ietf-dkim

[ietf-dkim] Re: New issue: Upward query vs. wildcard publication

2007-04-18 10:27:54
Eliot Lear wrote:

> I prefer Option 3.5:
> Publish a record at the zone level.

For SPF that option was rejected by Paul Vixie:
<http://www.ops.ietf.org/lists/namedroppers/namedroppers.2005/msg00049.html>

After that discussion the "zone cut" idea published
in some SPF drafts was removed again, and RFC 4408
works without it.  For SPF that's no big issue:

Mail claiming to be "mail from foo@bar.example.org"
can be directly rejected (without any SPF magic),
if the domain bar.example.org has no MX and no IP.

Likewise a forged EHLO bar.example.org trying to
send bounces (= empty reverse path) won't survive
modest plausibility checks by a server.

In other words the owner of example.org can ignore
all bogus subdomains like bar.example.org wrt SPF:

Receivers could anyway reject all "mail from" these
constructs.  If they accept the spam and later try
to bounce it this won't work because there's no MX
and no IP.  Smart spammers know this and won't try
to abuse such subdomains, unless they have "better"
reasons to ignore "call back verification" issues.

But for SSP the same reasoning might fail miserably,
because DKIM isn't about "good" vs. "bad" bounces.

Frank
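
The receiver-side plausibility check described in the message above, as an added example that is not part of the original post. The DNS data, the function names and the choice to apply the same "MX or IP" test to the EHLO name of a bounce are assumptions made for illustration.

```python
# Constructed DNS data for illustration: (name, rrtype) -> records.
# bar.example.org is deliberately absent: it has no MX and no IP.
ZONE = {
    ("example.org", "MX"): ["10 mx.example.org"],
    ("mx.example.org", "A"): ["192.0.2.25"],
    ("www.example.org", "A"): ["192.0.2.80"],  # host with an IP but no MX
}


def lookup(name, rrtype, zone=ZONE):
    """Stand-in for a resolver query; returns [] when no record exists."""
    return zone.get((name.lower().rstrip("."), rrtype), [])


def has_mx_or_ip(domain, zone=ZONE):
    """True if the domain has an MX record or, failing that, an A/AAAA record."""
    if lookup(domain, "MX", zone):
        return True
    return bool(lookup(domain, "A", zone) or lookup(domain, "AAAA", zone))


def check_envelope(ehlo, mail_from, zone=ZONE):
    """Return (accept, reason) for one SMTP envelope.

    mail_from is the reverse path without angle brackets; the empty
    string is the empty reverse path used for bounces.
    """
    if mail_from == "":
        # Bounce: no reverse-path domain to test, so test the EHLO name
        # instead (assumption: same "MX or IP" rule as for MAIL FROM).
        if not has_mx_or_ip(ehlo, zone):
            return False, "EHLO name %s has no MX and no IP" % ehlo
        return True, "bounce from resolvable EHLO name"
    local, at, domain = mail_from.rpartition("@")
    if not at or not local or not domain:
        return False, "malformed reverse path"
    if not has_mx_or_ip(domain, zone):
        # A later bounce to this address could never be delivered.
        return False, "MAIL FROM domain %s has no MX and no IP" % domain
    return True, "MAIL FROM domain can receive bounces"


if __name__ == "__main__":
    for ehlo, sender in [("mx.example.org", "foo@example.org"),
                         ("mx.example.org", "foo@bar.example.org"),
                         ("bar.example.org", "")]:
        print(repr(ehlo), repr(sender), check_envelope(ehlo, sender))
```

None of these checks involves SPF or a policy record, which is why the owner of example.org does not have to publish anything for bar.example.org to get this rejection.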

