spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Scope macro, alternative syntaxes, and use cases

2004-07-05 15:23:43
from [Mark Lentczner] [Permanent Link]
Several people have brought up questions about limiting the use of a domain name to different sets of hosts based on scopes. For example, william(at)elan.net wrote: 


My understanding is that scope parameter type of macro. How can this be
used if I want to have different list of ips (or in general different set 
of records) for different identities, i.e. for ehlo valid ip are
192.168.1.0/24 while for mail-from its entire 192.168.0.0/16 ...


Meng replied with this example:
    mydomain.com                "v=spf1 redirect=%{e}._spf.%{d}"
    helo._spf.mydomain.com      "v=spf1 ip4:192.168.1.0/24 -all"
    mail-from._spf.mydomain.com "v=spf1 ip4:192.168.0.0/16 -all"

And, as was pointed out, this requires two TXT records to do the job.
Several alternative syntaxes have been proposed that would make such a thing simpler, and fit in only one record. Indeed, we thought of some too. We rejected them because, for better or worse, SPF is actually deployed and we are wary of changes to the syntax that will break existing parsers. Success has its downsides!
Along these lines, I'm looking for a reasonable example that motivates such a situation. The above example is too contrived: Really if you trust all of 192.168.0.0/16 to use your domain name in MAIL-FROM, then surely you trust any such host to use it in HELO. Guarding against your own errors in configuring your own machines isn't good enough for my purposes.
I'm being a stickler here because people who read internet drafts are vultures - if they can find one tiny thing wrong they'll use it to dismiss the whole thing (this is also the reason why we've broken it up into so many drafts!) When I say "most domains can use just one record, and the answer is the same for all scopes" I have to be right, and when I say "here is where you need records per scope" I have to right too. Also, eventually, real sys. admins. will read this document, and the examples have to be realistic - since they will tend to simply cut-n-paste. 

        - Mark

Mark Lentczner
http://www.ozonehouse.com/mark/
markl(_at_)glyphic(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Unified SPF works in progress now in alpha, Graham Murray
Next by Date:  Emails to SPF domains, Reuben Olson
Previous by Thread:  Re: RCPT TO: rejecting, John A. Martin
Next by Thread:  Re: Scope macro, alternative syntaxes, and use cases, Roger Moser
Indexes:  [Date] [Thread] [Top] [All Lists]