On Fri, 18 Jun 2004, Meng Weng Wong wrote:
> Use case 2: one domain, many machines
>
> Example.com is a domain with three machines.
> One is a webserver, two are mailservers.
> All of them are authorized to send mail.
>
> example.com A 192.0.2.1
> 192.0.2.1 PTR example.com
> www.example.com A 192.0.2.1
>
> example.com MX 10 mx10.example.com
> mx10.example.com A 192.0.2.10
> 192.0.2.10 PTR mx10.example.com
>
> example.com MX 11 mx11.example.com
> mx11.example.com A 192.0.2.11
> 192.0.2.11 PTR mx11.example.com
>
> 192.0.2.1 sends mail with
> HELO example.com
> MAIL FROM:<user(_at_)example(_dot_)com>
> From: <user(_at_)example(_dot_)com>
>
> 192.0.2.10 sends mail with
> HELO mx10.example.com
> MAIL FROM:<user(_at_)example(_dot_)com>
> From: <user(_at_)example(_dot_)com>
>
> 192.0.2.11 sends mail with
> HELO mx11.example.com
> MAIL FROM:<user(_at_)example(_dot_)com>
> From: <user(_at_)example(_dot_)com>
>
> Unified SPF asks example.com to publish four SPF
> records:
>
> example.com TXT "v=spf1 a mx -all"
> www.example.com TXT "v=spf1 a -all"
> mx10.example.com TXT "v=spf1 a -all"
> mx11.example.com TXT "v=spf1 a -all"
Now can you imagine this being a wildcard record? I sure can:
example.com TXT "v=spf1 a mx -all"
*.example.com TXT "v=spf1 a -all"
And I would like again to point out that MTAMark-like records do not
necessarily need to be part of the INADDR tree that so many people somehow
don't like. All that is required is that you check the SPF record on the name
you obtain from the PTR lookup. And in most normal mail server setups, this
actually will not even require an additional lookup, as the domain would be
the same as what you see in HELO or in Mail-From.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
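As an added illustration that is not part of this thread, the following small Python evaluator runs the a / mx / all mechanisms over the zone data quoted above (embedded as constructed dictionaries) and checks each sender by HELO name, by MAIL FROM domain and by the name obtained from the PTR lookup, first against the four explicit TXT records and then against the apex-plus-wildcard form. The function names are my own; the zone contents come from the quoted use case.

```python
# Added illustration (not code from the thread): minimal SPF evaluation over
# the zone quoted above, for the a / mx / all mechanisms only.
ZONE = {  # constructed from the records in the quoted use case
    "A": {"example.com": "192.0.2.1", "www.example.com": "192.0.2.1",
          "mx10.example.com": "192.0.2.10", "mx11.example.com": "192.0.2.11"},
    "MX": {"example.com": ["mx10.example.com", "mx11.example.com"]},
    "PTR": {"192.0.2.1": "example.com", "192.0.2.10": "mx10.example.com",
            "192.0.2.11": "mx11.example.com"},
}
# The two candidate TXT sets: four explicit records vs. apex + wildcard.
EXPLICIT_TXT = {"example.com": "v=spf1 a mx -all", "www.example.com": "v=spf1 a -all",
                "mx10.example.com": "v=spf1 a -all", "mx11.example.com": "v=spf1 a -all"}
WILDCARD_TXT = {"example.com": "v=spf1 a mx -all", "*.example.com": "v=spf1 a -all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(txt, name):
    """TXT lookup with DNS wildcard semantics (RFC 1034 s4.3.3 / RFC 4592):
    a wildcard is synthesised only for names that own no records at all."""
    if name in txt:
        return txt[name]
    if name in ZONE["A"] or name in ZONE["MX"]:
        return None  # the name exists, so *.example.com does not apply to it
    return txt.get("*." + name.partition(".")[2])

def check_spf(txt, ip, domain):
    """Evaluate a v=spf1 record for (ip, domain): pass/fail/softfail/neutral/none."""
    record = lookup_txt(txt, domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        matched = (mech == "all"
                   or (mech == "a" and ZONE["A"].get(domain) == ip)
                   or (mech == "mx" and any(ZONE["A"].get(h) == ip
                                            for h in ZONE["MX"].get(domain, []))))
        if matched:
            return RESULT[qual]
    return "neutral"  # no mechanism matched

def check_sender(txt, ip, helo, mail_from_domain):
    """The three identities a receiver can test for one connection, as discussed
    above: the HELO name, the MAIL FROM domain and the name from the PTR lookup."""
    return {"helo": check_spf(txt, ip, helo),
            "mail_from": check_spf(txt, ip, mail_from_domain),
            "ptr_name": check_spf(txt, ip, ZONE["PTR"].get(ip, ""))}

if __name__ == "__main__":
    for ip, helo in [("192.0.2.1", "example.com"), ("192.0.2.10", "mx10.example.com")]:
        print(ip, check_sender(EXPLICIT_TXT, ip, helo, "example.com"),
              check_sender(WILDCARD_TXT, ip, helo, "example.com"))
```

Because a resolver only synthesises a wildcard answer for names that do not otherwise exist, mx10.example.com and mx11.example.com, which already own A records, get no TXT from *.example.com in this model (check_spf returns "none" for them), so the HELO and PTR-name checks for those hosts still need explicit records.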