In <20040205015742(_dot_)GS1323(_at_)dumbo(_dot_)pobox(_dot_)com> Meng Weng
Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:
> Before somebody else says it, I should point out the weakness of a
> left-to-right processing scheme like SPF: only one new auth mechanism
> can be gradually introduced. We can't handle the semantics of "or".

Agreed.

> If a domain wanted to assert that when its users aren't coming from a
> known IP range, then its users always either sign mail with smime or
> sign mail with domainkeys, it could assert
>
>   v=spf1 a mx smime dk -all
>
> But only clients that understood both smime and dk would be able to
> fully parse this record. For all other clients the domain might as well
> not even publish a record beyond
>
>   v=spf1 a mx ?all

Which is why you should use "v=spf1 a mx [-?~]all smime=y dk=y"

-wayne

> But I suspect the above "failure modes" are academic. The scenarios are
> contrived. I expect that a domain that has to resort to smime as an
> authentication mechanism won't be able to do the "a mx" part.

On the contrary, I suspect that desire to use multiple extensions will
be common. Consider:

  "v=spf1 a mx ~all smime-done-my-way=blah smime-done-right=barf"

-wayne
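
The contrast between the two record styles discussed in this message, as an added example that is not part of the original post: a simplified left-to-right evaluator in which a receiver stops with an indeterminate result at the first mechanism it does not implement, but skips name=value modifiers it does not recognise. The `smime`/`dk` terms are the thread's hypothetical extensions; the `evaluate` function, its `matches` input (standing in for DNS, IP and signature checks) and the result string `unknown` are assumptions of this sketch.

```python
# Added illustration: simplified model of left-to-right SPF evaluation.
# Not a full SPF implementation: no DNS, no macros, redirect=/exp= not modelled.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LEGACY = {"a", "mx", "all"}               # receiver without the extensions
EXTENDED = LEGACY | {"smime", "dk"}       # hypothetical upgraded receiver


def evaluate(record, known, matches):
    """Return (result, skipped_modifiers) for one receiver.

    known   -- mechanism names this receiver implements
    matches -- constructed input: mechanisms that match this message,
               standing in for the real DNS/IP/signature checks
    """
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none", []
    result, skipped = None, []
    for term in terms[1:]:
        if "=" in term:                   # name=value modifier
            skipped.append(term)          # not interpreted here, never an error
            continue
        if result is not None:            # verdict reached; only modifiers
            continue                      # are still collected
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = term.split(":")[0].split("/")[0]
        if name not in known:
            result = "unknown"            # cannot tell whether it would match
        elif name == "all" or name in matches:
            result = QUALIFIERS[qualifier]
    return result or "neutral", skipped


MECH_STYLE = "v=spf1 a mx smime dk -all"      # extensions as mechanisms
MOD_STYLE = "v=spf1 a mx -all smime=y dk=y"   # extensions as modifiers

if __name__ == "__main__":
    # Sender is outside a/mx (matches is empty); receiver is a legacy one.
    for rec in (MECH_STYLE, MOD_STYLE):
        print(f"{rec!r:34} -> {evaluate(rec, LEGACY, set())}")
```

For a legacy receiver and a sender outside `a`/`mx`, the mechanism-style record ends at `unknown`, while the modifier-style record still reaches `-all`.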
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/