spf-discuss

Wildcard DNS entry

2004-09-08 16:01:02
A wildcard entry will not match an existing entry.

Given:
        watkins-home.com.        txt     "v=spf1 ..."
        *.watkins-home.com.      txt     "v=spf1 -all"
        www.watkins-home.com.    a       1.2.3.4

The * entry will disallow email from any host that does not exist,
but it won't help with hosts that do exist.
How can I prevent someone claiming to be sending email from
someone@www.watkins-home.com?

Assume I have more than 1 host I need to protect, not just www.

From what I have read, I should give each host an SPF record!
This does not seem reasonable for large sites.  For me it is ok.
But if this is true, it seems likely most people don't know to do it.
If I am correct, this needs to be in the spec, or if it is, it needs to be
in the spec twice!  Or made very clear.

Maybe a directive to state that no sub-domains are allowed to send email:
"-all".  When an MTA finds a sub-domain/host without an SPF record, it checks
the parent domain, where it may find an SPF record with the "no sub-domains
allowed" directive.

Anyway, am I off my rocker, again?

Thanks,
Guy

Ok, pobox.com knows!

dig txt +short pobox.com.
"v=spf1 mx mx:fallback-relay.%{d} a:webmail.%{d} a:smtp.%{d} a:emerald.%{d}
redirect=%{l1r+}._at_.%{o}._spf.%{d}"

dig txt +short www.pobox.com.
"v=spf1 redirect=pobox.com"

dig txt +short spf.pobox.com.
"v=spf1 -all"

Gmail.com does not!

dig txt +short gmail.com.
"v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all"

dig txt +short www.gmail.com.
gmail.google.com.
gmail.google.akadns.net.
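To make the wildcard behaviour concrete, here is an added example that is not part of the post or of any SPF implementation. It models DNS wildcard synthesis (RFC 1034 / RFC 4592: a wildcard only matches names that do not exist, and only when its parent is the closest existing ancestor), then applies the SPF rule that a receiver needs a "v=spf1" TXT at the exact HELO/MAIL FROM domain. The zone data is constructed: the apex policy is a placeholder, and mail.watkins-home.com with its pobox-style "redirect=" record is hypothetical. The last function is the audit a zone owner would run to find the hosts the wildcard does not cover.

```python
"""Toy model of DNS wildcard synthesis and what it means for SPF coverage.

Constructed zone for the example; names are fully qualified (trailing dot).
"""

from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (type, rdata)

# Constructed zone data; the apex SPF policy is a placeholder and
# mail.watkins-home.com is a hypothetical host added for illustration.
ZONE: Dict[str, List[Record]] = {
    "watkins-home.com.": [
        ("MX", "10 mail.watkins-home.com."),
        ("TXT", "v=spf1 a mx -all"),
    ],
    "*.watkins-home.com.": [("TXT", "v=spf1 -all")],
    "www.watkins-home.com.": [("A", "1.2.3.4")],           # no TXT record
    "mail.watkins-home.com.": [
        ("A", "1.2.3.5"),
        ("TXT", "v=spf1 redirect=watkins-home.com"),        # pobox.com style
    ],
}


def _ancestors(name: str) -> List[str]:
    """Return name and each parent up to (not including) the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def name_exists(zone: Dict[str, List[Record]], name: str) -> bool:
    """A name exists if it owns records or is an ancestor of an owner
    (an 'empty non-terminal' in DNS terms)."""
    return any(o == name or o.endswith("." + name) for o in zone)


def lookup(zone: Dict[str, List[Record]], qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Resolve qname/qtype with RFC 4592 wildcard rules.

    Returns (rcode, rdatas). NOERROR with an empty list means the name
    exists but has no record of that type, which is exactly the case for
    an existing host that never got its own TXT record.
    """
    if name_exists(zone, qname):
        # Existing names are never synthesized from a wildcard.
        return "NOERROR", [rd for t, rd in zone.get(qname, []) if t == qtype]
    for ancestor in _ancestors(qname)[1:]:
        if name_exists(zone, ancestor):
            # First existing ancestor is the closest encloser.
            wildcard = "*." + ancestor
            if wildcard in zone:
                return "NOERROR", [rd for t, rd in zone[wildcard] if t == qtype]
            return "NXDOMAIN", []
    return "NXDOMAIN", []


def spf_record(zone: Dict[str, List[Record]], domain: str) -> Optional[str]:
    """Return the single v=spf1 TXT for domain, or None when there is no
    usable policy (NXDOMAIN, no TXT, or zero/multiple SPF strings)."""
    rcode, txts = lookup(zone, domain, "TXT")
    if rcode != "NOERROR":
        return None
    spf = [t for t in txts if t.startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def hosts_without_spf(zone: Dict[str, List[Record]]) -> List[str]:
    """Audit: real hosts (A/AAAA/MX owners, not the wildcard itself) that
    resolve to no SPF policy and could therefore be used in a forged
    sender address without any SPF failure."""
    missing = []
    for owner, rrs in sorted(zone.items()):
        if owner.startswith("*."):
            continue
        if not any(t in ("A", "AAAA", "MX") for t, _ in rrs):
            continue
        if spf_record(zone, owner) is None:
            missing.append(owner)
    return missing


if __name__ == "__main__":
    for host in ("nonexistent.watkins-home.com.", "www.watkins-home.com.",
                 "mail.watkins-home.com.", "watkins-home.com."):
        print(f"{host:32} -> {spf_record(ZONE, host)}")
    print("hosts not covered:", hosts_without_spf(ZONE))
```

Running it shows the asymmetry the post describes: a made-up host gets "v=spf1 -all" from the wildcard, while www.watkins-home.com, which exists, resolves to no policy at all. The per-host "redirect=" record on the hypothetical mail host closes that gap the way www.pobox.com does, and hosts_without_spf lists the names that still need one.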