spf-discuss

SV: Publishing of SPF Records

2004-04-15 05:59:35
I assume that you would like the SPF specification to be extended with:

"If DNS lookup fails, try to look up http://domainname/spf.txt";

In many cases, this will give a timeout, because http://domainname/ doesn't 
exist. If your mailserver receives a million smtp requests a day, you would 
have to make a million http lookups a day, which means that you might have to 
buy more servers to handle the load. Also, you would get many complaints from 
people that you are hitting their webserver with a lot of requests, because 
somebody else is abusing their e-mail address. Basically you would get 
complaints because you implemented SPF. A denial of service attack on a 
webserver would also get easier: Write a virus where the sender address is 
always using the same domain name... This would make mailservers all over the 
world trash the webserver.

A lot of people that I know, responsible for big e-mail systems, would not put 
SPF filtering into their systems, if it contained http lookups on people's 
webservers. This means that putting http into SPF slows down adoption, and we 
wouldn't like that, would we?

So basically, http is not going into SPF because we don't want it there for a 
billion reasons.

Lars.

-----Original message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com on behalf of Stefan Engelbert
Sent: Thu 15-04-2004 14:25
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Publishing of SPF Records
 
But why would it kill SPF? If I own domain abc.com I will be the only one who 
can create http://abc.com/spf.txt
so how can somebody else provide SPF functionality to my abc.com domain?

