On Friday 21 November 2003 2:20 pm, Marc wrote:
Let's assume group (2) can handle anything we throw at them.
All I'm saying is that I believe that there are a LOT of people that fit
into this category.
If you do not have TXT record capability but do have a web server mapped in
each domain, then you are group 1. The 'http' mechanism can do the job for
you.
If you do not have TXT record capability and have some domains that do not
have a webserver, then you are correct that you do not fit into either of the
two groups. Here's the situation you would be in:
In the recommended 'default SPF record' I gave, there was an mx mechanism
prior to the http one. This would mean that you could only send SPF-compliant
mail via one of the MX hosts for these domains. If there are no MX records,
you cannot send (or receive) mail at all.
Thinking about it further, the recommended default should be:
"v=spf1 http http:www.%{d} mx default=unknown"
With this default, a lot of small single-hosted sites will be SPF-compliant
without having to do anything at all.
I think it is fair to trust the MX for a domain since if the host is trusted
to receive mail it should be trusted to send too. Where this is not true (i.e.
you have untrusted users that can call out on port 25) the admin can specify
!mx in either an SPF text record or an smtp-spf.txt file.
This leaves a tiny group that may be 'falsely trusted' - domains with no txt
dns capability, no webserver and untrusted, unrestrained users running
rampant on an MX host. Even then they can only forge mail from other users in
the same domain, whilst logged in to the machine. If that's a problem, it
belongs in the 'blacklist' category, not sender authentication.
- Dan
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.6.txt
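
The fall-through behaviour of the proposed default record, as an added example that is not part of the original message or of any SPF implementation. It assumes the 'http' mechanism fetches a policy file from the named host and evaluates it in place of the default when one exists; the result names "pass" and "fail", the domain names and the addresses are constructed for the sketch.

```python
# Added sketch: models the proposed default record from the message above.
# Assumptions (not stated in the message): 'http' fetches a policy file from
# the named host and, when one exists, that policy is evaluated instead of the
# default; result names "pass"/"fail" are this sketch's own.
DEFAULT = "v=spf1 http http:www.%{d} mx default=unknown"

# Constructed sample data (documentation names and addresses only).
WORLD = {
    "txt": {"dns.example": "v=spf1 !mx default=unknown"},
    "http": {"www.web.example": "v=spf1 !mx default=unknown"},
    "mx": {
        "dns.example": {"192.0.2.5"},
        "web.example": {"192.0.2.10"},
        "bare.example": {"192.0.2.20"},
    },
}

def evaluate(domain, client_ip, world=WORLD, record=None, nested=False):
    """Walk the record left to right; the first matching mechanism decides."""
    if record is None:
        # A published TXT record takes the place of the assumed default.
        record = world["txt"].get(domain, DEFAULT)
    result = "unknown"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        term = term.replace("%{d}", domain)  # %{d} expands to the domain
        if term.startswith("default="):
            result = term.split("=", 1)[1]
        elif term == "http" or term.startswith("http:"):
            host = term[5:] or domain
            policy = world["http"].get(host)  # smtp-spf.txt body, if served
            if policy is not None and not nested:
                return evaluate(domain, client_ip, world, policy, nested=True)
        elif term in ("mx", "!mx"):
            if client_ip in world["mx"].get(domain, ()):
                return "fail" if term.startswith("!") else "pass"
    return result

def summary():
    """Outcome for each situation the message describes."""
    return {
        "no TXT, no web, MX host": evaluate("bare.example", "192.0.2.20"),
        "no TXT, no web, other host": evaluate("bare.example", "198.51.100.7"),
        "smtp-spf.txt with !mx, MX host": evaluate("web.example", "192.0.2.10"),
        "TXT with !mx, MX host": evaluate("dns.example", "192.0.2.5"),
    }

if __name__ == "__main__":
    for case, outcome in summary().items():
        print(f"{case}: {outcome}")
```

The first case is the 'falsely trusted' group from the message: with no TXT record and no web server, any sender on the MX host is accepted until the admin publishes !mx.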