Stefan Engelbert wrote:
>> In many cases, this will give a timeout, because
>> http://domainname/ doesn't exist.
> OK, but with timeouts we can live. You can even have DNS timeouts.
> SPF implementations have to deal with timeouts anyway. Otherwise
> you could easily DoS an SPF-enabled MTA.
In *most* cases this will give a timeout, since most admins will avoid
using http for SPF because it's chronically unsuited.
>> Also, you would get
>> many complaints from people that you are hitting their
>> webserver with a lot of requests, because somebody else is
>> abusing their e-mail address.
> Huh, what about DNS servers? Are you not hitting them? There are even some
> old implementations in the wild which you might bring down with a flood of
> requests.....
That's what DNS servers are out there for; it's what they're designed
for. I expect people to need to hit my DNS servers for domain and mail
related queries, and they're suitably hardened. Web servers are designed
for a completely different task.
> Just web logs are usually more closely monitored by the admins than DNS logs.....
That's almost invariably going to be a false assumption.
>> A lot of people that I know, responsible for big e-mail
>> systems, would not put SPF filtering into their systems, if
>> it contained http lookups on people's webservers.
> http lookups would be optional. So every mail operator could choose for himself
> whether to enable them or not......
No they wouldn't; you fail to see a key problem here. Any domain that
didn't implement DNS-SPF would then be hit for HTTP-SPF requests.
Effectively you make DNS-SPF compulsory for anyone not wishing to suffer
the HTTP penalty.
>> This means
>> that putting http into SPF slows down adoption, and we
>> wouldn't like that, would we?
> No, maybe it would even speed it up if EVERYBODY were able to publish SPF
> records on every low-cost domain....
No, it'd kill it. If you want to implement SPF, take the appropriate
steps to get proper control of your DNS - ask your provider to allow TXT
records to be added by the user. In your particular case it might be
simpler to provide HTTP lookup than DNS (and I strongly suspect you're
forgetting SPF mailserver protection records), but this is going to be
an edge case at best. You might as well tell people that email delivery
should fall back to an HTTP POST request; it's simply not going to be
accepted.
Note also that ALL domains already have DNS, but far fewer of them have
web servers, and even fewer of those have servers at domain.tld (most of
them will be at www.domain.tld). Furthermore you'd need HTTP servers
*on* every machine you wished to protect that way (while DNS servers can
be run centrally), as SPF protects mailservers as well as domains. In my
personal case you'd need over 12 web servers in place of 2 DNS servers
(of which I'd only need to reconfigure the master one for any changes).
>> So basically, http is not going into SPF because we don't
>> want it there for a billion reasons.
> Who is we? Are you speaking for everyone here?
Pretty much, yes. We've had this discussion before.
> Why don't we wait for other people
> to give their personal comments?
Consider mine made. HTTP would provide a useful fallback in very few
cases, and merely provide a needless and heavy demand in the vast
majority of cases.
Wechsler