spf-discuss

Re: Unified SPF works in progress now in alpha

2004-07-05 00:50:25

On Sun, 4 Jul 2004, Meng Weng Wong wrote:

> On Sun, Jul 04, 2004 at 01:39:48AM -0700, william(at)elan.net wrote:
> | 
> | My understanding is that the scope parameter is a type of macro. How can this be 
> | used if I want to have a different list of IPs (or in general a different set 
> | of records) for different identities, i.e. for ehlo the valid IPs are
> | 192.168.1.0/24 while for mail-from it's the entire 192.168.0.0/16, and
> | I want to represent this as one SPF record. Please give an example.
> 
>   mydomain.com "v=spf1 redirect=%{e}._spf.%{d}"
>   helo._spf.mydomain.com "v=spf1 ip4:192.168.1.0/24 -all"
>   mail-from._spf.mydomain.com "v=spf1 ip4:192.168.0.0/16 -all" 

Thank you for this example. However, I was asking about "one SPF record", 
and this appears to be three, requiring at least two DNS lookups. Considering
how many DNS lookups would be necessary for the unified SPF approach, doubling
that number is not the way to do it, unless the SPF record for each type of 
mail identity is by itself too large, requiring separation into separate 
DNS records.

My understanding is that currently there is no way to directly specify
scope as part of an SPF record. I think this is a weakness in the specification
in light of the unified SPF approach. And since we're considering such a large
processing change as unified SPF, I think making some changes to SPF syntax
to provide for direct specification of scope is an acceptable advancement
of the protocol. 

My preference would be to minimize the size of the record, and for that I 
believe it's better to assign each mail identity one letter, such as "m" 
for "mail-from", "p" for "ptr", "h" for "helo" and "s" for submitter/PRA.
This letter (or multiple ones) can be prefixed before SPF mechanisms,
followed by "+", "-", "~", "?" (one of them required when a scoping prefix 
is being used). In such a case the increase in size of the record is minimal,
and not having one present may be considered either equivalent to the 
SPF-classic "mail-from" identity or possibly equivalent to "all" (or 
otherwise we would need a special prefix to signify "all", like say "*").

In such a case, the example I asked for could be represented as:
  mydomain.com "v=spf1 h+ip4:192.168.1.0/24 m+ip4:192.168.0.0/16 -all" 

And an example of a record for two identities:
  mydomain.com "v=spf1 sm+ip4:192.168.16.0/19 ph+ip4:192.168.20.0/24 -all" 

What do you think?

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
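The two schemes compared in this message, as an added example that is not part of the original post and not code from any SPF implementation: a small Python evaluator for the scope-prefix syntax William proposes, beside one for Meng's redirect=%{e}._spf.%{d} layout, run over the same constructed records so that the extra DNS lookups William objects to are counted explicitly. Assumptions made here: the %{e} macro expands to the scope name used in Meng's record labels ("helo", "mail-from", ...); an unprefixed term applies to every scope (the "equivalent to all" default William mentions); DNS is replaced by an in-memory zone dict; only ip4:, all and redirect= are implemented, and the %{d} expansion is the current domain.

```python
"""Evaluator for the two scoping styles discussed in this thread.

Added example, not code from the original post or from any SPF
implementation. Only ip4:, all and redirect= are handled; DNS is replaced
by an in-memory zone dict (constructed); %{e} is assumed to expand to the
identity scope name so that Meng's redirect example resolves as written.
"""
import ipaddress
import re

# Scope letters from William's proposal, mapped to the label used in
# Meng's per-scope record names (assumed expansion of %{e}).
SCOPE_LETTERS = {"m": "mail-from", "h": "helo", "p": "ptr", "s": "pra"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# A scope prefix is only recognised when a qualifier follows it; this is
# what keeps "ptr", "mx" and "sm+ip4:..." unambiguous, as the proposal
# requires.
SCOPED_TERM = re.compile(r"^([mhps]+)([+\-~?])(.+)$")
PLAIN_TERM = re.compile(r"^([+\-~?])?([a-z0-9]+)(?::(.+))?$")


def parse_record(record):
    """Return a list of (scopes, qualifier, mechanism, argument) tuples.

    scopes is None for an unprefixed term, which this example treats as
    applying to every scope (assumption). A redirect= modifier is returned
    as mechanism "redirect" with the target as its argument.
    """
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        if term.startswith("redirect="):
            parsed.append((None, None, "redirect", term[len("redirect="):]))
            continue
        scopes = None
        m = SCOPED_TERM.match(term)
        if m:
            scopes, qual, rest = set(m.group(1)), m.group(2), m.group(3)
            m = PLAIN_TERM.match(rest)
            if m is None or m.group(1) is not None:
                raise ValueError(f"bad scoped term: {term}")
        else:
            m = PLAIN_TERM.match(term)
            if m is None:
                raise ValueError(f"bad term: {term}")
            qual = m.group(1) or "+"  # classic SPF default qualifier
        parsed.append((scopes, qual, m.group(2), m.group(3)))
    return parsed


def _matches(mech, arg, addr):
    """Only ip4 and all are implemented in this example."""
    if mech == "all":
        return True
    if mech == "ip4":
        return addr in ipaddress.ip_network(arg, strict=False)
    raise NotImplementedError(f"mechanism {mech} not implemented here")


def check_scoped(record, scope, ip):
    """Evaluate William's single-record syntax for one identity scope letter."""
    addr = ipaddress.ip_address(ip)
    for scopes, qual, mech, arg in parse_record(record):
        if mech == "redirect":
            continue  # not needed for the single-record form
        if scopes is not None and scope not in scopes:
            continue  # term belongs to another identity
        if _matches(mech, arg, addr):
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched


def check_redirect(zone, domain, scope, ip):
    """Evaluate Meng's redirect=%{e}._spf.%{d} layout against a zone dict.

    Returns (result, lookups); every zone access counts as one DNS query,
    which is the cost William is objecting to.
    """
    addr = ipaddress.ip_address(ip)
    lookups = 0
    while True:
        lookups += 1
        record = zone.get(domain)
        if record is None:
            return "none", lookups  # no record for this scope's name
        redirect = None
        for scopes, qual, mech, arg in parse_record(record):
            if mech == "redirect":
                redirect = arg
            elif (scopes is None or scope in scopes) and _matches(mech, arg, addr):
                return QUALIFIERS[qual], lookups
        if redirect is None:
            return "neutral", lookups
        # Assumed macro expansion: %{e} -> scope label, %{d} -> current domain.
        domain = redirect.replace("%{e}", SCOPE_LETTERS[scope]).replace("%{d}", domain)


# Constructed zone, copied from Meng's three-record example.
ZONE = {
    "mydomain.com": "v=spf1 redirect=%{e}._spf.%{d}",
    "helo._spf.mydomain.com": "v=spf1 ip4:192.168.1.0/24 -all",
    "mail-from._spf.mydomain.com": "v=spf1 ip4:192.168.0.0/16 -all",
}
# William's single-record forms from the message above.
ONE_RECORD = "v=spf1 h+ip4:192.168.1.0/24 m+ip4:192.168.0.0/16 -all"
TWO_IDENTITIES = "v=spf1 sm+ip4:192.168.16.0/19 ph+ip4:192.168.20.0/24 -all"

if __name__ == "__main__":
    for scope, ip in (("h", "192.168.1.9"), ("h", "192.168.7.9"), ("m", "192.168.7.9")):
        print(scope, ip, "scoped:", check_scoped(ONE_RECORD, scope, ip),
              "redirect:", check_redirect(ZONE, "mydomain.com", scope, ip))
```

Running the two evaluators on the same (scope, IP) pairs gives the same pass/fail answers, but check_redirect reports two lookups per decision where the single record needs one. The parser also shows why the proposal insists on a qualifier after a scope prefix: "ptr" stays the ptr mechanism, while "p-ptr" is the ptr mechanism restricted to the ptr scope.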