--Ted Hardie <hardie(_at_)qualcomm(_dot_)com> wrote:
> At 8:25 AM -0700 05/19/2004, Hallam-Baker, Phillip wrote:
>> Why would we use a wildcard?
> Possibly to say that no valid email would be emitted from subdomains?
> For example, if someone forged using the subdomain techsupport.example.com
> where example.com does not use subdomains of example.com, a query to
> _spf.techsupport.example.com would likely return no records.
Agreed. To add to what Ted wrote: we have a few factors to deal with -- we
probably don't need to get into discussing the details of these but we
should be aware of them. (In other words, I'm not saying wildcards are a
hard/fast requirement, I'm just saying I don't want to take them off the
table *yet*)
1. If no MX exists, mailers fall back to A. So if www.example.com is a web
server, there's no easy way to tell if mail(_at_)www(_dot_)example(_dot_)com is valid.
2. The "inheritance" of marid records is not clear. If there is no record
for www.example.com, we might want to fall back to example.com... but if
there is no record for demon.co.uk we would NOT want to fall back to co.uk.
Figuring out where a subdomain splits into different ownership is not
trivial. The only way to be 100% accurate is to look up the domain in
question ONLY and not walk up the tree. (We may decide that some level of
inheritance is desired but we should do so very carefully... Not crossing
an SOA boundary might be a good compromise)
3. Any site that has a wildcard A record or wildcard MX record MAY want a
wildcard LMAP record as well. Even if inheritance is sorted out, they may
want the policy to be different for *.example.com and example.com.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
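The three lookup strategies Greg contrasts (exact name only, walking up the tree, and walking up but stopping at an SOA boundary) and the wildcard case Ted describes can be made concrete with a toy resolver. This is an added example and not code from the thread or from any MARID/SPF implementation; the zone data is constructed, "policy" stands in for whatever sender-policy record is published at a name, and wildcard matching is a simplified form of the RFC 1034 rule (a wildcard at "*.parent" matches only when no closer name exists).

```python
# Added example: a toy policy resolver over constructed zone data, showing how
# exact lookup, naive walk-up, SOA-bounded walk-up and wildcard matching differ.
from typing import Dict, Optional

# Constructed sample data (not real DNS). "soa" marks a zone apex, i.e. the
# name that owns its own authority; "policy" is the sender-policy text at the
# name, or None when the name exists (e.g. only an A record) but publishes none.
ZONES: Dict[str, Dict[str, Optional[str]]] = {
    "co.uk":            {"soa": "co.uk",       "policy": "v=spf1 -all"},
    "demon.co.uk":      {"soa": "demon.co.uk", "policy": None},
    "example.com":      {"soa": "example.com", "policy": "v=spf1 mx -all"},
    "*.example.com":    {"soa": None,          "policy": "v=spf1 -all"},
    "www.example.com":  {"soa": None,          "policy": None},  # web host, A only
    "mail.example.com": {"soa": None,          "policy": "v=spf1 a -all"},
}


def parent(name: str) -> Optional[str]:
    """Strip the leftmost label; None once the tree has been exhausted."""
    _, _, rest = name.partition(".")
    return rest or None


def exact_lookup(name: str) -> Optional[str]:
    """Strategy 1: only the queried name counts. No walking, no wildcard."""
    rec = ZONES.get(name)
    return rec["policy"] if rec else None


def lookup_with_wildcard(name: str) -> Optional[str]:
    """Exact name first. If the name does not exist at all, a wildcard at the
    nearest enclosing name applies (simplified RFC 1034 closest-encloser rule:
    an existing intermediate name without its own wildcard blocks the match)."""
    if name in ZONES:
        return ZONES[name]["policy"]
    enclosing = parent(name)
    while enclosing:
        wildcard = ZONES.get("*." + enclosing)
        if wildcard:
            return wildcard["policy"]
        if enclosing in ZONES:  # closer encloser exists, so no wildcard match
            break
        enclosing = parent(enclosing)
    return None


def lookup_walk_up(name: str, stop_at_soa: bool) -> Optional[str]:
    """Strategies 2 and 3: walk up the tree until some policy is found.
    With stop_at_soa=True the walk ends after the first name carrying an SOA
    (the zone apex), so demon.co.uk can never inherit a policy from co.uk."""
    current = name
    while current:
        policy = lookup_with_wildcard(current)
        if policy is not None:
            return policy
        rec = ZONES.get(current)
        if stop_at_soa and rec and rec["soa"]:
            return None  # reached our own zone apex; do not cross into the parent
        current = parent(current)
    return None


if __name__ == "__main__":
    for host in ("www.example.com", "techsupport.example.com", "demon.co.uk"):
        print(host,
              "exact:", exact_lookup(host),
              "soa-bounded:", lookup_walk_up(host, stop_at_soa=True),
              "naive:", lookup_walk_up(host, stop_at_soa=False))
```

Running it shows the cases from the thread: www.example.com has no policy of its own, so only a walk-up reaches the example.com record; techsupport.example.com does not exist, so the wildcard's "-all" answers for it; and demon.co.uk returns nothing under the SOA-bounded walk but picks up co.uk's policy under the naive walk, which is the inheritance mistake Greg warns about.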