spf-discuss

Re: Can SPF identify wildcard domain forgery?

2004-08-21 23:46:54
--On Sonntag, August 22, 2004 06:31:28 +0800 AccuSpam <support(_at_)accuspam(_dot_)com> wrote:

>>> My question below boils down to: "is there a syntax for SPF (possibly
>>> the macro language?) which enables "-all" to be excluded from only some
>>> address of a domain?"

>> Yes, this can be done by the 'exists' mechanism:
>>
>> v=spf1 exists:%{l}.spf.example.com -all
>>
>> (With the 'exists' mechanism and a custom DNS server you can do any test
>> you want to do with the information you have at SMTP time.)

> Great!  Please elaborate on the steps a novice would take to configure
> all this?  Would it be reasonable for a novice (the millions of personal
> domains)?

A novice would not need to do this. For a typical "vanity domain" you
can just include your provider's SPF records so you authorize their mail
servers to send out messages with your domain in the envelope from.

If you want to except certain users from any limitation because they
are using an unpredictable mail server (IbC, roaming user), you can do it
this way (use whatever you need to enable your own mail server instead
of the "+ptr"):

example.net             IN SOA ...
                        IN TXT  "v=spf1 +ptr +exists:%{l}.lp._spf.%{d2} -all"
user1.lp._spf           IN A 127.0.0.1

This way, user1(_at_)example(_dot_)net can send via any mail server while other
addresses are checked against being sent via the published mail servers.
This should be easy to add to a web based customer interface (specify
localpart, add record to zone data).

Ralf Döblitz
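As an added illustration (not from Ralf's post or any SPF library), here is a small Python model of the record above: it expands the %{l} and %{d2} macros and walks the mechanisms left to right, so one can see why user1 passes while other local parts fall through to -all. The zone table is constructed inline, and ptr matching is reduced to a flag rather than a real reverse lookup.

```python
import re

# Constructed zone data mirroring the post's example (not a live DNS lookup):
# the TXT record for example.net and the A record that whitelists user1.
ZONE = {
    ("example.net", "TXT"): "v=spf1 +ptr +exists:%{l}.lp._spf.%{d2} -all",
    ("user1.lp._spf.example.net", "A"): "127.0.0.1",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macro(spec, sender, domain):
    """Expand the SPF macros used in the post: %{l}, %{s}, %{o}, %{d}, %{dN}."""
    local, _, sender_domain = sender.partition("@")

    def repl(match):
        letter, digits = match.group(1), match.group(2)
        value = {"l": local, "s": sender, "o": sender_domain, "d": domain}[letter]
        if digits:  # %{d2} keeps only the rightmost N labels
            value = ".".join(value.split(".")[-int(digits):])
        return value

    return re.sub(r"%\{([lsod])(\d*)\}", repl, spec)


def check_spf(sender, domain, ptr_matches=False):
    """Return the result of the first matching mechanism in the domain's record."""
    record = ZONE.get((domain, "TXT"), "")
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech == "ptr":
            if ptr_matches:  # stands in for the reverse-lookup check
                return RESULT[qualifier]
        elif mech.startswith("exists:"):
            name = expand_macro(mech[len("exists:"):], sender, domain)
            if (name, "A") in ZONE:  # exists: matches when the name has any A record
                return RESULT[qualifier]
    return "neutral"  # no record, or no term matched
```

Only user1 has an A record under lp._spf, so any other local part sent from a host the ptr check does not cover ends at -all.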