Dean Gibson wrote:
> mailpen.net. 60 TXT "v=spf1 mx +ptr:verizon.net -all"
> This test site not only validated a hypothetical mail sent from
> 206.46.170.106 (out006pub.verizon.net), it also validated mail sent from
> 4.40.2.214 (evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net).
This is a bug in the SPF implementation that is used.
Section 4.6 of the SPF specification says:
    This mechanism matches if the <target-name> is an ancestor of the
    <sending-host>, or if the <target-name> and the <sending-host> are
    the same. For example: "mail.example.com" is within the domain
    "example.com", but "mail.bad-example.com" is not. If a validated
    hostname is the <target-name>, a match results.
Therefore 4.40.2.214 must fail.
> So, which is the correct way to specify that a valid sender may end in
> "verizon.net" but not "dsl-verizon.net"?
mailpen.net did it correctly: "v=spf1 mx +ptr:verizon.net -all"
(Now they have: "v=spf1 +mx ?ptr:verizon.net -all")
Roger
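
The ancestor rule quoted above from section 4.6, as an added example that is not part of the original thread or of any SPF implementation. The PTR and A tables are a constructed stand-in for DNS built from the two hosts named in the thread, and `naive_suffix_match` is only an assumed way an implementation could produce the reported result.

```python
# Constructed stand-in for DNS lookups, using the hosts named in the thread.
PTR = {
    "206.46.170.106": ["out006pub.verizon.net"],
    "4.40.2.214": ["evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net"],
}
A = {
    "out006pub.verizon.net": ["206.46.170.106"],
    "evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net": ["4.40.2.214"],
}


def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.rstrip(".").lower()


def validated_hostnames(ip):
    """PTR names for ip whose forward (A) lookup includes ip again."""
    names = (normalize(h) for h in PTR.get(ip, []))
    return [h for h in names if ip in A.get(h, [])]


def within_domain(host, target):
    """Label-boundary match: host equals target or is a subdomain of it."""
    host, target = normalize(host), normalize(target)
    return host == target or host.endswith("." + target)


def naive_suffix_match(host, target):
    """Plain string suffix test (assumed form of the bug, not taken from the thread)."""
    return normalize(host).endswith(normalize(target))


def ptr_matches(ip, target, match=within_domain):
    """Evaluate ptr:<target> for a connecting IP with the given match rule."""
    return any(match(h, target) for h in validated_hostnames(ip))


if __name__ == "__main__":
    for ip in PTR:
        print(ip,
              "label-boundary:", ptr_matches(ip, "verizon.net"),
              "naive suffix:", ptr_matches(ip, "verizon.net", naive_suffix_match))
```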