On Thu, Jun 24, 2004 at 06:57:50AM -0700, william(at)elan.net wrote:
|
| For technical comment, I think it would be good if SPF had scope modifier
| where it could be set which identity (or more than one if necessary) is
| this record for. For example:
|
| v=spf1 id:mailfrom { ip4:192.168.0.1/16 } id:submitter { ip4:192.168.0.20/24 }
| v=spf1 id:mailfrom+submitter ip4:192.168.0.1/16 id:ehlo mx id:all -all
|
| This may possibly be as an operator that changes scope of the identity for
| record that follows to only cover certain specified identity type, if what
| is being verified is of different identity type, that data is ignored
| until another modifier is found that changes the scope back to either all
| or identity type that is wanted.

A macro to represent scope is probably cleaner than a scope modifier.

I want to state up front my assumption that most publishers
will never need to distinguish between scopes: most domains
should be able to simply set-join all the four scopes into a
single record, and apply local policy from there.

That is to say, if the policy for HELO names is

    v=spf1 A -all

and the policy for PRA names, if different, is

    v=spf1 B -all

the joint policy can be

    v=spf1 A B -all

However, if it really is important to distinguish the two,

    domain.com            v=spf1 redirect=%{scope}._spf.%{d}
    helo._spf.domain.com  v=spf1 A -all
    pra._spf.domain.com   v=spf1 B -all

This solution provides the desired functionality of "which
identity?" scoping.

In practice the %{scope} would really be a single character
not chosen yet.
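
Added example, not part of the original message or of any SPF implementation: a sketch of how a checker could resolve the %{scope} redirect proposed above for each identity, and how the set-join of two per-scope records is formed. The zone data is constructed from the records in the message; the function names, the scope strings "helo", "pra" and "mailfrom", and returning None for an unpublished scope are assumptions.

```python
import re

# Constructed zone data copying the records in the message above; "A" and "B"
# are the message's own stand-ins for real mechanism lists.
ZONE = {
    "domain.com": "v=spf1 redirect=%{scope}._spf.%{d}",
    "helo._spf.domain.com": "v=spf1 A -all",
    "pra._spf.domain.com": "v=spf1 B -all",
}
MACRO = re.compile(r"%\{(\w+)\}")

def expand(target, scope, domain):
    """Expand the proposed %{scope} macro and %{d} (current domain)."""
    values = {"scope": scope, "d": domain}
    def substitute(match):
        if match.group(1) not in values:
            raise ValueError("unsupported macro: " + match.group(0))
        return values[match.group(1)]
    return MACRO.sub(substitute, target)

def effective_policy(domain, scope, zone=ZONE, max_redirects=10):
    """Follow redirect= for one identity scope; None if nothing is published."""
    name = domain
    for _ in range(max_redirects):
        terms = zone.get(name, "").split()
        if not terms or terms[0] != "v=spf1":
            return None  # no record for this scope; the caller decides the result
        targets = [t[len("redirect="):] for t in terms if t.startswith("redirect=")]
        if not targets:
            return name, terms[1:]
        name = expand(targets[0], scope, name)
    raise RuntimeError("too many redirects")

def join_policies(records):
    """Set-join per-scope records that share one default into a single record."""
    mechanisms, defaults = [], set()
    for record in records:
        *body, default = record.split()[1:]
        defaults.add(default)
        mechanisms += [m for m in body if m not in mechanisms]
    if len(defaults) != 1:
        raise ValueError("records disagree on the default result")
    return " ".join(["v=spf1", *mechanisms, defaults.pop()])

if __name__ == "__main__":
    for scope in ("helo", "pra", "mailfrom"):
        print(scope, effective_policy("domain.com", scope))
    print(join_policies([ZONE["helo._spf.domain.com"], ZONE["pra._spf.domain.com"]]))
```

A scope with no record under _spf.domain.com, such as "mailfrom" here, resolves to nothing, so a publisher using the redirect form has to publish one record per scope that receivers will check.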