spf-discuss

Re: Re: Military

2004-07-28 06:13:21
In <003801c47492$a27b8df0$aa1d6bd8(_at_)johnlaptop> "John Keown" 
<jdk(_at_)nni(_dot_)com> writes:

> The only reason for an unlimited spf record is laziness.

I disagree, there are times when unlimited SPF records are perfectly
ok.

For example, say a company wants to use SPF in a restricted fashion,
but it first needs to gather information about the legitimate usage of
their domain name.  They should be able to publish a "tracking" SPF
record that doesn't change the status quo, such as:

@ TXT "v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.spf.%{d} ?all"

After a while, they may add known good outgoing MTAs, such as:

@ TXT ( "v=spf1 a:mx-out.%{d} include:bulkmailer.com "
        "+exists:CL.%{i}.FR.%{s}.HE.%{h}.spf.%{d} ?all" )

They may even want to get rid of the worst sources of forged email by
explicitly using a DNSBL like the CBL, such as:

@ TXT ( "v=spf1 a:mx-out.%{d} include:bulkmailer.com "
        "-exists:%{ir}.cbl.abuseat.org "
        "+exists:CL.%{i}.FR.%{s}.HE.%{h}.spf.%{d} ?all" )

This would let people continue to send email from their homes,
hotels or client sites in almost all cases.  This would continue to
narrow down which employees still aren't using SMTP AUTH to the
company's MTAs.

How the company proceeds from here is hard to say.  The point is that
there are extremely valid reasons to have unlimited SPF records.


I'll add some more:  Because it is the domain owner's right to not
participate in SPF.  


-wayne
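As an added illustration (not part of Wayne's post and not code from any SPF implementation), here is a small Python macro expander that shows what DNS names the exists: mechanisms in the records above turn into for one connection. That is the whole trick behind the "tracking" record: every receiver that evaluates it sends one query per message to the spf.<domain> zone, and the query name carries the client IP, the envelope sender and the HELO name, so the domain owner's own nameserver logs become the usage survey. The same code reverses the client IP for the DNSBL lookup and checks the expanded name against DNS length limits, which is the practical caveat with this technique: a long sender address or an IPv6 client can push the exists: name past the 63-octet label or 253-octet name limit, and some resolvers refuse query names containing "@". The macro syntax follows RFC 7208 section 7 (the thread predates that RFC); the names SpfContext, expand_macros, expand_record and dns_name_problems, and the sample values 192.0.2.1, 2001:db8::1, alice@example.org, mail.example.org and example.com, are constructed for this example. %{p} is rejected because it needs live PTR lookups.

```python
"""Expand SPF macros (RFC 7208 section 7) offline and show which DNS
names the exists: mechanisms of a record would query for one message."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class SpfContext:
    """Per-message values the macros are expanded from (constructed here)."""
    ip: str       # connecting client IP            -> %{i}, %{v}
    sender: str   # envelope MAIL FROM address      -> %{s}, %{l}, %{o}
    helo: str     # HELO/EHLO host name             -> %{h}
    domain: str   # domain whose record is checked  -> %{d}


# One pass over "%%", "%_", "%-" and "%{letter DIGITS [r] delimiters}".
# Letters not listed here are left untouched (RFC 7208 calls them errors).
_TOKEN_RE = re.compile(
    r"%%|%_|%-|%\{([slodihvp])(\d*)(r?)([.\-+,/_=]*)\}", re.IGNORECASE)


def _macro_value(letter, ctx):
    addr = ipaddress.ip_address(ctx.ip)
    if letter == "s":
        return ctx.sender
    if letter == "l":
        return ctx.sender.rsplit("@", 1)[0]
    if letter == "o":
        return ctx.sender.rsplit("@", 1)[-1]
    if letter == "d":
        return ctx.domain
    if letter == "h":
        return ctx.helo
    if letter == "v":
        return "in-addr" if addr.version == 4 else "ip6"
    if letter == "i":
        # IPv4: the dotted quad. IPv6: every nibble of the full address,
        # dot separated, so that %{ir} gives the ip6.arpa label order.
        if addr.version == 4:
            return str(addr)
        return ".".join(addr.exploded.replace(":", ""))
    raise ValueError("%{p} needs a PTR lookup; not supported offline")


def expand_macros(text, ctx):
    """Expand all macros in a mechanism target or modifier value."""
    def repl(m):
        tok = m.group(0)
        if tok == "%%":
            return "%"
        if tok == "%_":
            return " "
        if tok == "%-":
            return "%20"
        letter, digits, rev, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]",
                         _macro_value(letter.lower(), ctx))
        if rev:                      # "r" transformer: reverse the labels
            parts.reverse()
        if digits:                   # keep only the N right-most labels
            if int(digits) == 0:
                raise ValueError("macro DIGIT transformer must be >= 1")
            parts = parts[-int(digits):]
        out = ".".join(parts)
        # An upper-case macro letter URL-encodes the result.
        return quote(out, safe="") if letter.isupper() else out
    return _TOKEN_RE.sub(repl, text)


def expand_record(record, ctx):
    """Split an spf1 record into (qualifier, name, expanded target) tuples.
    Mechanisms get their qualifier ("+" when absent); modifiers get None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    out = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.match(r"[A-Za-z][A-Za-z0-9_.-]*", term)
        if not name:
            raise ValueError(f"bad term {term!r}")
        rest = term[name.end():]
        if rest.startswith("="):        # modifier such as redirect=
            out.append((None, name.group().lower(), expand_macros(rest[1:], ctx)))
        elif rest.startswith(":"):      # mechanism with a domain-spec
            out.append((qualifier, name.group().lower(), expand_macros(rest[1:], ctx)))
        else:                           # bare mechanism, or only a CIDR length
            out.append((qualifier, name.group().lower(), rest or None))
    return out


def dns_name_problems(name):
    """Return how `name` breaks DNS wire limits (empty list if it does not)."""
    problems, bare = [], name.rstrip(".")
    if len(bare.encode()) > 253:
        problems.append(f"name is {len(bare.encode())} octets (max 253)")
    for label in bare.split("."):
        if label == "":
            problems.append("empty label")
        elif len(label.encode()) > 63:
            problems.append(f"label {label[:12]!r}... is {len(label.encode())} octets (max 63)")
    return problems


if __name__ == "__main__":
    # Constructed sample connection; not taken from any real log.
    ctx = SpfContext(ip="192.0.2.1", sender="alice@example.org",
                     helo="mail.example.org", domain="example.com")
    record = ("v=spf1 a:mx-out.%{d} include:bulkmailer.com "
              "-exists:%{ir}.cbl.abuseat.org "
              "+exists:CL.%{i}.FR.%{s}.HE.%{h}.spf.%{d} ?all")
    for qualifier, name, target in expand_record(record, ctx):
        print(qualifier, name, target)
        if name == "exists":
            print("    ", dns_name_problems(target) or "within DNS limits")
```

For the constructed connection the tracking mechanism expands to CL.192.0.2.1.FR.alice@example.org.HE.mail.example.org.spf.example.com and the DNSBL mechanism to 1.2.0.192.cbl.abuseat.org; for an IPv6 client %{ir} yields the 32 reversed nibbles, so the tracking name grows by about 60 octets and is worth checking against the limits before publishing such a record.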



