Stuart D. Gathman wrote:
You are missing the point. SPF is required to check that the PTR records
does match.
Yes, that is important.
The 'ptr' mechanism may be unrealiable, not because there is a fault in the
SPF specifications, but because many do not understand it. So if an
programmer who does not completely understand the 'ptr' mechanism implements
it in a wrong way, then of course it is useless.
** The 'ptr' mechanism matches all IP addresses pointed to by all the A
records in the domain's zone. **
In above statement I intentionally did not mention the PTR records, because
the domain owner has no control over the PTR records that an ISP somewhere
who supports spammers publishes. But the domain owner (or his ISP) has
complete control over all A records in his zone, and that is the point.
The PTR lookup done by the 'ptr:example.com' mechanism is used only to
quickly filter IP addresses whose reverse DNS lookup does not point to the
example.com domain or a subdomain of it.
This said, I agree with Andriy that the 'ptr' mechanism should be replaced
with "exists:%{ir}.mxlist.example.com". Or better replaced with 'ip4'
mechanisms, provided they fit in one SPF record.
Roger