Graham Murray wrote:
<Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com> writes:
Why do you have an SPF record for every machine in your domain? Why
not just do v=spf1 ptr -all
Because if your domain is example.com and you have
example.com. TXT "v=spf1 ptr -all"
host.example.com. A 10.1.2.3.4
Then if mail is sent with a MAIL_FROM of host.example.com the
receiving system will perform a TXT lookup for 'host.example.com.' and
will not receive the SPF record for example.com. Therefore an SPF
record has to be published for every host which has an 'A', 'AAAA' or
MX record.
I see... so the two issues are
(1) How do I make sure someone unauthorized doesn't send mail as
machine.example.com
(2) How do I make sure machine.example.com can send its own undeliverable
reports
Wouldn't something like this work for both issues, without requiring O(n)
records?
*.example.com. TXT "v=spf1 ptr -all"
host.example.com. A 10.1.2.3.4
Assuming I'm authoritative for the 10.1.2.3.* zone (to continue the example),
and further assuming I have a 4.3.2.1.10.in-addr.arpa PTR record to
host.example.com, this should solve (2). (1) is still somewhat complicated by
the notion that a malignant server owner can set up his reverse DNS to tie into
his email software... so that he can return what the SPF querying agent wants
to hear... but it should suffice to at least make life more complicated for
most malignant servers.
Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com
805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
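Added example, not from the thread or from any SPF implementation: a toy SPF evaluator over an in-memory zone that models the two lookups discussed above, the TXT query for the MAIL FROM domain and the reverse/forward check behind the ptr mechanism. Wildcard handling follows RFC 4592 (a wildcard only synthesizes answers for names that do not exist at all; RFC 7208 section 3.4 points out the consequence for SPF), so it shows which cases the per-host layout and the wildcard layout each cover, and how forward validation handles the attacker-controlled reverse DNS that Matthew worries about. The zone contents, the attacker address 192.0.2.66 and the function names are constructed for the example; the thread's five-octet 10.1.2.3.4 is read as 10.1.2.3.

```python
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data (all names absolute). Graham's layout: an SPF record
# published for every host. The 192.0.2.66 reverse entry stands for a
# reverse zone the attacker controls, pointing at our host name.
PER_HOST_ZONE = {
    "example.com.":            {"TXT": ["v=spf1 ptr -all"]},
    "host.example.com.":       {"A": ["10.1.2.3"], "TXT": ["v=spf1 ptr -all"]},
    "3.2.1.10.in-addr.arpa.":  {"PTR": ["host.example.com."]},
    "66.2.0.192.in-addr.arpa.": {"PTR": ["host.example.com."]},
}
# Matthew's proposal: one wildcard TXT record instead of O(n) per-host records.
WILDCARD_ZONE = {
    "example.com.":            {"TXT": ["v=spf1 ptr -all"]},
    "*.example.com.":          {"TXT": ["v=spf1 ptr -all"]},
    "host.example.com.":       {"A": ["10.1.2.3"]},
    "3.2.1.10.in-addr.arpa.":  {"PTR": ["host.example.com."]},
}


def fqdn(name):
    """Lower-case a name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def name_exists(zone, name):
    """RFC 4592 existence: the name owns records or is an ancestor of one."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def lookup(zone, name, rtype):
    """Return the RRset for (name, rtype). A wildcard is only consulted when
    the queried name does not exist at all; a name that exists but lacks the
    type yields an empty answer (NODATA), as a real resolver would."""
    name = fqdn(name)
    if name in zone:
        return list(zone[name].get(rtype, []))
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):          # closest encloser found
            return list(zone.get("*." + ancestor, {}).get(rtype, []))
    return []


def ptr_mechanism_matches(zone, ip, target):
    """RFC 7208 section 5.5: reverse-map ip, keep only names whose forward A
    record points back at ip, and match if one of them is target or below it."""
    ip = str(ipaddress.ip_address(ip))
    target = fqdn(target)
    rev = ipaddress.ip_address(ip).reverse_pointer + "."
    for name in lookup(zone, rev, "PTR"):
        name = fqdn(name)
        if ip not in lookup(zone, name, "A"):
            continue                              # PTR did not forward-validate
        if name == target or name.endswith("." + target):
            return True
    return False


def check_host(zone, ip, domain):
    """Minimal check_host(): only the 'ptr' and 'all' mechanisms are modelled."""
    records = [t for t in lookup(zone, domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qual]
        if term == "ptr":
            if ptr_mechanism_matches(zone, ip, domain):
                return QUALIFIER_RESULT[qual]
            continue
        return "permerror"                        # other mechanisms are out of scope


def scenarios():
    """The cases from the thread, each as (zone, sending IP, MAIL FROM domain)."""
    return {
        "per_host_own_host":    check_host(PER_HOST_ZONE, "10.1.2.3", "host.example.com"),
        "per_host_spoofed_ptr": check_host(PER_HOST_ZONE, "192.0.2.66", "host.example.com"),
        "wildcard_own_host":    check_host(WILDCARD_ZONE, "10.1.2.3", "host.example.com"),
        "wildcard_unused_name": check_host(WILDCARD_ZONE, "10.1.2.3", "nothere.example.com"),
        "wildcard_apex":        check_host(WILDCARD_ZONE, "10.1.2.3", "example.com"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:22s} {result}")
```

Two things the run makes visible. First, in the wildcard layout the TXT query for host.example.com returns nothing at all, because that name already exists with an A record and a wildcard never applies to an existing name; only names with no records of their own (and the apex, which has its own TXT) get an SPF answer. Second, the forward-validation step of ptr is what blunts the attacker-controlled reverse DNS: a PTR that claims host.example.com from 192.0.2.66 is discarded because the forward A record for that name, which only the zone owner controls, does not point back at 192.0.2.66.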