spf-discuss

RE: Summary: Current state of SPF

2004-01-30 11:19:55
wayne wrote:
I think that checking things token by token is just plain confusing.

Again, I think implementations of SPF MUST check for all syntax errors
including unknown mechanisms.  It MAY check for things like missing
records in include:, recursion depth limits, etc.

If I recall, the spec went this way so that the policy is akin to
something like a firewall policy.  The packet is passed from rule to
rule until it hits something that matches, or ends up at your default
rule which should match everything.  This way, the tokens are
independent of each other and ordering does matter, and you can define
your policy from the most specific rule (mechanism) to the least
specific.  In this way, if you put mechanisms unlikely to be recognized
at the end, it's possible that the other, more common mechanism at the
beginning (a, mx, etc.) will match first and processing will stop.

Of course this does get confusing when you specify mechanisms in order
yet you may specify modifiers anywhere in the record you want, because
then you must parse the entire record to get at them.  Might it make
more sense to require global modifiers to be at the beginning of the
record?  Then you wouldn't have to parse all the way through the record
to get at the modifiers if the first mechanism returns a PASS...

Of course the other option is to have the order not matter at all, and
we check all the mechanisms and if any of them return a PASS that is the
result.  Since we don't have different result codes like PASS:A or
PASS:MX, and we can't really tell which mechanism created the result,
which mechanism created the result really doesn't matter in the end.
However, if we want strict SPF1 parsers to balk on syntax errors or
unrecognized modifiers, we have to parse the entire record anyhow.

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
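
Added example, not part of the original message or of any SPF implementation: a toy evaluator contrasting the first-match (firewall-style) processing described above with a strict parser that validates every term before evaluating. Assumptions: only the ip4 and all mechanisms are supported so no DNS is needed, "frobnicate" is a made-up unknown mechanism, and the "error" result name is a label chosen for this sketch.

```python
import ipaddress

KNOWN = {"ip4", "all"}  # assumption: toy subset, so the example runs offline
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_term(term):
    """Split one term into (kind, result_or_None, name, arg)."""
    if "=" in term.split(":", 1)[0]:           # modifier, e.g. redirect=...
        name, arg = term.split("=", 1)
        return "modifier", None, name, arg
    qual = term[0] if term[0] in QUALIFIERS else "+"
    body = term[1:] if term[0] in QUALIFIERS else term
    name, _, arg = body.partition(":")
    return "mechanism", QUALIFIERS[qual], name.lower(), arg

def matches(name, arg, ip):
    """True if the sending IP matches this (known) mechanism."""
    if name == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(arg)

def lazy_check(record, ip):
    """First-match evaluation: stop at the first mechanism that matches."""
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        kind, result, name, arg = parse_term(term)
        if kind == "modifier":
            continue                           # modifiers do not match senders
        if name not in KNOWN:
            return "error"                     # reached only if nothing matched earlier
        if matches(name, arg, ip):
            return result
    return "neutral"                           # assumed default when nothing matches

def strict_check(record, ip):
    """Validate every term first, then evaluate in order."""
    for term in record.split()[1:]:
        kind, _, name, _ = parse_term(term)
        if kind == "mechanism" and name not in KNOWN:
            return "error"                     # whole record rejected up front
    return lazy_check(record, ip)

# Constructed sample record with an unknown mechanism before the default rule.
RECORD = "v=spf1 ip4:192.0.2.0/24 frobnicate:example.com -all"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "lazy:", lazy_check(RECORD, ip), "strict:", strict_check(RECORD, ip))
```

With first-match evaluation the same broken record passes for one sender and errors for another, so the defect is only visible to senders that fall through to the unknown term; the strict parser gives the same answer for every sender.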

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/