spf-discuss

Re: how to protect the HELO using SPF

2004-02-24 13:32:24
On Tue, 2004-02-24 at 12:08, Meng Weng Wong wrote:
On Tue, Feb 24, 2004 at 11:59:48AM -0500, Meng Weng Wong wrote:
| 
| Let's find a way to express the desired new functionality in the
| existing syntax.
| 
| perhaps scope=mailfrom,helo?
| 

if (helo domain has an spf record
    AND
    spf record indicates scope=...,helo,...
   ) THEN
      honour SPF record for domain

So we want to restrict the use of mail.baschny.de.

  mail.baschny.de TXT "v=spf1 scope=mailfrom,helo a -all"

That way, SPF clients that understand "scope=helo" semantics will always
do a lookup on FQDN helo, and if they get back a scope=helo, they will
honour the SPF record.  If they do not get a scope=helo, they will
proceed as usual, to check the return-path.

However, that record by itself wouldn't cause any clients to restrict
the use of mail[23456789].baschny.de in helo strings.

They would likely still reject "mail from"s with those nonexistent
domains because of the lack of A records, but domain owners who want to
prevent helo spoofs would have to set up a TXT wildcard above.

Are wildcards the best answer to this?

I've brought this question up before in the general spf context, and
after being reminded of the fact that people tend to reject mail coming
from "mail from" domains with no A records, I withdrew my objection to
the spec's "don't-lookup-parent-domains" requirement.

However...I still have what is perhaps an irrational dislike of wildcard
records.  The fact that a "host nonexistent.baschny.de" would no longer
fail with an nxdomain if a wildcard spf txt record exists for it makes
using wildcards seem a bit odd to me.

A scope modifier would require wildcards to come into the picture again.

As one way around having to have dns wildcards, what about spf
wildcards:  (Going from the frying pan into the fire here?)

  "default_spf_record_for_subdomains=default._spf.baschny.de"

  or perhaps a shorter:

  "def=default._spf.baschny.de"

So clients could successively query parent domains looking for spf
records with "def" modifiers to cover all the scopes they support.

I would imagine that wildcards would rarely need to be queried for in
actual practice, as legitimate emails would come from domains with real
spf records, and spammers/forgers would tend to avoid domains whose
parent domains effectively say "-all" as a default.

As an aside, I'm not sure if there's a potential hole if
spammers/forgers use the default._spf.example.com domain itself in "mail
from"s or helos.  If so, the meaning of "def" could say that the target
has to begin with "-all", which clients would strip before evaluation.

(As a second aside...having separate helo & "mail from" scopes is
vaguely similar to multidimensional scoring.  :-)  )

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
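A toy evaluator of the scope= and def= ideas discussed in this post, added here as an illustration; it is not code from the thread or from any SPF implementation, and the TXT data, A records and IP addresses are constructed. It walks parent domains for a def= modifier instead of relying on DNS wildcards, strips the required leading "-all" from the default record, and covers only the a, ip4 and all mechanisms.

```python
# Constructed in-memory TXT and A data mirroring the post's proposal (not real DNS).
TXT = {
    "mail.baschny.de": "v=spf1 scope=mailfrom,helo a -all",
    "baschny.de": "v=spf1 def=default._spf.baschny.de mx -all",
    # A def= target must start with "-all" so that using it directly fails.
    "default._spf.baschny.de": "v=spf1 -all scope=mailfrom,helo -all",
}
A = {"mail.baschny.de": "192.0.2.10"}
DEF_PREFIX = "v=spf1 -all"

def modifiers(record):
    """Collect name=value modifier terms (scope=, def=) from an SPF record."""
    return dict(t.split("=", 1) for t in record.split()[1:] if "=" in t)

def covers(record, scope):
    """Proposed semantics: a record applies to 'helo' only if scope= says so."""
    return scope in modifiers(record).get("scope", "mailfrom").split(",")

def lookup(identity, scope):
    """Return the record to apply, or None. Direct record first, then walk parent
    domains for a def= modifier (the post's alternative to DNS wildcards)."""
    rec = TXT.get(identity)
    if rec is not None:
        return rec if covers(rec, scope) else None
    labels = identity.split(".")
    for i in range(1, len(labels) - 1):              # never reach the TLD
        target = modifiers(TXT.get(".".join(labels[i:]), "")).get("def")
        if target is None:
            continue
        default = TXT.get(target, "")
        if not default.startswith(DEF_PREFIX):       # malformed default: ignore it
            return None
        default = "v=spf1 " + default[len(DEF_PREFIX):].strip()
        return default if covers(default, scope) else None
    return None

def evaluate(record, domain, ip):
    """Walk mechanisms left to right (a, ip4, all); the first match decides."""
    for term in record.split()[1:]:
        if "=" in term:
            continue
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = term.partition(":")
        matched = (name == "all" or (name == "a" and A.get(arg or domain) == ip)
                   or (name == "ip4" and arg == ip))
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def check_helo(helo, ip):
    """Result of the proposed HELO check; 'none' when no record applies to HELO scope."""
    rec = lookup(helo, "helo")
    return "none" if rec is None else evaluate(rec, helo, ip)
```

With this data, mail.baschny.de passes from its own address, the nonexistent mail2.baschny.de fails through the parent's default record, and using default._spf.baschny.de itself as a HELO fails on its leading "-all".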