spf-discuss

RE: Clarification of %{p} macro & 4.6 Ptr validated domain resolution

2004-06-30 16:09:03
Meng Weng Wong wrote:

Perhaps this is a stupid question, but can't you use %{o}?

Actually, after thinking about it, an "exists:" macro without an %{i} or %{p}
is an unsafe mechanism to use. 

All the possible domain permutations from a completely static one through to
a fully dynamic one are spoofable because the client IP is not involved in
the expansion of the domain macro.

So, for our product, in addition to detection (and optional rejection) of
messages from domains who publish "+all" and "ip4", "ip6", "a" & "mx"
mechanisms with large CIDR blocks, it looks like I need to detect "exists"
that don't contain %{i} or %{p} macros. Or indeed %{i/p<n>} where n<3.

Inevitably, spammers are just going to move from no policy to "v=spf1 +all"
through "v=spf1 +a/0 -all" through to "v=spf1 exists:spammerparadise.com
-all" and finally to something like "v=spf1 exists:{%i1}.spammerparadise.com
-all".

-Gary
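The detection Gary describes, as an added example that is not part of the original post or any product: a small Python checker that walks a v=spf1 record and flags "+all", pass-qualified "exists:" targets whose domain does not depend on the client IP (no %{i}/%{p} macro, or only ones truncated to fewer than three labels), and large CIDR blocks. The label and prefix-length thresholds are assumptions, not values from the thread.

```python
import re

# SPF macro: %{<letter><optional digit count><optional r><optional delimiters>}
MACRO_RE = re.compile(r"%\{([a-zA-Z])(\d*)(r?)([.\-+,/_=]*)\}")
# Trailing CIDR length(s): "/24", or dual-cidr "/24//64" on a and mx mechanisms.
CIDR_RE = re.compile(r"/(\d+)(?://(\d+))?$")
MIN_IP_LABELS = 3     # assumed threshold: %{i1} and %{i2} are too coarse (n < 3)
MAX_IP4_PREFIX = 16   # assumed threshold for a "large CIDR block" (IPv4)
MAX_IP6_PREFIX = 48   # assumed threshold for a "large CIDR block" (IPv6)

def exists_is_unsafe(target):
    """An exists: target is spoofable when it contains no %{i}/%{p} macro,
    or when every such macro keeps fewer than MIN_IP_LABELS labels."""
    ip_macros = [m.group(2) for m in MACRO_RE.finditer(target)
                 if m.group(1).lower() in ("i", "p")]
    if not ip_macros:
        return True
    # An empty digit part means the whole (optionally reversed) IP is used.
    return all(n != "" and int(n) < MIN_IP_LABELS for n in ip_macros)

def flag_record(record):
    """Return (term, reason) pairs for pass ('+') terms that let a sender
    through without the client IP constraining the result."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return findings
    for term in terms[1:]:
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech = re.match(r"[a-zA-Z0-9]+", body)
        if qual != "+" or not mech or body[mech.end():mech.end() + 1] == "=":
            continue  # fail/softfail/neutral term, or a modifier such as redirect=
        name, arg = mech.group().lower(), body[mech.end():].lstrip(":")
        if name == "all":
            findings.append((term, "+all lets any host pass"))
        elif name == "exists" and exists_is_unsafe(arg):
            findings.append((term, "exists: target does not depend on client IP"))
        elif name in ("ip4", "ip6", "a", "mx"):
            m = CIDR_RE.search(arg)
            if m:
                ip4, ip6 = int(m.group(1)), int(m.group(2) or 128)
                if name == "ip6":            # a single /len on ip6 is an IPv6 length
                    ip4, ip6 = 32, int(m.group(1))
                if ip4 < MAX_IP4_PREFIX or ip6 < MAX_IP6_PREFIX:
                    findings.append((term, "large CIDR block"))
    return findings
```

Running it over the escalation ladder in the post flags each of the four records, while a record such as "v=spf1 exists:%{ir}.%{l}._spf.example.com -all" passes clean.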