spf-discuss

RE: confused !

2004-09-24 07:34:29
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Shoaib
Sent: Friday, September 24, 2004 10:24 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] confused !


Hi, I am a bit confused about the include mechanism.

Suppose I have include:abc.com, and abc.com does not have any SPF
record; then should I proceed forward or
stop the processing and make the result unknown?


If abc.com doesn't have an SPF record, then it is an error.

http://spf.pobox.com/spf-draft-200406.txt

4.2 "include"

    include = "include" ":" domain-spec

   The "include" mechanism triggers a recursive SPF query.  The
   domain-spec is expanded as per section 7.  Then a new query is
   launched using the resulting string as the <current-domain>.  The
   <responsible-sender> stays the same.

   "Include" makes it possible for one domain to designate multiple
   administratively independent domains.

   For example, a vanity domain "example.net" might send mail using the
   servers of administratively independent domains example.com and
   example.org.

   Example.net could say

      "v=spf1 include:example.com include:example.org -all".

   That would direct an SPF client to, in effect, search the SPF records
   for example.com and example.org for a "pass" result.  Only if the
   message were not permitted for either of those domains would the
   result be "fail".

   This mechanism matches when the inner, included query result returns
   a pass, and doesn't match when the result is fail, softfail, or
   neutral.  However, if the new query returns none, error, or unknown,
   then processing of the entire SPF query stops immediately and
   returns the error result.

Now returning an error isn't that much different in practice than returning
unknown.  From the same spec:

   There are two error conditions, one temporary and one permanent.

     Error: indicates an error during lookup; an MTA SHOULD reject the
     message using a transient failure code, such as 450.

     Unknown: indicates incomplete processing: an MTA MUST proceed as
     if a domain did not publish SPF data.

...

   If it throws an exception, mechanism processing ends and
   the exception value is returned (either "error"
   indicating a temporary failure, usually DNS-related, or
   "unknown" indicating a syntax error or other permanent
   failure resulting in incomplete processing.)

The problem with returning unknown for an include: is that there is no way
to know if the include: failed because of a transient DNS failure (it's
published, but you didn't get it) or if the included domain has not
published a record.  Eventually, I think they get you to the same place.

Scott Kitterman
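
The include rule quoted from section 4.2, as an added example that is not part of the original message or of the SPF draft: a minimal Python evaluator run over constructed in-memory records. The domain names, the `DNS_TIMEOUT` marker, the recursion cap, the "neutral" default, and the reporting of an inner "none" as "error" (the reading given in the reply above) are assumptions.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TIMEOUT = object()  # hypothetical marker: the lookup failed transiently

# Constructed sample data standing in for DNS; a missing key means no record.
RECORDS = {
    "example.net": "v=spf1 include:example.com include:example.org -all",
    "example.com": "v=spf1 ip4:192.0.2.10 -all",
    "example.org": "v=spf1 ip4:198.51.100.0/24 -all",
    "broken.example": "v=spf1 include:abc.example -all",  # abc.example has no SPF
    "flaky.example": "v=spf1 include:slow.example -all",
    "slow.example": DNS_TIMEOUT,
}

def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate a small SPF subset (ip4, include, all) for one client IP."""
    if depth > 10:                      # assumption: cap on include recursion
        return "unknown"
    record = records.get(domain)
    if record is DNS_TIMEOUT:
        return "error"                  # temporary failure during lookup
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                   # domain publishes no SPF data
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                net = ipaddress.ip_network(arg, strict=False)
                matched = ipaddress.ip_address(ip) in net
            except ValueError:
                return "unknown"        # syntax error in the record
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("none", "error", "unknown"):
                # Whole query stops. Assumption: inner "none" is reported as
                # "error" (the reply's reading); error/unknown pass through.
                return "error" if inner == "none" else inner
            matched = inner == "pass"   # fail, softfail, neutral: no match
        else:
            return "unknown"            # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # assumption: default when nothing matches
```

With this mapping, `broken.example` (the included domain publishes nothing) and `flaky.example` (the lookup timed out) both evaluate to "error".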

