spf-discuss

Re: SPF reporting mechanism: email restrictions

2003-10-26 11:40:26
On Sun, 2003-10-26 at 08:44, Meng Weng Wong wrote:
On Sun, Oct 26, 2003 at 07:37:21AM -0800, Richard Pitt wrote:
| > I don't think that this would be helpful.  In the situation where an
| > organization has their email provider outsourced, the email hosting provider
| > would probably want to be the one to receive the messages and would likely
| > want to have a single inbox for all such reports.  For them to have a
| > mailbox in each of their client's domains would not be likely or efficient.
| > 
| I agree - but you might want to limit the address to that of the DNS
| host domain (since they have control over the DNS to some extent) as
| well as the actual recipient domain.
| 
| I expect the reverse on the DNS address would be what to check.

could you guys expand on this a little?  i would like to add flexibility
without opening the door to a DDOS.


The party that hosts the DNS in many cases also hosts the MTA. In our
case, we host several hundred domains' DNS services and also their mail
routing via EXIM with an LDAP backend.

The complication is that some (many) of them have DHCP addresses from
their access provider so can't easily (we don't at this time offer
dynamic DNS) route outgoing via us.

But we still host their DNS - so we have to put in SPF records that show
something.

The DNS hosts for all of these customers are our servers - and the
reverse shows them as in our domain - so reports on problems that can be
fixed by changes to the DNS could/should go to us as well as to some
address in the domain itself.
        # whois pacdat.net
          Domain servers in listed order:

        NS1.FIREPLUG.NET                             204.174.19.22     
        NS2.FIREPLUG.NET                             204.174.31.65     

        # nslookup 204.174.19.22

        Non-authoritative answer:
        22.19.174.204.in-addr.arpa      name = ns1.belcarra.com.
(note the discrepancy is due to a change in company name that is ongoing
- either fireplug.net or belcarra.com will get to the same place at this
time ;)

Hive off the "ns1" and you have belcarra.com - look up that one for its
SPF record and send the report there if a flag in the SPF record in DNS
for the customer domain says to do it.

The problem with doing this by default is that many DNS hosts DON'T
themselves look after the actual DNS records - they let the customer do
it (register.com and tucows for examples) - so they don't want to hear
about problems. We have several MTA customers whose DNS is hosted by
register.com for example.

So... you probably should restrict the notice to the domain and
optionally, after checking the reverse on their DNS addresses, to their
DNS hosts (and there actually could be several if they have secondaries
on other ISPs' networks).

richard


-- 
-
Richard C. Pitt                 Pacific Data Capture
richard(_at_)pacdat(_dot_)net           604-644-9265
http://richard.pacdat.net       www.pacdat.net
PGP Fingerprint: FCEF 167D 151B 64C4 3333  57F0 4F18 AF98 9F59 DD73
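The restriction Richard describes above (reports to the domain itself, and to its DNS hosts only when the customer's SPF record opts in, with the host domain taken from the reverse record of each name-server address), worked through as an added example that is not from the post or the SPF project. The "report-to-dns-host" flag name, the example-isp.net secondary and the customer.example domain are assumptions; the pacdat.net name-server and reverse values are the ones shown in the post.

```python
# Added example (not from the post or the SPF project): decide where an SPF
# problem report for a customer domain may be sent, following Richard's
# proposal. The "report-to-dns-host" flag and the resolver data are
# constructed; the pacdat.net NS and reverse values are the ones in the post.
# A resolver is a dict of tables so the example runs offline:
#   ns: domain -> NS hostnames, a: hostname -> IPv4, ptr: IPv4 -> reverse
#   name, txt: domain -> SPF TXT record.

def parent_domain(hostname):
    """Hive off the host label: 'ns1.belcarra.com.' -> 'belcarra.com'."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[1:] if len(labels) > 2 else labels)

def dns_host_domains(domain, r):
    """Domains of the servers hosting `domain`'s DNS, found via the reverse
    record of each NS address; several if secondaries sit at other ISPs."""
    found = set()
    for ns_host in r["ns"].get(domain, []):
        rev = r["ptr"].get(r["a"].get(ns_host.lower(), ""))
        if rev:
            found.add(parent_domain(rev))
    return found

def allowed_report_domains(domain, r, flag="report-to-dns-host"):
    """The domain itself always; its DNS hosts only when the customer's own
    SPF record opts in, so registrars that never touch the records are not
    flooded by default."""
    allowed = {domain.lower()}
    if flag in r["txt"].get(domain, "").split():
        allowed |= dns_host_domains(domain, r)
    return allowed

def report_address_permitted(address, domain, r):
    """True if the report address lies in a domain allowed for `domain`."""
    return address.rpartition("@")[2].lower() in allowed_report_domains(domain, r)

# Constructed tables: the secondary at example-isp.net is invented to show a
# second DNS host; customer.example stands for a domain hosted at a registrar.
RESOLVER = {
    "ns": {"pacdat.net": ["NS1.FIREPLUG.NET", "ns.example-isp.net"],
           "customer.example": ["ns1.registrar.example"]},
    "a": {"ns1.fireplug.net": "204.174.19.22", "ns.example-isp.net": "192.0.2.53"},
    "ptr": {"204.174.19.22": "ns1.belcarra.com.",
            "192.0.2.53": "ns.example-isp.net."},
    "txt": {"pacdat.net": "v=spf1 mx -all report-to-dns-host",
            "customer.example": "v=spf1 mx -all"},
}
```

With these tables, reports for pacdat.net may go to pacdat.net, belcarra.com or example-isp.net, while customer.example (no flag) only ever accepts addresses in its own domain.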

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.txt