spf-discuss

inherited SPF record

2004-08-05 00:21:52
I've been watching SPF for a while (and DMP even longer), and recently
decided to become an SPF participant; forgive any expressed ignorance.

after reading http://spf.pobox.com/dns.html (creating an SPF record for
every machine in my domain), I started looking for other solutions (because
some of my domains have hundreds of thousands of hosts).  I've been
searching the archives for wildcard SPF records and their implementation,
and ran across
http://open.nlnetlabs.nl/pipermail/nsd-users/2004-January/000167.html, which
answered that question.

I'm wondering if implementations of SPF parsers should traverse up the tree
until they find an SPF record.  Convincing all domain owners to add an SPF
record to each of their domains is quite a task, but asking each domain
owner to add an SPF record to each host in each domain is futile.

one disadvantage I see is that if we fall through all the way to com (or any
other top level domain), we'd be at the mercy of a possibly shady party.  On
the other hand, this could motivate domain owners to set up their own SPF
records.

another disadvantage could be a DoS, by using a domain name with hundreds of
levels, even given the size limits of RFC2821 4.5.3.1.

checking root would be pointless, and should probably be coded around.

I'd imagine that most administrators would want their SPF record to be
inherited, so I'd propose a "do not inherit" flag, and allow SPF records to
be inherited.

if we added "v=spf1 -all" to example.com, and we got mail from
user@www.bar.example.com:
  no SPF record for www.bar.example.com.
  no SPF record for bar.example.com.
  SPF record found for example.com -> check if inheritance is explicitly
  denied
    inheritance allowed, use this SPF record.

I suppose if we traversed up the tree, and found a non-inheritable SPF
record, we'd stop right there, and say there's no SPF record for
www.bar.example.com.


I'm assuming someone thought this was a bad idea, or else it'd already be
implemented... thoughts?


Jeremy Kister
http://jeremy.kister.net/
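The tree-walking lookup the post proposes, as an added example that is not part of the original message or of any SPF implementation. It runs over a constructed in-memory TXT table rather than live DNS; the "noinherit" modifier used as the "do not inherit" flag, the MAX_LABELS bound (the DoS concern) and the rule of stopping before the TLD are all assumptions made for this illustration.

```python
# Constructed sample TXT data keyed by owner name (stands in for DNS).
ZONE = {
    "example.com": "v=spf1 -all",
    "strict.example.org": "v=spf1 mx noinherit -all",  # hypothetical flag
    "example.org": "v=spf1 a -all",
}

MAX_LABELS = 10           # assumed bound: refuse names with hundreds of labels
PUBLIC_SUFFIX_LABELS = 1  # assumed: never consult the TLD ("com") or the root


def lookup_spf(name):
    """Return the SPF record published at exactly this name, or None."""
    rec = ZONE.get(name)
    if rec and rec.startswith("v=spf1"):
        return rec
    return None


def inherited_spf(host):
    """Walk from host up the tree until an SPF record is found.

    Returns (record, origin) where origin is the name that published it,
    or (None, reason) when no usable record exists.  A record carrying the
    hypothetical 'noinherit' modifier applies only to its own name; hitting
    it while walking up stops the search, as the post suggests.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) > MAX_LABELS:
        return None, "too many labels"
    while len(labels) > PUBLIC_SUFFIX_LABELS:
        name = ".".join(labels)
        rec = lookup_spf(name)
        if rec is not None:
            if name != host and "noinherit" in rec.split():
                return None, f"noinherit at {name}"
            return rec, name
        labels.pop(0)  # drop the leftmost label and try the parent
    return None, "none"
```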

