spf-discuss

Re: HELO Checking [Re: What to include...]

2004-10-06 06:33:43
Greg Hewgill wrote:

> On Wed, Oct 06, 2004 at 12:57:54PM +0000, Mark wrote:
>
> > Oh? That is quite a new interpretation. In my understanding of SPF,
> > in the above case, an SPF lookup should ONLY be done on
> > "au01.mta.mycompany.myisp.au.com". Certainly no traversing "up" the
> > tree, to try and find other SPF records. The SPF record for
> > "somebody.example.com" may be entirely different from "example.com"
> > itself, or even be totally absent. And that is intentional.
>
> If "somebody.example.com" has its own SPF record, then use that. But
> if not, and there is no SOA for "somebody.example.com", then step back
> one level and look for an SPF record at "example.com". If there is one
> present, use that.

Which is exactly what I believe should not be done.

> If not, and there is an SOA record at "example.com",
> then stop looking for more SPF records.
>
> This idea was prompted by noticing this morning that "buy.com"
> publishes an SPF record, but correspondence with their customer
> service department comes from "customerservice.buy.com" which
> has no SPF record at all.

"independentclientof.buy.com" may have its own SPF policy, or none at all.
To assume that the SPF record for "buy.com" applies to them as well, is
questionable. And often pointless, too. As is the case, here; "buy.com"
authorizes the following mailers:

mail1.buy.com
mail2.buy.com
email.buy.com
outboundsmtp01.buy.buyservices.com
outboundsmtp02.vpl.buyservices.com

"customerservice.buy.com" is not among those. In fact,
"customerservice.buy.com" has its own MX records:

mx1.customerservice.buy.com
mx2.customerservice.buy.com
mx3.customerservice.buy.com

Therefore, "customerservice.buy.com" and "buy.com" are really to be treated
as separate entities.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
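
The two lookup behaviours debated in this message, side by side, as an added example that is not part of the original post or of any SPF implementation. The zone data, host names and the simplified `evaluate` check (only `a:` mechanisms and `-all`) are constructed assumptions.

```python
# Constructed DNS data (not real records): name -> SPF TXT and/or SOA flag.
ZONE = {
    "example.com": {"soa": True, "spf": "v=spf1 a:mail1.example.com -all"},
    "delegated.example.com": {"soa": True},   # own zone, publishes no SPF
    # "somebody.example.com" has no SOA and no SPF record of its own
}

def spf_exact(domain, zone=ZONE):
    """Query only the domain itself; never look at parent domains."""
    return zone.get(domain, {}).get("spf")

def spf_walk_up(domain, zone=ZONE):
    """Proposed fallback: climb one label at a time until an SPF record
    is found or a zone apex (SOA) without SPF is reached."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):          # never query the bare TLD
        name = ".".join(labels[i:])
        entry = zone.get(name, {})
        if "spf" in entry:
            return name, entry["spf"]
        if entry.get("soa"):
            return None                       # SOA without SPF: stop
    return None

def evaluate(record, sending_host):
    """Simplified check: only a:<host> mechanisms and a trailing -all."""
    if record is None:
        return "none"
    terms = record.split()[1:]
    if any(t == "a:" + sending_host for t in terms):
        return "pass"
    return "fail" if "-all" in terms else "neutral"

def compare(domain, sending_host):
    """Return (result with exact lookup, result with walk-up lookup)."""
    found = spf_walk_up(domain)
    return (evaluate(spf_exact(domain), sending_host),
            evaluate(found[1] if found else None, sending_host))
```

For a subdomain that sends through its own hosts, the exact lookup yields `none` while the walk-up lookup applies the parent's record and yields `fail`.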