On 09/10/2013 01:39 PM, Murray S. Kucherawy wrote:
Hi Patrik,
On Tue, Sep 10, 2013 at 4:04 AM, Patrik Fältström <paf(_at_)frobbit(_dot_)se
<mailto:paf(_at_)frobbit(_dot_)se>> wrote:
What we did look at was first of all every query for an MX
resource record. Then we look at +/-1 second from the timestamp of
that MX query for TXT and/or SPF record for the same owner. We
draw the conclusion that if there is a query for an MX record, and
then either TXT or SPF (or both) within the approximately same
timespan, then they are related queries.
I'm not sure that's a valid conclusion. Since MX is needed only for a
sending system, a receiving system doing an SPF check of either type
has no reason to query for MX. The exception to this might be a
heuristic check to see if the domain in the MAIL FROM has MX or A
published such that a reply appears to be possible, but I wouldn't
expect a strong correlation in your data.
Well, if the TXT/SPF query precedes the MX query (so the case '-1
second' of the '+/-1 second' described by Patrik) it might indicate an
SPF record which includes an mx mechanism. In that case the queries are
related.
/rolf