spf-discuss

Re: The demon problem, ancestor matching, and match_subdomains=yes

2004-03-22 14:10:15
In <110066000(_dot_)1079909672(_at_)[10(_dot_)12(_dot_)1(_dot_)18]> Greg Connor 
<gconnor(_at_)nekodojo(_dot_)org> writes:

I am going to stick with the opinion that "create a lot of SPF
records, as many as you have MX or A now" is still the best way.  If I
HAD to come up with a solution to make one SPF record cover a whole
domain, I would probably suggest something like:
  [snip]

Yes, this is the approach I have advocated.  What you described is
almost the same as what the res_findzonecut() function does.  It is
basically the same algorithm that is used for DNSSEC and what is used
internally in Bind.  The only major difference that I noted is that SOA
records are, sadly, optional, so you may be forced to walk up the DNS
tree until you find authoritative nameservers.  (Which, again, is what
Bind does.)


  3a. If SPF exists for the same label as the SOA, honor it if it says
  "match_subdomains=yes"

Personally, I would tend to say that this algorithm should be done
*unless* there is some modifier that says not to.  In the vast
majority of cases, this is what people will want to do, and so it
makes sense to make it the default.


I am not 100% sure about the extra qualifier "match_subdomains=yes"
BUT it is a heck of a lot safer.  If the SPF record at the SOA
level is assumed to apply to all subdomains, then the rules I might
publish for demon.co.uk would probably affect gconnor.demon.co.uk also
-- you would have to put in SPF for all the exceptions and then we're
back where we started almost.


If you don't want to put in all the exceptions, just start your SPF
record with "include:_spf_ok.%{d}".  If there isn't an SPF record at
_spf_ok.gconnor.demon.co.uk, then the SPF check will return Unknown.


-wayne
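The ancestor-walk lookup and the "include:_spf_ok.%{d}" escape hatch discussed in this thread, as an added example that is not part of the original post or of any SPF implementation. DNS is replaced by a constructed in-memory table of SOA labels and SPF records, and "match_subdomains=yes" is treated as the proposed opt-in modifier, not as standard SPF syntax.

```python
# Added example (not from the spf-discuss thread): ancestor matching with an
# explicit match_subdomains=yes opt-in, over a constructed offline zone table.
from typing import Iterator, Optional, Tuple

# Constructed sample data: labels that own an SOA (zone cuts) and labels that
# publish an SPF record. Addresses and contents are illustrative only.
SOA_NAMES = {"demon.co.uk", "co.uk", "example.org"}
SPF_RECORDS = {
    "demon.co.uk": "v=spf1 ip4:192.0.2.0/24 match_subdomains=yes -all",
    "gconnor.demon.co.uk": "v=spf1 include:_spf_ok.%{d} -all",
    "example.org": "v=spf1 mx -all",  # no match_subdomains=yes: not inherited
}

def ancestors(name: str) -> Iterator[str]:
    """Yield the name, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def find_zone_cut(name: str) -> Optional[str]:
    """Walk up the tree to the nearest label with an SOA (res_findzonecut-like)."""
    for candidate in ancestors(name):
        if candidate in SOA_NAMES:
            return candidate
    return None

def spf_for(domain: str) -> Tuple[str, Optional[str]]:
    """Return (how, record): 'exact' when the domain publishes SPF itself,
    'inherited' only if the zone-cut record opted in with match_subdomains=yes,
    else ('unknown', None) so subdomains are never covered by accident."""
    if domain in SPF_RECORDS:
        return "exact", SPF_RECORDS[domain]
    cut = find_zone_cut(domain)
    record = SPF_RECORDS.get(cut) if cut else None
    if record and "match_subdomains=yes" in record.split():
        return "inherited", record
    return "unknown", None

def expand_d(record: str, domain: str) -> str:
    """Expand the SPF %{d} macro (the domain under test) in a record."""
    return record.replace("%{d}", domain)

def include_resolves(record: str, domain: str) -> Optional[bool]:
    """For the first include: term, report whether its target publishes SPF.
    None means no include: present; False means the check yields Unknown."""
    for term in expand_d(record, domain).split():
        if term.startswith("include:"):
            return term[len("include:"):] in SPF_RECORDS
    return None
```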