spf-discuss

RE: Clarification of %{p} macro & 4.6 Ptr validated domain resolution

2004-06-30 07:38:40
Roger Moser wrote:

It's not clear to me how much of this algorithm should apply to the %{p}
macro, or more to the point, I'm unsure of the usefulness of the %{p}
macro
when using the first of the validated domains.

If the domain owner knows that the first PTR entry has nothing to do with
his domain, then he should simply not use the %{p} macro.

But then isn't the %{p} macro virtually useless to anyone who does not
have an IP dedicated to their MTA, and AFAIK the PTR records are not
guaranteed to be returned from the server in the order they are specified, so
why is the first one so important? More to the point, why wouldn't the SPF
client want to 'prefer' the responsible domain?

Ok, so here is the (contrived) scenario:

I have a block of IP addresses which front a load-balanced server farm
hosting hundreds of domains, some of which send email and some of which
don't. I also control the DNS.

I don't really want to:

   * specify an individual SPF policy for each domain that sends email - I'm
basically lazy (and forgetful)
   * use the "A" mechanism, this would resolve all my hosts and compromise
the domains that didn't send email.
   * use the "MX" mechanism - not all the hosts that send email are MX's
   * use the "IP4" mechanism - not all domains on these IPs send email.
   * use the "PTR" mechanism - all the hosts on the IPs have PTR records so
they could all potentially send mail - but they don't

What I want to specify is something like "v=spf1
exists:%{pr}.sends-email.exclaimer.net -all" as my policy in the domain "*"
on my DNS server.

This means that all the domains that I host will get an SPF policy document,
so they won't be rejected out-of-hand by MTAs that enforce a "must publish
SPF" policy. It also means that unless I specifically create the A record,
they will be rejected by SPF-conformant MTAs.

It also means that I don't have to touch this SPF policy in future for any
IP's that I might add to the load-balancer, hosts that I might add to the
server farm, or MX's that I add provided that all my hosts that send email
have the appropriate PTR record setup and also have an "A" record in the
subdomain sends-email.exclaimer.net if they do indeed send email.

I admit that I'm stretching to come up with the scenario, and that
there may be other solutions, but IMHO this is as valid as any other policy
that I've seen, and for the sake of a simple change in the spec, would work
for this scenario.

-Gary
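The %{p}/%{pr} expansion and the exists: policy discussed above, as an added example that is not part of the original post or of any SPF implementation: it forward-confirms PTR names to build the validated list, picks the %{p} value using the preference order RFC 4408 later standardised (exact domain, then a subdomain of it, then the first validated name, else "unknown"), expands the macro with the digit and reverse transformers, and evaluates Gary's "exists:%{pr}.sends-email.exclaimer.net -all" policy. The resolver is replaced by a constructed, offline DNS table; every host name, IP address and the sends-email.exclaimer.net opt-in records in it are constructed for the example.

```python
import re

# Constructed DNS table standing in for the live resolver (not real records).
DNS = {
    "PTR": {
        # First PTR belongs to another tenant; forward lookup will not confirm it.
        "192.0.2.10": ["other-tenant.example", "web1.farm.example", "alias.farm.example"],
        "192.0.2.20": ["web2.farm.example"],
    },
    "A": {
        "web1.farm.example": ["192.0.2.10"],
        "alias.farm.example": ["192.0.2.10"],
        "web2.farm.example": ["192.0.2.20"],
        "other-tenant.example": ["198.51.100.9"],   # does not point back: not validated
        # Hypothetical opt-in record the operator creates only for hosts that send mail.
        "example.farm.web1.sends-email.exclaimer.net": ["127.0.0.2"],
    },
}

POLICY = "v=spf1 exists:%{pr}.sends-email.exclaimer.net -all"


def lookup(rrtype, name):
    """Offline stand-in for a DNS query; returns [] for NXDOMAIN."""
    return DNS[rrtype].get(name.lower(), [])


def validated_names(ip):
    """PTR names of ip whose forward A lookup contains ip (forward-confirmed rDNS)."""
    return [n for n in lookup("PTR", ip) if ip in lookup("A", n)]


def p_macro(ip, domain):
    """Value of %{p}: prefer <domain>, then a subdomain of it, then the first
    validated name; 'unknown' when nothing validates."""
    names = validated_names(ip)
    if not names:
        return "unknown"
    for n in names:
        if n.lower() == domain.lower():
            return n
    for n in names:
        if n.lower().endswith("." + domain.lower()):
            return n
    return names[0]  # the "first validated name" the thread is debating


# %{<letter><digits><r><delimiters>}: digit transformer keeps the rightmost N
# labels, 'r' reverses them; only the letters this example needs are supported.
MACRO_RE = re.compile(r"%\{([slodipv])(\d*)(r?)([.\-+,/_=]*)\}")


def expand(macro_string, ip, sender, domain):
    """Expand SPF macros in macro_string for the given connection."""
    local, _, sender_domain = sender.partition("@")
    values = {
        "s": sender, "l": local, "o": sender_domain, "d": domain,
        "i": ip, "p": p_macro(ip, domain), "v": "in-addr",
    }

    def sub(m):
        letter, digits, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(sub, macro_string)


def check_exists(policy, ip, sender, domain):
    """Evaluate 'v=spf1 exists:<macro> -all': pass only if the expanded name
    has an A record, otherwise the -all qualifier yields fail."""
    m = re.search(r"exists:(\S+)", policy)
    target = expand(m.group(1), ip, sender, domain)
    return ("pass" if lookup("A", target) else "fail"), target


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "203.0.113.5"):
        print(ip, check_exists(POLICY, ip, "bob@tenant-a.example", "tenant-a.example"))
```

Run as a script, 192.0.2.10 passes (its validated name web1.farm.example reverses to example.farm.web1, and the opt-in A record exists), 192.0.2.20 fails because the operator never created its opt-in record, and 203.0.113.5, which has no PTR at all, fails with the target "unknown.sends-email.exclaimer.net". The ordering concern from the thread is visible in p_macro: with two validated names (web1 and alias) that are neither the sender domain nor a subdomain of it, the answer depends on which PTR the resolver returned first, so a policy that keys on %{p} only behaves deterministically when every validated name for the IP has its own opt-in record.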