
Re: virtual domains and TXT records; TXT labeling; TLS versus SPF

2004-05-14 01:57:28
spf-stuff wrote:
bind 8 and 9 limit TXT data to 2KB. In fact my bind seems to barf at the older 256-byte limit.
My main mailer serves some 316 FQ hosts. There is no way to fit all these in one TXT record.

You mean your mail server hosts 316 domains? If so, you need 316 separate TXT records, one per domain, rather than one big TXT record.

First, "include:" should be shortened to "i:" as for "a:" to save space. But consecutive TXT records can't be used (or at least queried) for a host, and even with just "i:" the TXT record can't list the domains the mailer might serve. What to do?

If for a given virtual(ly served) host foo.com I listed in its TXT record the server it uses for outbound, that works because I only have to modify all few hundred zone files, but TXT records don't get overloaded.

Say I have a virtually-served domain "frog.com" and the server that handles its inbound and outbound mail is "mail.green.com".
I don't get the distinction between

frog.com.   IN   TXT   "v=spf1 a ~all"
and
mail.green.com.   IN   TXT   "v=spf1 a mx include:frog.com ~all"

and, as I understand it, I need both anyway.

If you're saying all outbound mail for frog.com goes through mail.green.com then you need:

frog.com TXT "v=spf1 a:mail.green.com ~all"

If you also want to say that no mail is ever sent with envelope sender domain mail.green.com then you can also have:

mail.green.com TXT "v=spf1 ~all"

If you have a bunch of domains red.com, brown.com, blue.com and green.com and all of them send their outbound mail via mail.green.com, you could just use:

green.com       TXT     "v=spf1 a:mail.green.com ~all"
red.com         TXT     "v=spf1 redirect=green.com"
blue.com        TXT     "v=spf1 redirect=green.com"
brown.com       TXT     "v=spf1 redirect=green.com"
mail.green.com  TXT     "v=spf1 ~all"

Only one record needs changing if you change the outbound mailer now.

I notice one other counterintuitive thing - evidently bind requires an explicit label on TXT records, and does Not inherit the most recent explicit label, as would happen for A and other records.

frog.com.    IN   SOA
                  IN   MX   mail.green.com.   (inherits frog.com.)
                  IN   A      1.2.3.4                  (inherits frog.com.)
                  IN   TXT   "v=spf1 a ~all"   ?? doesn't inherit anything

the TXT record is not served in this case; explicit frog.com.   IN   TXT   "v=spf1 a ~all" is required. This is a minor nuisance because I think the label on the TXT record /will/ be inherited, so one has to take care that the label is re-overridden by name or with $ORIGIN, depending what else is going on in the zone file.

This does not happen on my bind nameserver (9.2.3), as I use precisely that notation:

$ORIGIN city-fan.org.
$TTL    86400   ; Default TTL for records in this zone (1 day)

@               IN      SOA     gatekeeper.city-fan.org. soa.city-fan.org. (
                                        2004051201      ; serial
                                        90M             ; refresh
                                        30M             ; retry
                                        2W              ; expiry
                                        6H              ; minimum TTL
                                )

                        NS      gatekeeper
                        NS      ns1.secondary.com.
                        NS      ns2.secondary.com.
                        NS      switch.txrx.org.
                        NS      ns1.force9.net.
                        NS      ns2.force9.net.

                        RP      soa.city-fan.org.               city-fan.org.
                        TXT     "Paul Howarth +44 (7968) 087 242"
                        TXT     "v=spf1 ptr ip4:212.159.14.0/24 exp=spf-exp.city-fan.org -all"

                        MX 10   gatekeeper
                        MX 50   mx.last.plus.net.

spf-exp                 TXT     "Mail from %{s} at %{i} rejected: see http://www.city-fan.org/spf-reject.html"

...

In the course of all time it makes more sense for a server to authenticate itself to any peer. That is, if I'm running SSL/TLS I can make my users authenticate themselves or let them authenticate me; but what is needed is for mx1.aol.com to prove to my server that it is in fact mx1.aol.com, by the same mechanism, and then DNS fiddling is not required, and this can be done more naturally than introducing a separate, foreign protocol.

This is perfectly possible but it needs somebody to specify how to share and authenticate the required certificates, which to my knowledge nobody has yet done.

And whilst you may be able to satisfy yourself that mx1.aol.com is in fact mx1.aol.com, that still says nothing about whether mail from user(_at_)green(_dot_)com is supposed to come from mx1.aol.com or not. That is an entirely separate issue, one that SPF is intended to address.

Regards, Paul.
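As an added illustration of the redirect= layout discussed in the reply above (example code written here, not part of the original message or any SPF implementation), a small evaluator runs the green.com/red.com/blue.com/brown.com records against constructed in-memory zone data; mail.green.com's address 192.0.2.25 and a frog.com record using the author's own ip4 network are assumptions. It shows that editing only green.com's a: mechanism changes the verdict for every redirecting domain, and that mail.green.com's bare "v=spf1 ~all" record softfails anything claiming that host as its sender domain.

```python
import ipaddress
# Constructed in-memory zone data mirroring the redirect= layout in the reply
# above (mail.green.com's address and frog.com's record are assumptions).
DNS = {
    ("green.com", "TXT"): ["v=spf1 a:mail.green.com ~all"],
    ("red.com", "TXT"): ["v=spf1 redirect=green.com"],
    ("blue.com", "TXT"): ["v=spf1 redirect=green.com"],
    ("brown.com", "TXT"): ["v=spf1 redirect=green.com"],
    ("mail.green.com", "TXT"): ["v=spf1 ~all"],
    ("mail.green.com", "A"): ["192.0.2.25"],
    ("frog.com", "TXT"): ["v=spf1 ip4:212.159.14.0/24 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])

def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy for envelope-sender domain `domain` and
    connecting IP `ip` (a, a:host, ip4, include, redirect and all only)."""
    if depth > 10:                       # guard against redirect/include loops
        return "permerror"
    spf = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"                    # no policy published for this domain
    if len(spf) > 1:
        return "permerror"               # two SPF records is a publishing error
    redirect = None
    for term in spf[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith("redirect="):
            redirect = term[9:]          # applied only if nothing else matches
        elif term == "all":
            return RESULT[qual]
        elif term == "a" or term.startswith("a:"):
            target = term[2:] if ":" in term else domain
            if ip in lookup(target, "A"):
                return RESULT[qual]
        elif term.startswith("ip4:"):
            if ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:]):
                return RESULT[qual]
        elif term.startswith("include:"):
            if check_host(ip, term[8:], depth + 1) == "pass":
                return RESULT[qual]
        # mx, ptr and the exp= modifier are not modelled here
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"                     # default when no term matches
```

Changing the single ("mail.green.com", "A") entry, or green.com's a: target, moves the whole group of redirecting domains to the new mailer without touching their own records.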

