spf-discuss

Re: THIS POLL IS USELESS

2004-06-01 13:46:51
On Tue, 1 Jun 2004 list+spf-discuss(_at_)doeblitz(_dot_)net wrote:

> I do not believe that there is a way to make any kind of specification truly
> extensible, including extension of semantics. And without the semantics you
> don't need syntactic extensibility.

The existing SPFv1 specification is semantically extensible in any way
desired by the domain publisher via the 'exists' mechanism.  The only
limitation is on which data items can be obtained from the mail recipient MTA
via macros.  Given unlimited semantic extensibility - there is no need for
syntactic extensibility.  

There is actually no need for any mechanism other than exists.  The other
mechanisms exist only as an optimization for common checks which can be safely
performed on the receiving MTA without consulting the sender domain.  
Each additional feature to be executed on the receiving MTA raises the
risk that the language may become too powerful and open a security hole
or potential DoS attack.

If the receiving MTA trusts the DNS server enough to use crypto keys and
such that it might provide, it can trust any SPF decisions it makes via exists.

An ISP could publish a single generic SPF record for all domains and 
vanity domains it maintains.  The generic SPF record would contain 1 to
3 'exists' queries (depending on whether you want the policy engine to
be able to return neutral and/or softfail in addition to pass/fail). All
sender policies would then be interpreted by the DNS responder using whatever
syntax or language the sender so desires - be it XML, .NET, VB, Python, Java,
Scheme, or what have you.
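As an added illustration of the scheme above (not code from the original post, nor from any SPF implementation): a minimal evaluator for records built only from 'exists' terms and a final 'all', with a constructed DNS responder standing in for the ISP's policy engine. The record, hostnames, addresses and the policy table are made up; macros are expanded for IPv4 only.

```python
import re

# SPF macros handled here (a subset): %{s} sender, %{l} local-part, %{o} sender
# domain, %{d} current domain, %{i} connecting IP; digits/"r" keep N rightmost labels/reverse.
MACRO_RE = re.compile(r"%\{([slodi])(\d*)(r?)([.\-+,/_=]*)\}")
QUAL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def expand(spec, sender, ip, domain):
    """Expand the macros in one mechanism argument into a DNS name (IPv4)."""
    local, _, sender_dom = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_dom, "d": domain, "i": ip}
    def sub(m):
        letter, digits, rev, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)
    return MACRO_RE.sub(sub, spec)

def check_host(record, ip, sender, domain, dns_a):
    """Evaluate a record made of 'exists' terms plus a final 'all'.  dns_a(name)
    stands in for an A lookup; any answer is a match, so the responder decides."""
    for term in record.split()[1:]:                     # skip "v=spf1"
        qual = "+"
        if term[0] in QUAL_RESULT:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUAL_RESULT[qual]
        mech, _, arg = term.partition(":")
        if mech != "exists":
            raise ValueError("only exists/all are handled here: " + mech)
        if dns_a(expand(arg, sender, ip, domain)):
            return QUAL_RESULT[qual]
    return "neutral"                                    # record had no 'all'

# The ISP's single generic record: three 'exists' queries let the responder say
# pass, softfail or neutral; anything it does not recognise is a fail.
ISP_RECORD = ("v=spf1 exists:%{i}.%{d}.pass._spf.isp.example "
              "~exists:%{i}.%{d}.softfail._spf.isp.example "
              "?exists:%{i}.%{d}.neutral._spf.isp.example -all")

def isp_responder(name):
    """Constructed stand-in for the ISP's DNS; name = <ip4>.<domain>.<verdict>._spf.isp.example."""
    labels = name.split(".")
    ip, domain, want = ".".join(labels[:4]), ".".join(labels[4:-4]), labels[-4]
    policy = {("192.0.2.10", "example.com"): "pass",          # customer's MTA
              ("198.51.100.7", "example.com"): "softfail"}    # roaming user
    return ["127.0.0.2"] if policy.get((ip, domain)) == want else []
```

Swapping the policy table for a database or a script changes the sender's policy language without touching the record or the receiving MTA, which is the point made above.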

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.