spf-discuss

Re: How to build an SPF record that is split in substrings?

2004-04-06 06:31:34
In <8036904(_at_)pamho(_dot_)net> "Roger Moser" 
<Roger(_dot_)Moser(_at_)pamho(_dot_)net> writes:

> Look at the SPF record of tdlc.com:
>
> tdlc.com. 3600 IN TXT (
>   "v=spf1"
> [snip]
>   "-all"
>   )
>
> Is that valid or invalid? How should SPF concatenate the strings? Should it
> insert spaces? Should it insert a space only if the length of string is not
> 255?

The SPF spec says how to concatenate the strings.  It should not
insert spaces.

> Should it insert a space only if the length of string is not
> 255?

Or 127 if they are using djbdns?  Or some other value to make this
work on some other name server?

For those who aren't aware, BIND breaks long strings into 255 byte
substrings, while djbdns breaks at 127 bytes.  This means that there
are valid SPF records out there that are broken into substrings and if
you just insert spaces, you will insert spaces into the middle of
mechanisms, thus causing valid SPF records to break.



Again, this gets back to trying to guess what the correct thing to do
with invalid data should be.  As I see it, we have three choices:

1) Follow the SPF spec and not try to guess.  This will lead to domain
   owners with invalid SPF records getting consistent results, but not
   the results they want.

2) Have the same SPF record mean different things on different SPF
   implementations depending on how the implementation chooses to make
   guesses and which cases to make guesses for.

3) Standardize the guesses so that they can be consistent across the
   SPF implementations.  Of course, if we do that, we are actually
   following the first choice.  We would just be updating the SPF
   spec.


While I can see how it is very tempting to try and help domain owners
out by automatically "correcting" their mistakes, I think doing so
hurts SPF in the long run.  I think the better way to proceed is to
give domain owners better feedback about their invalid SPF records.
It would be better to email these folks, or put a warning in the
processed email in a noticeable place or something.


If you look at the SPF Adoption Roll, the number of invalid SPF
records is staying about the same, while the overall number of SPF
records is growing rapidly.  It doesn't appear to me that, in
practice, publishing valid SPF records is that much of a burden.


-wayne
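
The concatenation rule discussed in this message, as an added example that is not part of the original post or of any SPF implementation: it joins TXT substrings with and without inserted spaces for a record split at 255 and at 127 bytes, and for a one-term-per-substring record like the one quoted. All function names, domains and addresses are constructed for illustration.

```python
# Added illustration; all records below are constructed sample data.

def pack(strings):
    """Encode character-strings as TXT RDATA: one length byte, then the data."""
    return b"".join(bytes([len(s)]) + s for s in strings)

def split_at(text, limit):
    """Split text the way a name server with a `limit`-byte substring size would."""
    return [text[i:i + limit] for i in range(0, len(text), limit)]

def txt_strings(rdata):
    """Decode TXT RDATA back into its character-strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        if i + 1 + n > len(rdata):
            raise ValueError("truncated character-string in TXT RDATA")
        out.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return out

def spf_terms(rdata, sep=b""):
    """Join substrings with `sep`, then split on spaces into terms.
    sep=b"" is the rule stated in the message; sep=b" " is the guess it rejects."""
    return sep.join(txt_strings(rdata)).decode("ascii").split()

# Constructed record longer than 255 bytes, so both split sizes apply.
RECORD = (b"v=spf1 "
          + b" ".join(b"ip4:192.0.2.%d" % n for n in range(1, 21))
          + b" include:_spf.example.net -all")
EXPECTED = RECORD.decode("ascii").split()

# Constructed record in the style quoted above: one term per substring, no spaces.
PER_TERM = pack([b"v=spf1", b"mx", b"-all"])

if __name__ == "__main__":
    for limit in (255, 127):
        rdata = pack(split_at(RECORD, limit))
        print(limit, "no spaces ok:", spf_terms(rdata) == EXPECTED,
              "| with spaces ok:", spf_terms(rdata, b" ") == EXPECTED)
    print("per-term record, no spaces:", spf_terms(PER_TERM))
    print("per-term record, with spaces:", spf_terms(PER_TERM, b" "))
```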