Greg Connor wrote:
I wonder... have we inadvertently hit on something that might address
forwarding without requiring the middle agent to use SRS? The combination
of SES and %{l} is not as foolproof as actually checking the IP, and you
would need a rather specialized DNS server to understand SES and rate
limiting... but it is possible to construct a signing system with SES and
SPF, and that would create a solution that puts the cost burden on the
sender, not the forwarder.
With the current SPF specifications that works only if you run the
specialized DNS on all name server machines, because it is not guaranteed
that the SPF client contacts your primary name server.
For those domains where the secondary name servers get the data via zone
transfers, it should be possible to specify what name server should be
contacted. For example:
v=spf1 a mx exists:%{l}.ses.example.com@ns1.example.com
The SPF client would then first check if ns1.example.com is amongst the name
servers of example.com (to prevent DoS attacks on a third party victim) and
then check at ns1.example.com if localpart.ses.example.com has an A record.
Roger
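The two-step check Roger describes, as an added example that is not part of the thread and not code from any SPF implementation. The `exists:<name>@<nameserver>` suffix is his proposal, not standard SPF syntax, so the parser here is hypothetical; the DNS tables, the `ses0abc` localpart and the 127.0.0.2 answer are constructed in-memory stand-ins for real lookups so the code runs offline. `lookup()` without a server emulates a recursive resolver that may reach any of the domain's name servers; with a server it emulates a direct query to that host.

```python
"""Evaluate a hypothetical 'exists:<domain-spec>@<nameserver>' SPF mechanism.

Constructed illustration of the proposal in the thread above: verify that the
designated server is one of the domain's own NS records, then ask that server
(and only that server) whether <localpart>.ses.example.com has an A record.
"""


class DnsError(Exception):
    """Raised when the designated server is not an NS of the sender domain."""


# Constructed DNS data: (owner name, rrtype) -> list of rdata.  This table
# stands in for whatever a recursive resolver would return; it deliberately
# has no entry for the SES names, because a plain resolver is not guaranteed
# to reach the one server that knows about them.
DNS = {
    ("example.com.", "NS"): ["ns1.example.com.", "ns2.example.com."],
    ("example.com.", "TXT"): [
        "v=spf1 a mx exists:%{l}.ses.example.com@ns1.example.com -all"
    ],
}

# Constructed per-server answers.  Only ns1 runs the "specialized" server that
# knows which localparts were signed; ns2 is a stock secondary and has none.
SERVER_ANSWERS = {
    "ns1.example.com.": {("ses0abc.ses.example.com.", "A"): ["127.0.0.2"]},
    "ns2.example.com.": {},
}


def fqdn(name):
    """Normalise a name to trailing-dot form so comparisons are exact."""
    return name if name.endswith(".") else name + "."


def lookup(name, rrtype, server=None):
    """Return the rdata list for (name, rrtype).

    server=None emulates a recursive resolver (generic table); a server name
    emulates a query sent directly to that authoritative host.
    """
    table = DNS if server is None else SERVER_ANSWERS.get(fqdn(server), {})
    return table.get((fqdn(name), rrtype), [])


def expand_macro(spec, localpart):
    """Expand %{l} only; real SPF has many more macros, not needed here."""
    return spec.replace("%{l}", localpart)


def parse_exists(mechanism):
    """Split 'exists:<domain-spec>[@<nameserver>]' (hypothetical syntax)."""
    if not mechanism.startswith("exists:"):
        raise ValueError("not an exists mechanism: %r" % mechanism)
    spec = mechanism[len("exists:"):]
    if "@" in spec:
        target, server = spec.split("@", 1)
        return target, server
    return spec, None


def check_exists(domain, mechanism, localpart):
    """Evaluate one exists mechanism for the sender <localpart>@<domain>."""
    target, server = parse_exists(mechanism)
    name = expand_macro(target, localpart)
    if server is None:
        # Plain SPF behaviour: whichever server the resolver happens to ask.
        return bool(lookup(name, "A"))
    # Guard from the thread: the designated server must be one of the domain's
    # own name servers, otherwise a record could aim traffic at a third party.
    if fqdn(server) not in lookup(domain, "NS"):
        raise DnsError("%s is not a name server of %s" % (server, domain))
    return bool(lookup(name, "A", server=server))


def spf_exists_result(domain, localpart):
    """Fetch the domain's SPF TXT record and evaluate its first exists term."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:
        raise DnsError("expected exactly one SPF record for %s" % domain)
    for term in records[0].split()[1:]:
        if term.startswith("exists:"):
            return check_exists(domain, term, localpart)
    return None  # no exists mechanism present


if __name__ == "__main__":
    print(spf_exists_result("example.com", "ses0abc"))  # signed localpart
    print(spf_exists_result("example.com", "nobody"))   # unsigned localpart
```

Note that the same mechanism without the `@ns1.example.com` suffix returns False for the signed localpart in this model: the generic table has no SES answers, which is exactly the "not guaranteed that the SPF client contacts your primary name server" problem the suffix is meant to work around.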