spf-discuss

RE: who will use scopes?

2004-07-08 15:02:10
From: Mark Lentczner
Sent: Thursday, July 08, 2004 3:20 PM

<...>

The more restrictive set above says: "pamho.net" is only accountable if
you see it in MAIL-FROM or PRA from machine 81.221.18.146, and
"mail.pamho.net" is only accountable if you see it in HELO from
81.221.18.146.

Not being willing to take accountability for the cross-cases
("pamho.net" in HELO or "mail.pamho.net" in MAIL-FROM or PRA), which
are never going to be seen, doesn't really do any better to protect
your domain names and reputation.

It could happen in spam, but not in legitimate email.  That's what the
domain owner wants to say and that does give him more protection.  How can
he make that statement?

Using exists mechanisms with macros as in Meng's original example adds to
the recursion depth of DNS queries and doesn't help our case at all.  It
already takes too many DNS queries to resolve an SPF record.  A position
dependent scope modifier (reads left to right, just like regular language)
gives us a huge amount of extensibility and will allow you to do many things
_without_ modifying the language in the future.  It also makes the record
clearer to the average domain owner.  The macro thingy with three TXT
records is not exactly transparent to non-experts.  Add more records for
more scopes and you've got something only a Forth addict could love.

<...>

Please remember - I respect your concern for how you wish to make SPF
statements, and indeed you can using the %{e} macro.  We are only
trying to gather evidence to see if it is worth changing the syntax in
a bigger way than adding another macro letter.

Please see the above on the exists mechanism w/macros.  At this point in
time, I believe it is more important that we have the language be extensible
and easy to read.  Avoiding making changes in this direction simply because
the existing drafts and parsers don't do it is not a good enough reason.
The draft is _preliminary_ and so are all implementations.  This is not the
time to set the current syntax in stone, which will only prevent ordinary
domain owners from making anything but trivial policy statements.

For a more concrete example, how would I cause the domain for SPF record
query to be the MAIL FROM: domain?  I don't want SUBMITTER and I absolutely
don't want PRA, I want the return-path domain.  As this is a simple request,
we should be able to do it in one text record and it should be readable by
non-experts.

--

Seth Goodman