I've already commented that if RIRs consider it too much of an issue to
add a new record into the INADDR tree, we have an easy way out by checking
some type of MARID record for the corresponding PTR DNS name. Currently major
ISPs (like AOL) already require a valid PTR record for connecting hosts,
and handling of PTR delegations is fairly well understood and documented
by several RFCs.
I've talked about this with Meng and he included the info in the unified SPF
framework/proposal (please write that proposal up in clearer text
than just an online presentation). The only issue I had is that
unified SPF did not provide syntax to delimit PTR-only authorization
records from other types of SPF record, which requires an identity scope
modifier, and I think that was proposed as a type of macro (although that
would only be of use for redirects, right?).
I do additionally note on the identity scope issue that the number of identities
is likely to remain rather small. If you consider something other than a
macro and at the same time want to keep SPF syntax small, then one
modifier prefix symbol + one identity letter (i.e. two symbols) should
be enough to add this info and not require multiple DNS lookups. For
example, let's say $ is a prefix symbol and identity symbols are:
m = envelope mail from, e = ehlo, p = ptr, s = submitter (rfc822 from)
Then SPF syntax to use them might be:
v=spf2 $sm?a/24 $p+ip4:192.168.0.0/16 $e+ptr $p~all -all
(note $sm means it applies to both submitter and mail from)
Additionally, I think scoping in general might be useful. Could use "<"
and ">" for that (maybe something else...), so here is another example:
v=spf2 $sm<a/24 mx> $p<ip:192.168.0.0/16 ~all> $e+ptr -all
---
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
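The two records above are a proposed syntax, not a standard, so there is no published parser for them. As an added example (not part of the original post, and not anything from the unified SPF work), here is a small Python parser and evaluator for the sketched "$" identity prefix and "<...>" grouping, using the post's letters m/e/p/s. The function names, the `Term` type and the `RESOLVER` table standing in for DNS answers are all assumptions made for illustration; only ip4:/ip: and all are evaluated for real, while a/mx/ptr are looked up in the constructed table so the code runs offline.

```python
# Added example (not from the post): parser/evaluator for the scoped SPF
# syntax sketched in the message. The "$<identity letters>" prefix and the
# "<...>" grouping are the post's own proposal, never a standard. Names,
# signatures and the RESOLVER table below are assumptions for illustration.
import ipaddress
import re
from dataclasses import dataclass

# Identity letters from the post: m = MAIL FROM, e = EHLO, p = PTR, s = submitter.
IDENTITIES = frozenset("meps")
QUALIFIERS = "+-~?"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The two records from the post.
EXAMPLE_1 = "v=spf2 $sm?a/24 $p+ip4:192.168.0.0/16 $e+ptr $p~all -all"
EXAMPLE_2 = "v=spf2 $sm<a/24 mx> $p<ip:192.168.0.0/16 ~all> $e+ptr -all"

# Constructed stand-in for DNS answers (documentation-range addresses).
RESOLVER = {"a": ["203.0.113.10"], "mx": ["203.0.113.25"], "ptr": ["198.51.100.7"]}


@dataclass(frozen=True)
class Term:
    scope: frozenset   # identity letters the term applies to
    qualifier: str     # one of "+-~?"
    mechanism: str     # e.g. "a/24", "ip4:192.168.0.0/16", "all"


# Identity letters run to the first non-identity character, so an unqualified
# mechanism starting with m/e/p/s (such as "mx") needs an explicit "+" after
# the prefix ("$s+mx"); the post's own examples all carry a qualifier or "<".
_PREFIX = re.compile(r"^\$([meps]+)(.*)$")


def _split_qualifier(tok):
    if tok and tok[0] in QUALIFIERS:
        return tok[0], tok[1:]
    return "+", tok


def parse_scoped_spf(record):
    """Turn a 'v=spf2 ...' record into scoped terms. Unprefixed terms apply to
    every identity. Scope selection is purely lexical, which is the post's
    point: choosing the terms for one identity costs no extra DNS lookups."""
    tokens = record.split()
    if not tokens or tokens[0] != "v=spf2":
        raise ValueError("record must start with v=spf2")
    terms, i = [], 1
    while i < len(tokens):
        tok, scope = tokens[i], IDENTITIES
        m = _PREFIX.match(tok)
        if m:
            scope, tok = frozenset(m.group(1)), m.group(2)
        if tok.startswith("<"):
            # Grouped form "$sm<a/24 mx>": gather tokens up to the closing '>'.
            group = [tok[1:]]
            while not group[-1].endswith(">"):
                i += 1
                if i >= len(tokens):
                    raise ValueError("unterminated '<' group")
                group.append(tokens[i])
            group[-1] = group[-1][:-1]
            body = [g for g in group if g]
        else:
            body = [tok]
        for t in body:
            qualifier, mech = _split_qualifier(t)
            if not mech:
                raise ValueError("empty mechanism in %r" % record)
            terms.append(Term(scope, qualifier, mech))
        i += 1
    return terms


def terms_for(terms, identity):
    """Select the terms that apply to one identity letter, in record order."""
    return [t for t in terms if identity in t.scope]


def _matches(mech, ip, resolver):
    """ip4:/ip: and all are evaluated directly; a, mx and ptr come from the
    caller-supplied resolver table (constructed data, no real DNS)."""
    name, _, arg = mech.partition(":")
    if name in ("ip4", "ip"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "all":
        return True
    base, _, cidr = name.partition("/")
    if base in ("a", "mx", "ptr"):
        prefix = int(cidr) if cidr else 32
        return any(ip in ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
                   for addr in resolver.get(base, ()))
    raise ValueError("unknown mechanism %r" % mech)


def check(record, identity, client_ip, resolver):
    """First matching term in the identity's scope decides, as in SPF."""
    ip = ipaddress.ip_address(client_ip)
    for t in terms_for(parse_scoped_spf(record), identity):
        if _matches(t.mechanism, ip, resolver):
            return RESULTS[t.qualifier]
    return "none"


if __name__ == "__main__":
    for ident in "meps":
        print(ident, check(EXAMPLE_1, ident, "10.0.0.1", RESOLVER),
              check(EXAMPLE_2, ident, "203.0.113.77", RESOLVER))
```

Note how the two spellings differ for the PTR identity: in the first record `$p~all` precedes the unscoped `-all`, so a non-matching PTR check yields softfail, while EHLO and MAIL FROM fall through to fail.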