spf-discuss

Re: Question on how things work

2004-06-10 09:45:02
On Wed, 9 Jun 2004, wayne wrote:

In <40C30C10(_dot_)8080805(_at_)whipple(_dot_)org> Weldon Whipple <weldon(_at_)whipple(_dot_)org> writes:

Meng Weng Wong wrote:

 mengwong._spf.pobox.com TXT "v=spf1 a:dumbo.pobox.com -all"
    user1._spf.pobox.com TXT "v=spf1 include:earthlink.net ?all"
    user2._spf.pobox.com TXT "v=spf1 include:verizon.net ?all"


Thanks for the explanation! I have implemented the above on the domain
I mentioned in my note. I notice in the above that mengwong... ends in
-all, and user1... and user2... end in ?all. Is there a way of saying
the following: "Everyone else (not specifically mentioned) should be
'-all'" --kind of a wildcard that eliminates all other addresses in
pobox.com?

I'm pretty sure that this will work:

*._spf.pobox.com TXT "v=spf1 -all"


In waiting for a response I stumbled onto the following URL, which gives a
somewhat different explanation (if I understand it correctly), implying
that the wildcard is unnecessary. Here is the URL:

http://spf.pobox.com/mechanisms.html#redirect

It gives the example:

"v=spf1 redirect=example.net"

then says:

<quote>
Suppose example.net's SPF record were "v=spf1 a -all".
Look up the A record for example.net. If it matches 1.2.3.4, return allow.
If there is no match, the exec fails to match, and the -all value is used.
</quote>

The last line *could* be interpreted as follows:

Say my domain has the following spf record:

whipple.org     86400 IN        TXT "v=spf1 redirect=%{l}._spf.whipple.org"

and I have additional records for the following (only)

fred._spf.whipple.org    86400 IN   TXT "v=spf1 ip4:192.168.234.5 -all"
mel._spf.whipple.org     86400 IN   TXT "v=spf1 ip4:192.168.234.6 -all"
shtinky._spf.whipple.org 86400 IN   TXT "v=spf1 ip4:192.168.234.7 -all"

There is *not* one for (say):

elvis._spf.whipple.org   86400 IN   TXT "v=spf1 ip4:192.168.234.8 -all"

If someone sends e-mail purportedly from elvis(_at_)whipple(_dot_)org,
"If there is no match, the exec fails to match, and the -all value is
used" (quoting from the URL given earlier).

That is exactly the way I would want it to behave, I think... (?)

(P.S. I realize that the above IP addresses are private ones. In a real
implementation, they would be public ...)

-- 
Weldon Whipple
weldon(_at_)whipple(_dot_)org
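
Added example, not part of the original message: a minimal SPF evaluator run over a constructed copy of the records above, comparing a sender with no per-user record with and without the wildcard. It assumes the redirect uses the `%{l}` local-part macro and follows RFC 7208 (which postdates this thread), where a redirect target with no SPF record yields permerror rather than the target's -all; `check_host`, `lookup`, `ZONE` and `WILDCARD` are hypothetical names, and wildcard matching is simplified to one label.

```python
import ipaddress

# Constructed zone modelled on the TXT records in the post.
ZONE = {
    "whipple.org": "v=spf1 redirect=%{l}._spf.whipple.org",
    "fred._spf.whipple.org": "v=spf1 ip4:192.168.234.5 -all",
    "mel._spf.whipple.org": "v=spf1 ip4:192.168.234.6 -all",
    "shtinky._spf.whipple.org": "v=spf1 ip4:192.168.234.7 -all",
}
# The wildcard suggested earlier in the thread, adapted to this domain.
WILDCARD = {"*._spf.whipple.org": "v=spf1 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(zone, name):
    """Exact name first, then a single-label wildcard (simplified DNS rule)."""
    if name in zone:
        return zone[name]
    return zone.get("*." + name.split(".", 1)[-1])

def check_host(zone, ip, sender, domain=None, redirected=False):
    """Evaluate ip4, all and redirect= only; returns an SPF result string."""
    local, sender_domain = sender.rsplit("@", 1)
    domain = domain or sender_domain
    record = lookup(zone, domain)
    if record is None or not record.startswith("v=spf1"):
        # RFC 7208 section 6.1: no record at a redirect target is permerror.
        return "permerror" if redirected else "none"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:"):
            if ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:]):
                return QUALIFIERS[qualifier]
    if redirect:  # consulted only when no mechanism matched
        target = redirect.replace("%{l}", local).replace("%{d}", domain)
        return check_host(zone, ip, sender, target, True)
    return "neutral"

if __name__ == "__main__":
    for zone in (ZONE, {**ZONE, **WILDCARD}):
        print(check_host(zone, "192.168.234.8", "elvis@whipple.org"))
```

Whether a receiver rejects on permerror is local policy, so the wildcard record is what turns the unlisted-user case into an explicit fail.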

