spf-discuss

RE: Large address scope problem

2004-06-14 06:49:07
-----Original Message-----
From: owner-spf-discuss@v2.listbox.com [mailto:owner-spf-discuss@v2.listbox.com] On Behalf Of Gary Levell
Sent: Monday, June 14, 2004 9:36 AM
To: spf-discuss@v2.listbox.com
Subject: [spf-discuss] Large address scope problem
I'm sure that there has already been discussion of this topic, but I'm
worried about the ability of domain owners to create records that are in
the simple case

      "v=spf1 +all"

And in the more complex case

      "v=spf1 +mx/8 ip:1.2.3.4/0 -all"

or any other mechanisms that match large segments of the address space.

I kind of have this thought in the back of my head that if any of the
mechanisms with a (+) modifier represent an address space larger than
say CIDR /16, then my implementation could optionally have the ability
to treat this condition as if the domain did not publish an SPF policy
at all, e.g. returns "unknown".

Does anyone have a better definition of "large segment" or other
concerns about this kind of option?

Thanks,
Gary

One theme that I have seen repeated on this and the related lists is the
idea that SPF results should be deterministic.  No matter who does the
check, no matter which implementation is used, the same result should be
produced.  I think this is important.

The idea of scope limits for SPF records might be a good one, but I don't
think you should implement it on your own.  You ought to implement the
requirements in the spec.  This idea should be discussed on the list and
perhaps added to the spec.

Personally, I think it goes too far.  I believe that the main purpose of SPF
is to prevent forgery and identify responsible parties for e-mails, not spam
filtering.  If someone publishes a record like you've described, then
they've signed up to be responsible.  Then we go hunt them down and give
them the fate the spammers deserve (insert local policy here).

Scott
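A checker for the scope limit Gary proposes, written as an added example (my own Python, not code from either poster or from any SPF implementation): it flags "+" mechanisms wider than an IPv4 /16 without doing DNS lookups, since the CIDR suffix on a/mx widens every resolved address regardless of what it resolves to. The IPv6 threshold is my own assumption, and the second test record uses the ip4: spelling from the SPF spec rather than the ip: in the quoted message.

```python
import ipaddress

# Threshold from Gary's proposal: a pass mechanism wider than IPv4 /16 is "large".
# The IPv6 threshold (/64) is my own assumption; the thread only discusses IPv4.
IPV4_MAX_BITS = 16
IPV6_MAX_BITS = 64


def _ip4_cidr(arg, default):
    """Length of the IPv4 CIDR suffix in a mechanism argument such as
    ':example.com/24', '/8' or '/24//64' (dual-cidr); default if absent."""
    if "/" not in arg:
        return default
    bits = arg.split("/", 1)[1].split("/")[0]   # text between first '/' and any '//'
    return int(bits) if bits else default


def wide_pass_mechanisms(record):
    """Return the terms whose '+' (pass) scope exceeds the thresholds.
    Only statically checkable terms are assessed: 'all', 'ip4', 'ip6', and the
    CIDR suffix of 'a'/'mx'. 'include', 'exists' and 'ptr' need lookups and
    are left alone here; unknown mechanism names are ignored."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    wide = []
    for term in terms[1:]:
        if "=" in term:                     # modifier (redirect=, exp=): skip
            continue
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is '+'
        if qual != "+":                     # only pass results widen the scope
            continue
        mech = term.lstrip("+-~?")
        name = mech.split(":", 1)[0].split("/", 1)[0].lower()
        arg = mech[len(name):]              # ':1.2.3.4/0', '/8', '', ...
        if name == "all":
            wide.append(term)
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg[1:], strict=False)
            limit = IPV4_MAX_BITS if net.version == 4 else IPV6_MAX_BITS
            if net.prefixlen < limit:
                wide.append(term)
        elif name in ("a", "mx") and _ip4_cidr(arg, 32) < IPV4_MAX_BITS:
            wide.append(term)
    return wide


def effective_record(record):
    """Gary's option: treat an over-broad record as if none were published."""
    return None if wide_pass_mechanisms(record) else record
```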