spf-discuss

RE: Clarification of %{p} macro & 4.6 Ptr validated domain resolution

2004-06-30 09:04:37
Meng Weng Wong wrote:

Perhaps this is a stupid question, but can't you use %{o}?

Does %{o} validate against the Client IP address? 

Specifically, if I published "v=spf1 exists:%{o}.sends-mail.exclaimer.net"
wouldn't it be possible for any IP address to spoof my domain if I had an "A"
record listed in the sub-domain? 

Or have I missed something about the %{o} macro that is in the spec... [grabs
spec and furiously reads...] hmmm, I read it that it's the part of the
responsible sender after the '@' character.

Unless there is something more fundamental than this, my implementation would
permit any IP address to spoof all the domains listed under the
sends-mail.exclaimer.net domain, whereas a %{p} would authenticate the IP
against the PTR first, and then do the "exists" thus avoiding the spoofing
opportunity if only the spec stated that it should prefer the responsible
domain.

[rushes off and writes these as test cases to prove a point...]

Sorry if this seems like nitpicking but some of my customers are in an
environment where it might be useful to have an SPF policy such as this and
unless I can convince the community to handle this in their implementations,
it's not going to be useful to publish a policy such as this.

-Gary
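
The difference the message above describes, as an added example (not code from this thread or from any SPF implementation): a minimal evaluator for a single `exists:` mechanism run against a constructed DNS table. The IP addresses, the sender address, the `mail.exclaimer.net` host and the rule that `%{p}` prefers a validated name equal to the sender's domain are assumptions made for the illustration.

```python
# Constructed DNS data (documentation IP ranges); not real records.
A = {
    # Marker record that the exists: policy from the post looks up.
    "exclaimer.net.sends-mail.exclaimer.net": ["192.0.2.1"],
    "exclaimer.net": ["192.0.2.10"],
    "mail.exclaimer.net": ["192.0.2.10"],
}
PTR = {
    "192.0.2.10": ["mail.exclaimer.net", "exclaimer.net"],  # real outbound host
    # Unrelated host whose owner controls its reverse zone and claims the name.
    "203.0.113.66": ["exclaimer.net"],
}

def validated_ptr(ip, sender_domain):
    """Value of %{p}: a PTR name whose A records contain ip, else 'unknown'."""
    valid = [name for name in PTR.get(ip, []) if ip in A.get(name, [])]
    if sender_domain in valid:
        # Assumed preference: pick the responsible domain when it validates.
        return sender_domain
    return valid[0] if valid else "unknown"

def expand(spec, ip, sender):
    """Expand plain %{o} and %{p} only (no transformers or delimiters)."""
    domain = sender.rsplit("@", 1)[1]  # %{o}: part of the sender after '@'
    return (spec.replace("%{o}", domain)
                .replace("%{p}", validated_ptr(ip, domain)))

def exists_matches(spec, ip, sender):
    """exists: matches when the expanded name has any A record."""
    return bool(A.get(expand(spec, ip, sender)))

if __name__ == "__main__":
    sender = "user@exclaimer.net"  # constructed envelope sender
    for macro in ("%{o}", "%{p}"):
        spec = macro + ".sends-mail.exclaimer.net"
        for ip in ("192.0.2.10", "203.0.113.66"):
            print(spec, ip, "->", expand(spec, ip, sender),
                  "match" if exists_matches(spec, ip, sender) else "no match")
```

With `%{o}` the looked-up name never depends on the client IP, so both addresses match; with `%{p}` the second address fails forward validation, expands to `unknown`, and does not match.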