There has been quite a bit of discussion here about either removing
scopes or allowing some sort of universal or wildcard scope.
I would not support such a concept because it lessens the strength of
what a domain is saying by publishing records. In particular, if a
domain were to publish (making up a syntax...):
example.com. IN A SPF2 "spf2.0/* +mx +a -all"
We have to wonder what this record says. It authorizes a set of hosts
to use the domain "example.com" as part of which identities in mail?
All of them? Including identities that we haven't named a scope for
yet?
I certainly wouldn't publish such a record for my domain, as I don't
know what I'm making such an assertion about. While I might be willing
to believe that the "+mx" and "+a" directives are going to be
reasonable for any such identity (after all, the referenced machines
are ones I presumably have control of), I can't make such a statement
about "-all". I don't know that there might be some notion of identity,
as yet undefined, for which I'd need to include other hosts.
While other site owners might be willing to take such risks and publish
such records, the ability to do so lessens the effectiveness of the
whole scheme. If domains are able to make claims like "We didn't know
about that identity check when we published "spf2.0/*" - you can't ding
our reputation based on that check." or " - you can't reject mail that
doesn't pass", it means that the whole scheme is diminished.
In short, when we say "domains authorized the use of identity X by
publishing an SPF record" we do so because we are going to hold them
accountable if the authorization passes, and reject if it fails. And
for those actions to have any force, the declaration of authorization
has to be incontestable.
- Mark
Mark Lentczner
http://www.ozonehouse.com/mark/
markl(_at_)glyphic(_dot_)com
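To make the objection concrete, here is an added illustration (not code from the post, the working group, or any Sender ID implementation) of what a checker would do with an explicit scope list versus the hypothetical "spf2.0/*" wildcard. The scope names "mfrom" and "pra" are the ones Sender ID defines; the wildcard "*" and the future scope "newid" are assumptions taken from the post's made-up syntax, and the `allow_wildcard` switch is this example's own way of expressing the position that such records should be refused rather than honoured.

```python
import re
from dataclasses import dataclass

# Scopes that Sender ID defines for spf2.0 records.  A publisher writing a
# record today knows only these.
KNOWN_SCOPES = frozenset({"mfrom", "pra"})

# Hypothetical wildcard scope: the made-up syntax from the post, not a
# defined part of any spf2.0 record.
WILDCARD = "*"

_RECORD_RE = re.compile(r"^spf2\.0/([A-Za-z0-9,*]+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class ScopedRecord:
    scopes: frozenset   # scopes named by the publisher, or {"*"}
    terms: tuple        # mechanism terms as written, e.g. ("+mx", "+a", "-all")

    def applies_to(self, scope):
        """True if the publisher's record makes an assertion about `scope`."""
        return WILDCARD in self.scopes or scope in self.scopes


def parse_record(text, allow_wildcard=True):
    """Parse 'spf2.0/<scope>[,<scope>...] <terms>'.

    With allow_wildcard=False the parser takes the position argued in the
    post: a record claiming every scope, including ones not yet defined,
    is rejected rather than honoured."""
    m = _RECORD_RE.match(text.strip())
    if not m:
        raise ValueError("not an spf2.0 record: %r" % text)
    scopes = frozenset(s for s in m.group(1).split(",") if s)
    if not scopes:
        raise ValueError("record names no scope: %r" % text)
    if WILDCARD in scopes and not allow_wildcard:
        raise ValueError("wildcard scope not accepted: %r" % text)
    return ScopedRecord(scopes, tuple((m.group(2) or "").split()))


def assertion_for(record, scope):
    """The terms the publisher asserted for `scope`, or None if the record
    is silent about that scope (so a checker has no authorization to act on)."""
    return record.terms if record.applies_to(scope) else None


def unanticipated_scopes(record, scopes_checked):
    """Scopes a checker applies the record to that did not exist when the
    publisher wrote it.  Only a wildcard record can be stretched this way:
    an explicit list commits the publisher to nothing it did not name."""
    if WILDCARD not in record.scopes:
        return frozenset()
    return frozenset(scopes_checked) - KNOWN_SCOPES


if __name__ == "__main__":
    # Constructed sample records, modelled on the post's example.
    explicit = parse_record("spf2.0/mfrom,pra +mx +a -all")
    wildcard = parse_record("spf2.0/* +mx +a -all")
    # "newid" stands in for an identity check defined after publication.
    for scope in ("mfrom", "pra", "newid"):
        print(scope, assertion_for(explicit, scope), assertion_for(wildcard, scope))
    print(unanticipated_scopes(wildcard, {"mfrom", "pra", "newid"}))
```

Run stand-alone, the explicit record yields no assertion for "newid" (the checker has nothing to hold the domain to), while the wildcard record hands the checker a "-all" for an identity the publisher never evaluated; `unanticipated_scopes` names exactly that gap, which is the contestable part of the declaration the post warns about.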