mail from joe@example.com
comes from joe@hostN.example.com, and subaddresses baked into the
domain name, where you can write joe-sub@example.com as
sub@joe.example.com.)  If you have a wildcard MX, or for that matter a
wildcard A, there's no way to cover its names with a prefixed record
such as SSP.

So I guess that in the requirements we should add:

Bad guys MUST NOT use subdomains of domains that publish SSP, since
that will trivially defeat whatever it is that it does.

R's,
John
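
Added example, not part of the original message: a simplified RFC 4592-style wildcard lookup over a constructed zone, illustrating the wildcard MX point made in the message above. The zone contents, the `_ssp` prefix label and the function names are assumptions made for illustration.

```python
# Constructed zone data; "_ssp" is a hypothetical policy prefix label.
ZONE = {
    ("example.com", "MX"): "10 mail.example.com",
    ("*.example.com", "MX"): "10 mail.example.com",
    ("_ssp.example.com", "TXT"): "policy-for-example.com",
    # Attempt to cover subdomains with a prefix: "*" is only special
    # when it is the leftmost label, so this owner name is a literal.
    ("_ssp.*.example.com", "TXT"): "policy-for-subdomains",
}


def node_exists(zone, name):
    """A name exists if it owns a record or is an ancestor of an owner
    name (an empty non-terminal)."""
    return any(owner == name or owner.endswith("." + name)
               for owner, _rtype in zone)


def lookup(zone, qname, qtype):
    """Simplified wildcard resolution: an existing name answers for
    itself; otherwise the answer is synthesized from "*.<closest
    existing ancestor>". Returns the record data or None."""
    if node_exists(zone, qname):
        return zone.get((qname, qtype))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if node_exists(zone, encloser):
            return zone.get(("*." + encloser, qtype))
    return None


def receiver_view(zone, domain, prefix="_ssp"):
    """What a receiver learns about a sending domain: its MX and the
    policy record published under the prefix label."""
    return (lookup(zone, domain, "MX"),
            lookup(zone, prefix + "." + domain, "TXT"))


if __name__ == "__main__":
    for d in ("example.com", "host7.example.com", "joe.example.com"):
        mx, policy = receiver_view(ZONE, d)
        print(f"{d:20} MX={mx!r:24} policy={policy!r}")
```

Every name under the wildcard gets an MX answer, while the prefixed policy query for the same name returns nothing, and the `_ssp.*.example.com` record only answers a query for that literal owner name.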



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html