spf-discuss

multiple records

2003-11-14 13:19:27
A domain MUST NOT return multiple "v=spf1" records for a given query.
If more than one "v=spf1" record is returned, this constitutes a
syntax error and the result becomes "unknown".

[[[ I don't think we should say here that future versions of spf won't
allow multiline responses.
Well - lack of DNS ordering makes this highly unlikely...
]]]
Why is the lack of DNS ordering such a problem?  MX records seem
to work OK without ordering by including the priority (PREFERENCE)
as part of the RDATA format.

Something like "pri=" could be used to wedge the concept into a TXT RR.
(a lack of "pri=" being the equivalent of "pri=0")

So you could evaluate each record in order (lowest first) until you
explicitly match a pass or fail (or softfail) by using "unknown" to drop
through to the next record.

  foo.example.com. IN TXT "v=spf1 pri=10 +mx"
  foo.example.com. IN TXT "v=spf1 pri=30 +ip4:10.2.0.0/24 -all"
  foo.example.com. IN TXT "v=spf1 pri=20 +ip4:10.1.0.0/24"

This is closer to the way typical network filtering rules operate, and
would make the more complex policies easier to manage.

(For example allowing lower priority records to be dynamically
added/removed as a result of some automated/semi-automated process?)

-- 
Lee Maguire <lee(_at_)hexkey(_dot_)co(_dot_)uk>
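An added example (not code from the post, the draft, or any SPF implementation) of the priority-ordered evaluation proposed above, written in Python. The hypothetical "pri=" term is parsed from each v=spf1 record (absent meaning pri=0), records are walked lowest priority first, and a record that matches nothing yields "unknown" and falls through to the next one. The MX lookup is replaced by a constructed address table; only the mechanisms used in the post (mx, ip4, all) are implemented.

```python
import ipaddress

# Constructed sample data: the three TXT records from the post, plus a stand-in
# for the MX lookup (hypothetical; a real checker would query DNS for foo.example.com).
TXT_RECORDS = [
    "v=spf1 pri=10 +mx",
    "v=spf1 pri=30 +ip4:10.2.0.0/24 -all",
    "v=spf1 pri=20 +ip4:10.1.0.0/24",
]
MX_ADDRESSES = {"foo.example.com": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def record_priority(record):
    """Return the proposed 'pri=' value; a missing pri= counts as pri=0."""
    for term in record.split()[1:]:
        if term.startswith("pri="):
            return int(term[4:])
    return 0

def mechanism_matches(mech, ip, domain):
    """Evaluate one mechanism against ip (only mx, ip4 and all are supported here)."""
    if mech == "all":
        return True
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    if mech == "mx":
        return any(ip == ipaddress.ip_address(a) for a in MX_ADDRESSES.get(domain, []))
    raise ValueError(f"unsupported mechanism: {mech}")

def evaluate_record(record, ip, domain):
    """Walk terms left to right; first match decides, no match is 'unknown'."""
    for term in record.split()[1:]:
        if term.startswith("pri="):
            continue  # pri= only orders records, it is not a mechanism
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mechanism_matches(mech, ip, domain):
            return QUALIFIERS[qualifier]
    return "unknown"

def check_host(ip, domain, records=TXT_RECORDS):
    """Evaluate v=spf1 records lowest pri first; stop at the first explicit
    pass/fail/softfail, otherwise ('unknown' or 'neutral') drop to the next record."""
    ip = ipaddress.ip_address(ip)
    spf = sorted((r for r in records if r.startswith("v=spf1")), key=record_priority)
    for record in spf:
        result = evaluate_record(record, ip, domain)
        if result in ("pass", "fail", "softfail"):
            return result
    return "unknown"
```

With the records above, a sender that matches none of the earlier records reaches the pri=30 record and its "-all", so removing that one record turns the final answer from "fail" into "unknown".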

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.6.txt

