Frank Ellermann wrote:
3 - only because it's syntactically possible I'd still like to
know what -include:x / ~include:x / ?include:x really do
if somebody uses it.
"v=spf1 -include:xyz.com +all" changes 'pass' into a 'fail' and changes
'fail', 'softfail', 'neutral' amd 'none' into a 'pass'.
"include" is actually the wrong name for this mechanism because it does not
really include an SPF record. Rather is examines the SPF record and changes
'pass' to 'match'. 'match' is then changed to 'pass', 'fail', 'softfail' or
'neutral' according the the prefix of "include".
There is another problem with "inlude":
Let's assume that example.com uses the servers of xyz.com and abc.com and
therefore has following SPF record:
example.com. TXT "v=spf1 include:xyz.com include:abc.com -all"
Now if xyz.com has following SPF record
xyz.com. TXT "v=spf1 mx ?ptr:dsl.xyz.com -all"
then mail sent from xxx.dsl.xyz.com saying "MAIL FROM:<bob(_at_)xyz(_dot_)com>"
is
accepted but mail sent from xxx.dsl.xyz.com saying "MAIL
FROM:<john(_at_)example(_dot_)com>" is rejected. This is not what the
administrator of
example.com intented.
My desire: "include" should be really an include, the result should be the
result of the included SPF record, and "include" must not have a prefix. If
that cannot be changed anymore, the maybe we should add a "sub:domain-spec"
command.
Roger