It seems that basing SPF on DNS is leading to a lot of little issues that
spin off in many different directions. Is it possible that DNS is just
not the right kind of transport for this kind of information?

Even if the issues with TXT are resolved, or a new RR type is created, or
you hijack some existing types, it's still going to be limited by the
technology. There's only so much that you can unambiguously fit into a
dotted.separator._foo.domain.tld system.

There must be some other ways to convey the same data which don't rely on
DNS. How about a text-based protocol like SMTP that sends the various
details to a designated server which then approves or rejects the request?
You could use an SRV record to specify which host(s) run the server.

I'm talking about something really simple here, along the lines of this
(someone on 1.2.3.4 is trying to send mail as
bogus@example.exploits.org):

S: auth.exploits.org server saying hello
C: MODE SMTP
S: -HOST
S: -FROM
S: Mode set to SMTP
C: SET HOST 1.2.3.4
S: Value accepted for HOST
C: SET FROM bogus@example.exploits.org
S: Value accepted for FROM
C: DECIDE
S: DENIED TTL=86400

Imagine the usual 2xx/5xx result codes in front of those server responses.
This method allows expansion by adding more possible "SET" values in the
future. It could support PGP keys, some kind of one-time passphrase
scheme, or whatever.

A daemon to handle these requests isn't hard to write. Most of the
complexity comes from implementing your own policy. If your policy is
simple like mine - one valid sender IP address for the whole domain -
then the code is trivial.

Is it really worth the trouble of trying to make this fit into DNS?

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.txt
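The MODE/SET/DECIDE exchange sketched in the post, worked through as a small stateful policy daemon with the "one valid sender IP for the whole domain" policy. This is an added example, not code from the post or from the SPF project; the policy table, the permitted address 10.0.0.25, the SMTP-style reply codes and the "ALLOWED" wording are assumptions, since the post only shows the DENIED case.

```python
"""Toy policy daemon for the MODE/SET/DECIDE exchange sketched in the post."""
import ipaddress

# One permitted sender IP per domain (the post's "simple policy"); values constructed.
POLICY = {"example.exploits.org": "10.0.0.25"}
DEFAULT_TTL = 86400


class PolicySession:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.mode = None
        self.values = {}

    def feed(self, line):
        """Handle one client line; return the server's reply lines (2xx/5xx codes assumed)."""
        parts = line.strip().split(None, 2)
        cmd = parts[0].upper() if parts else ""
        if cmd == "MODE":
            if len(parts) != 2 or parts[1].upper() != "SMTP":
                return ["504 Unsupported mode"]
            self.mode = "SMTP"
            # Multi-line reply advertising the SET names this mode accepts.
            return ["250-HOST", "250-FROM", "250 Mode set to SMTP"]
        if self.mode is None:
            return ["503 Set a MODE first"]
        if cmd == "SET" and len(parts) == 3:
            name, value = parts[1].upper(), parts[2]
            if name == "HOST":
                try:
                    ipaddress.ip_address(value)  # reject garbage before storing it
                except ValueError:
                    return ["501 HOST must be an IP address"]
            elif name != "FROM" or value.count("@") != 1:
                return ["504 Unknown SET name or malformed FROM"]
            self.values[name] = value
            return [f"250 Value accepted for {name}"]
        if cmd == "DECIDE":
            if "HOST" not in self.values or "FROM" not in self.values:
                return ["503 HOST and FROM must be set before DECIDE"]
            domain = self.values["FROM"].split("@")[1].lower()
            # Unknown domains have no permitted sender, so they are denied too.
            if self.values["HOST"] == self.policy.get(domain):
                return [f"250 ALLOWED TTL={DEFAULT_TTL}"]
            return [f"550 DENIED TTL={DEFAULT_TTL}"]
        return ["500 Unknown command"]


def run_session(client_lines, policy=POLICY):
    """Replay a client transcript and return every server reply line in order."""
    session = PolicySession(policy)
    return [reply for line in client_lines for reply in session.feed(line)]
```

Feeding the post's transcript (`MODE SMTP`, `SET HOST 1.2.3.4`, `SET FROM bogus@example.exploits.org`, `DECIDE`) to `run_session` ends with `550 DENIED TTL=86400`, because 1.2.3.4 is not the domain's permitted sender.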