On Sun, Oct 26, 2003 at 02:32:09PM -0600, Phil Howard wrote:
|
| $ORIGIN domain.com.
| @ IN MX 1 mx
| mx IN A 192.0.2.1
| mx IN AAAA f:o:o:b:a:r:b:a or whatever?
|
Excellent. Does the IPv4 CIDR concept of 192.168.0.1/16 carry over to IPv6?
You see, SPF already has support for "ip4" and "ip6" mechanisms, but the
"ip6" mechanism needs more work. Also, I am adding CIDR /NN suffixes to
the "A" and "MX" mechanisms, and I am wondering if it would be
appropriate to specify both ip4 and ip6 networks using something like
/24//64 --- where the /24 applies to ipv4 and //64 to ipv6.
Check this out.
------------------------------------------------------------------------
3.1 MX
------------------------------------------------------------------------
Valid syntax:
- mx
- mx:example.com
- mx:example.com/24
- mx/24
- mx//64
If a host is an MX server for example.com, it is also designated to
send mail on behalf of example.com; this mechanism then returns "allow".
SPF clients perform an MX lookup on the provided domain. If no
domain is provided the <current-domain> is used. For each hostname
returned by the MX lookup, proceeding in order of priority, SPF
clients look up the A record for the hostname. If any of the IP
addresses returned by the lookup matches the client IP, this
mechanism matches.
If a <cidr-length> is provided following a slash, the client IP is
sought within the specified CIDR subnet of each A record returned.
Note that the same CIDR subnet range applies to each A record found;
if different cidr-lengths are appropriate to different hosts,
publishers SHOULD use the "ip4" notation.
A single slash denotes an IPv4 CIDR prefix length.
A double slash denotes an IPv6 CIDR prefix length.
3.1.1 Simple Example
"v=spf1 mx default=deny"
If the <current-domain> is example.com, the MX servers for example.com
are resolved.
3.1.2 Example with domain provided
"v=spf1 mx:example.org default=deny"
The MX servers for example.org are resolved instead of example.com.
3.1.3 Multiple MX mechanisms
"v=spf1 mx mx:example.org default=deny"
The MX servers for both example.com and example.org are resolved.
3.1.4 MX mechanisms with CIDR ranges
"v=spf1 mx/24 mx:example.org/24 default=deny"
The MX servers for both example.com and example.org are resolved. If
the client IP falls within any of their class C subnets, this
mechanism matches.
------------------------------------------------------------------------
3.2 A
------------------------------------------------------------------------
Valid syntax:
- a
- a:example.com
- a:example.com/24
- a/24
- a//64
- a:example.com//64
SPF clients perform an A lookup on the provided domain. (If the
connection is IPv6, clients perform an AAAA lookup.) If any of the
addresses returned by the lookup matches the client IP, this
mechanism matches.
If a <cidr-length> is provided following a slash, the client IP is
sought within the specified CIDR subnet of each A record returned.
Note that the same CIDR subnet range applies to each A record found;
if different cidr-lengths are appropriate to different hosts,
publishers SHOULD use the "ip4" notation.
A single slash denotes an IPv4 CIDR prefix length.
A double slash denotes an IPv6 CIDR prefix length.
3.2.1 Simple Example
"v=spf1 a default=deny exp=This is a test of SPF"
Given <current-domain> "example.com", an A lookup might return
192.0.2.1, 192.0.2.2, and 192.0.2.3. If the client IP is 192.0.2.2,
the mechanism matches. If the client IP is not one of those three,
the mechanism does not match.
3.2.2 Explicit Example
"v=spf1 a:example.org default=deny exp=This is a test of SPF"
An A lookup of example.org might return 192.0.2.1, 192.0.2.2, and
192.0.2.3. If the client IP is 192.0.2.10, the mechanism does not
match.
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.txt
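
Added example, not part of the original message or of the SPF draft: one way a client could parse the proposed /NN//NN dual suffix on "a" and "mx" and test a client IP against addresses that have already been resolved. The function names, the SAMPLE_DNS table, and the choice of /32 and /128 when a suffix is absent are assumptions made for illustration.

```python
import ipaddress
import re

# Grammar taken from the "Valid syntax" lists: name[:domain][/ip4-len][//ip6-len]
MECH_RE = re.compile(
    r"^(?P<name>a|mx)(?::(?P<domain>[^/]+))?(?:/(?P<v4>\d+))?(?://(?P<v6>\d+))?$"
)

# Constructed sample data standing in for the A/AAAA answers a resolver would
# return (for "mx", the addresses of the domain's MX hosts).
SAMPLE_DNS = {"example.com": ["192.0.2.1", "2001:db8::1"]}


def parse_mechanism(term, current_domain):
    """Return (name, domain, ip4_len, ip6_len) for an "a" or "mx" term."""
    m = MECH_RE.match(term.lower())
    if not m:
        raise ValueError(f"not a valid a/mx mechanism: {term!r}")
    # Assumption: a missing suffix means an exact host match (/32 or /128).
    v4 = int(m["v4"]) if m["v4"] else 32
    v6 = int(m["v6"]) if m["v6"] else 128
    if v4 > 32 or v6 > 128:
        raise ValueError(f"prefix length out of range in {term!r}")
    return m["name"], m["domain"] or current_domain, v4, v6


def mechanism_matches(term, current_domain, client_ip, resolved=SAMPLE_DNS):
    """True if client_ip falls inside the CIDR block around any resolved address."""
    _, domain, v4, v6 = parse_mechanism(term, current_domain)
    client = ipaddress.ip_address(client_ip)
    for addr in resolved.get(domain, []):
        host = ipaddress.ip_address(addr)
        if host.version != client.version:
            continue  # "/" only ever applies to IPv4, "//" only to IPv6
        prefix = v4 if host.version == 4 else v6
        # strict=False masks off the host bits, giving the enclosing network
        if client in ipaddress.ip_network(f"{host}/{prefix}", strict=False):
            return True
    return False


if __name__ == "__main__":
    for ip in ("192.0.2.200", "2001:db8::abcd", "2001:db8:0:1::1"):
        print(ip, mechanism_matches("mx/24//64", "example.com", ip))
```

A term such as "mx/24/64" or "mx/33" is rejected rather than guessed at, so a malformed record cannot silently widen the set of permitted senders.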