Shelby wrote:
If you can tell me why the above syntax does not tell the spammer that
"user" is likely one of my legitimate e-mail addresses, then I can say
"yes".
Because there is no way for the spammer to find out that there is a
subdomain user._spf.example.com.
William wrote:
example.com. IN TXT "v=SPF1 +mx redirect=%{l}._spf.example.com"
*._spf.example.com. IN TXT "v=SPF1 -all"
user._spf.example.com. IN TXT "v=SPF1 ?all"
The following records achieve the same:
example.com. IN TXT "v=spf1 +mx ?exists:%{l}._spf.example.com -all"
user._spf.example.com. IN A 127.0.0.2
Further, I suggest you write "v=spf1" instead of "v=SPF1" because there
might be some SPF implementations where the version string is not
case-insensitive.
Shelby, again: The spammer cannot find out that there is a subdomain
user._spf.example.com. If your name server allows to find out the names of
the subdomains, then it is misconfigured and you should immediately fix it.
Thanks for mentioning that assumption you were making. I think that is the
point of a discussion list, no (to thresh out the assumptions)? It does not
make someone an "Anti-Spam Kook" for asking about those assumptions, does it?
However, notwithstanding the DNSSEC case your assumption violates, if I
understand your syntax correctly (excuse me if I do not, no need to flame me as
you did with the "Anti-Spam Kook" accusation), then the SPF verifier has to query
the nameserver to ask if a user exists?
If yes, then a spammer can do the same thing. It is not the same as handing
the spammer a list, but it is another way to query for existent addresses,
which has the following drawbacks:
(1) It might be more efficient and accurate for the spammer than SMTP verification,
or just another method.
(2) It increases the already real risk that SPF, SenderID, and DomainKeys use
of DNS will hammer the DNS network and bring down the internet in general.
Just imagine spammers randomly hammering DNS nameservers to get lists of
existent user subdomains. The DNS network is not an area I am knowledgeable in, so
this may be completely solvable. I dunno.
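
Added example, not part of the original message: a simplified Python model of how a verifier evaluates the second record set quoted above (`+mx ?exists:%{l}._spf.example.com -all`). The zone contents, the IP addresses and the function names `lookup`, `expand` and `check_host` are constructed for illustration; the model shows that each check expands `%{l}` into a per-user query name, so the result differs for existing and non-existing local parts and every such lookup shows up in the name server's query log.

```python
# Constructed zone data standing in for DNS; all names and addresses are sample values.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 +mx ?exists:%{l}._spf.example.com -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("user._spf.example.com", "A"): ["127.0.0.2"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, log):
    """Answer from ZONE and record the query, as a name server's query log would."""
    name = name.lower().rstrip(".")
    log.append((name, rtype))
    return ZONE.get((name, rtype), [])


def expand(spec, sender):
    """Expand only the macros this example needs: %{l}, %{d}, %{s}."""
    local, _, domain = sender.rpartition("@")
    for macro, value in (("%{l}", local), ("%{d}", domain), ("%{s}", sender)):
        spec = spec.replace(macro, value)
    return spec


def check_host(ip, sender):
    """Return (result, queries) for the simplified mx / exists / all mechanisms."""
    log = []
    domain = sender.rpartition("@")[2]
    records = [r for r in lookup(domain, "TXT", log) if r.lower().startswith("v=spf1 ")]
    if not records:
        return "none", log
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "mx":
            hosts = lookup(arg or domain, "MX", log)
            matched = any(ip in lookup(h, "A", log) for h in hosts)
        elif mech == "exists":
            matched = bool(lookup(expand(arg, sender), "A", log))
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms and modifiers outside this sketch are skipped
        if matched:
            return RESULTS[qualifier], log
    return "neutral", log
```

Counting `A` queries under `_spf.example.com` per source in the returned query list (or in a real name server's query log) is one way to see how often these per-user names are being looked up.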