spf-discuss

Re: specification 02.9.7 released

2004-02-08 15:17:00
   Clients are NOT REQUIRED to fall back to parent domains.  If a domain
   has no SPF record, clients MUST NOT, on their own initiative,
   substitute SPF data from a parent domain.  For example, if no SPF
   record is found for "workstation.example.com", clients MUST NOT
   proceed automatically to query "example.com".

I just started implementing SPF, and generally am agreeable with it, but this is the one where I see a huge hole.

1) Which is it, NOT REQUIRED, meaning not mandatory but allowable, or MUST NOT, meaning not allowable? From reading the SPF web site and other documents, I'm inclined to believe the meaning is MUST NOT, which brings me to point 2.

2) Many domains publish a wildcard record for the domain, so that typos in URLs still work. For instance, all of these work:

http://www.britneyspears.com/
http://wwww.britneyspears.com/
http://ww.britneyspears.com/

Thus, there are an infinite number of subdomains of britneyspears.com. But there is no way in SPF to indicate that the guidance I publish in an SPF/TXT record applies to all subdomains as well as my master domains. So if I protect britneyspears.com with the following:

britneyspears.com. 1H IN TXT "v=spf1 ip4:216.166.80.0/24 -all"

All a smarter spammer needs to do is send mail from joe(_at_)foo(_dot_)britneyspears(_dot_)com, and SPF will return an evaluation of None instead of Fail.

Am I missing something here?

--
K2 // Karl Kraft  // karl(_at_)nfox(_dot_)com
To purchase it is not like spending money, but rather it is an investment in the future, in a blow against the empire
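An added example, not part of the original message or of the SPF draft, that models the behaviour described above: a toy check_host with no parent-domain fallback is run against a constructed zone, first as published in the post and then with a wildcard SPF record added, which is the usual way to cover wildcard hostnames. The zone data and host names are constructed, and the evaluator only understands ip4 and all.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT answers; these are not the
# real britneyspears.com records.  A "*." key models a DNS wildcard: it
# answers only for names that have no entry of their own (simplified).
ZONE = {
    "britneyspears.com": ["v=spf1 ip4:216.166.80.0/24 -all"],
    "www.britneyspears.com": [],  # host exists (has an A record) but publishes no TXT
}
# The same zone with a wildcard SPF record added, the common mitigation.
ZONE_WILDCARD = {**ZONE, "*.britneyspears.com": ["v=spf1 -all"]}

RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def lookup_txt(name, zone):
    """TXT strings for name; a wildcard answers only when no exact entry exists."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return []

def check_host(ip, domain, zone=ZONE):
    """Toy SPF check_host: ip4 and 'all' only, and no parent-domain fallback."""
    records = [r for r in lookup_txt(domain, zone) if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "None"  # no record for this exact name; the draft forbids trying the parent
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "PermError"  # mechanisms outside this toy's scope
        if matched:
            return RESULT[qualifier]
    return "Neutral"  # no mechanism matched

if __name__ == "__main__":
    for label, zone in (("no wildcard", ZONE), ("wildcard", ZONE_WILDCARD)):
        for sender in ("britneyspears.com", "foo.britneyspears.com", "www.britneyspears.com"):
            print(f"{label:12} {sender:26} {check_host('10.0.0.1', sender, zone)}")
```

Note that www.britneyspears.com still evaluates to None even with the wildcard in place, because a DNS wildcard never applies to a name that already has records of its own; every such host needs its own SPF record.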


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.7.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/