spf-discuss

When MX is not present, fall back to A

2003-12-14 11:02:16
On Sun, Dec 14, 2003 at 09:27:57AM -0800, Jon Loeliger wrote:
| 
| So, I thought: Hmm.  It does make some sense to supply SPF records
| for chrome.jdl.com and mail.jdl.com too, and maybe www.jdl.com.

At present, if a domain label has no MX record but it does have an A
record, MTAs will fall back to the A record.

This convention has been grandfathered into the current Internet.
SMTP therefore considers every hostname with an A record a deliverable
domain, even if it has no MX record.

See, for example, Postfix's definition of reject_unknown_sender_domain
at http://www.postfix.org/uce.html#smtpd_sender_restrictions or
Sendmail's accept_unresolvable_domains at
http://www.sendmail.org/m4/features.html#accept_unresolvable_domains

Because everybody falls back to A when MX is absent, even if you protect
an organization-level domain name like example.com, you still have to
protect all the hostnames under it: if workstation.example.com and
WebBrowserInToilet.example.com and InternetVendingMachine.example.com
all have IP addresses, spammers could forge those domains in a sender
address.

This is annoying, but unavoidable.  SPF records will be needed for those
subdomains until the fall-back-to-A convention goes away.

Who wants to invent a time machine to go back to 1982 and tell everyone
"no no no you MUST require MX records for deliverability"?

Now, in the draft's definition of "mx", we can either continue the
broken tradition, or set a new standard.

Continuing the tradition:

   If the <target-name> has no MX records, SPF clients pretend the
   target is its single MX, and perform an A lookup on the <target-name>
   directly.  This behaviour follows generally accepted email practices.

Breaking with tradition:

   If the <target-name> has no MX records, SPF clients MUST NOT pretend
   the target is its single MX, and MUST NOT default to an A lookup on
   the <target-name> directly.  If such behaviour was intended, the
   <target-name> would have specified an "a" declaration instead.

Which do you think would be better, guys?

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt
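The two candidate rules for "mx" above, worked through in code. This is an added example, not code from the post or from the SPF project: it evaluates a toy `v=spf1` record against a constructed in-memory zone (the `ZONE` table, the `example.com` hostnames and the 192.0.2.x addresses are all made up for illustration) and shows why an unprotected hostname with only an A record is still a forgeable sender domain, and how the same record gives different results depending on whether "mx" falls back to A.

```python
"""Toy SPF check_host() for the "mx" and "a" mechanisms, evaluated under both
rules proposed in the post: fall back to an A lookup when the target has no MX
record ("continuing the tradition"), or refuse to ("breaking with tradition").
All DNS data lives in a constructed in-memory zone; nothing here queries DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Zone:
    """Constructed DNS data: name -> MX targets / A addresses / TXT records."""
    mx: Dict[str, List[str]] = field(default_factory=dict)
    a: Dict[str, List[str]] = field(default_factory=dict)
    txt: Dict[str, List[str]] = field(default_factory=dict)


# Assumed zone (hypothetical): example.com has an MX pointing at
# mail.example.com; mail.example.com and workstation.example.com have only A
# records.  Only example.com and mail.example.com publish SPF records.
ZONE = Zone(
    mx={"example.com": ["mail.example.com"]},
    a={
        "mail.example.com": ["192.0.2.10"],
        "workstation.example.com": ["192.0.2.50"],
    },
    txt={
        "example.com": ["v=spf1 mx -all"],
        "mail.example.com": ["v=spf1 mx -all"],
    },
)


def deliverable(domain: str, zone: Zone) -> bool:
    """The grandfathered SMTP rule: an MX record, or failing that, an A record."""
    return bool(zone.mx.get(domain)) or bool(zone.a.get(domain))


def mx_mechanism(domain: str, client_ip: str, zone: Zone, fallback_to_a: bool) -> bool:
    """Does client_ip belong to one of the domain's MX hosts?"""
    targets = zone.mx.get(domain, [])
    if not targets:
        if not fallback_to_a:
            return False          # breaking with tradition: no MX, no match
        targets = [domain]        # continuing the tradition: the name is its own MX
    return any(client_ip in zone.a.get(t, []) for t in targets)


def a_mechanism(domain: str, client_ip: str, zone: Zone) -> bool:
    """Does client_ip belong to the domain's own A records?"""
    return client_ip in zone.a.get(domain, [])


QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip: str, sender_domain: str, zone: Zone, fallback_to_a: bool) -> str:
    """Minimal check_host(): evaluate the sender domain's v=spf1 record left to right.

    Supports only the mx, a and all mechanisms with an optional qualifier and
    an optional ":domain" argument.  A domain without a record yields "none",
    which is exactly the gap the post warns about for unprotected hostnames.
    """
    records = [r for r in zone.txt.get(sender_domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        target = arg or sender_domain
        if name == "mx":
            matched = mx_mechanism(target, client_ip, zone, fallback_to_a)
        elif name == "a":
            matched = a_mechanism(target, client_ip, zone)
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"mechanism not supported by this toy: {name}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"              # no mechanism matched and no "all" present


if __name__ == "__main__":
    for fallback in (True, False):
        rule = "fall back to A" if fallback else "no fallback"
        print(f"[{rule}] example.com from 192.0.2.10:",
              check_host("192.0.2.10", "example.com", ZONE, fallback))
        print(f"[{rule}] mail.example.com from 192.0.2.10:",
              check_host("192.0.2.10", "mail.example.com", ZONE, fallback))
    # workstation.example.com is deliverable by the SMTP rule yet has no SPF
    # record, so a forged sender there gets "none" under either rule.
    print("workstation.example.com deliverable:", deliverable("workstation.example.com", ZONE))
    print("workstation.example.com from 192.0.2.50:",
          check_host("192.0.2.50", "workstation.example.com", ZONE, True))
```

The interesting case is `mail.example.com`, which publishes `v=spf1 mx -all` but has no MX record of its own: under the fall-back rule its only A address passes, under the no-fallback rule the same mail fails and the record author would have had to write `a` instead. The later standard, RFC 7208 section 5.4, took the second road: when the target name has no MX record, check_host() must not apply SMTP's implicit-MX rule.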