spf-discuss

Re: RE : inherited SPF record

2004-08-05 06:01:35
On Thursday 5 August 2004 14:45, Bourque Daniel wrote:
> Stupid question but:
> (because some of my domains have hundreds of thousands of hosts)
>
> Are you talking SMTP host that can actively send e-mail on the internet?

Not necessarily. Your host doesn't need to actually send e-mail for spammers 
to be able to forge MAIL FROM in its name.

Suppose you have one host called "host318.mydomain.com" that never sends any 
(direct) mail by itself, but has a DNS "A" record.

Spammers _can_ send a forged MAIL FROM: <dummy@host318.mydomain.com> and this 
will generally be accepted by the receiving party, as long as 
host318.mydomain.com resolves in DNS to an "A" or "MX" entry.

If you want SPF to block such forgeries, you *must* have an SPF record for 
host318.mydomain.com, either stating that it shouldn't appear at all in a 
MAIL FROM: RH part, i.e. "v=spf1 -all", or use the same SPF record as your 
higher level domain (stating outgoing mail bearing this RH part should go thru 
your legitimate mail servers), possibly by redirecting with an SPF record 
such as "v=spf1 redirect=mydomain.com".

HTH.

-- 
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
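
An added example, not part of the original message: a small Python audit that lists every name with an "A" or "MX" record but no usable SPF policy and proposes one of the two record forms described above. The zone contents, the 192.0.2.x addresses, host319 and all function names are constructed for illustration.

```python
"""Audit a zone for hostnames usable in MAIL FROM that publish no SPF policy."""

# Constructed sample zone (assumption, not from the post): name -> {type: [values]}
ZONE = {
    "mydomain.com":         {"MX": ["10 mail.mydomain.com"], "TXT": ["v=spf1 mx -all"]},
    "mail.mydomain.com":    {"A": ["192.0.2.10"], "TXT": ["v=spf1 a -all"]},
    "www.mydomain.com":     {"A": ["192.0.2.80"], "TXT": ["v=spf1 redirect=mydomain.com"]},
    "host318.mydomain.com": {"A": ["192.0.2.118"]},
    "host319.mydomain.com": {"A": ["192.0.2.119"], "TXT": ["site-verification=constructed"]},
    "_dmarc.mydomain.com":  {"TXT": ["v=DMARC1; p=none"]},
}

def spf_record(zone, name):
    """Return the name's SPF policy string, or None if it publishes none."""
    for txt in zone.get(name, {}).get("TXT", []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None

def effective_spf(zone, name, depth=0):
    """Follow redirect= modifiers to the policy that is finally evaluated."""
    record = spf_record(zone, name)
    if record is None or depth > 10:      # missing record or redirect loop
        return None
    terms = record.split()[1:]
    if any(t.lstrip("+-~?").lower() == "all" for t in terms):
        return record                     # redirect= is ignored when "all" is present
    for term in terms:
        if term.lower().startswith("redirect="):
            return effective_spf(zone, term.split("=", 1)[1], depth + 1)
    return record

def unprotected_hosts(zone):
    """Names with an A or MX record but no usable SPF policy."""
    return sorted(n for n, rr in zone.items()
                  if ("A" in rr or "MX" in rr) and effective_spf(zone, n) is None)

def suggested_records(zone, parent, senders=()):
    """Propose "-all" for hosts that never send mail, a redirect for the rest."""
    return {n: f"v=spf1 redirect={parent}" if n in senders else "v=spf1 -all"
            for n in unprotected_hosts(zone)}

if __name__ == "__main__":
    fixes = suggested_records(ZONE, "mydomain.com", senders={"host319.mydomain.com"})
    for host, txt in fixes.items():
        print(f'{host}. IN TXT "{txt}"')
```
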

