spf-discuss

Re: spf entries for which hosts ???

2004-10-11 12:27:10
On Mon, Oct 11, 2004 at 03:19:01PM -0400, Meng Weng Wong wrote:
| 
| the domain urz.uni-magdeburg.de should have a record
| "v=spf1 a:server1.urz.%{d2} a:server2.et.%{d2} a:server3.math.%{d2} -all"
| 

if the record ends up being very long and crosses the 512
byte UDP DNS packet size limit, you can do what ebay does:

    20041011-15:20:21 mengwong(_at_)dumbo:~% dig +short ebay.com txt
    "v=spf2.0/pra mx include:c._sid.ebay.com include:s._sid.ebay.com include:m._sid.ebay.com include:p._sid.ebay.com ~all"
    "v=spf1 mx include:c._spf.ebay.com include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com ~all"

    20041011-15:20:28 mengwong(_at_)dumbo:~% dig +short c._spf.ebay.com txt
    "v=spf1 ip4:12.155.144.75 ip4:62.22.61.131 ip4:63.104.149.126 ip4:64.68.79.253 ip4:64.94.204.222 ip4:66.135.215.134 ip4:67.72.12.29 ip4:80.66.137.58 ip4:80.93.9.10 ip4:195.234.136.12 ip4:203.49.69.114 include:c2._spf.ebay.com ~all"

    20041011-15:20:34 mengwong(_at_)dumbo:~% dig +short c2._spf.ebay.com txt
    "v=spf1 ip4:210.80.80.136 ip4:212.110.10.2 ip4:212.147.136.123 ip4:212.208.64.34 ip4:213.219.8.227 ip4:216.113.168.128 ip4:216.113.175.128 ip4:216.177.178.3 ip4:217.149.33.234 ip4:220.248.6.124 ~all"

    20041011-15:20:36 mengwong(_at_)dumbo:~% dig +short s._spf.ebay.com txt
    "v=spf1 ip4:66.135.209.192/27 ip4:66.135.197.0/27 ip4:64.4.240.64/27 ip4:64.4.244.64/27 ~all"

    20041011-15:20:38 mengwong(_at_)dumbo:~% dig +short m._spf.ebay.com txt
    "v=spf1 ip4:66.135.215.224/27 ip4:216.33.244.96/27 ~all"

    20041011-15:20:42 mengwong(_at_)dumbo:~% dig +short p._spf.ebay.com txt
    "v=spf1 ip4:64.41.177.252 ip4:67.72.99.26 ~all"

The "include" technique is only one possible way.  Another
way might be to fabricate an MX -> A tree:

domain.com TXT "v=spf1 mx:mx._spf.%{d} -all"

  domain.com MX 10  c.mx._spf.domain.com
  domain.com MX 10 c2.mx._spf.domain.com
  domain.com MX 10  s.mx._spf.domain.com
  domain.com MX 10  m.mx._spf.domain.com
  domain.com MX 10  p.mx._spf.domain.com

and then *.mx._spf.domain.com could have multiple A record
results...

  p.mx._spf.domain.com A 64.41.177.252
  p.mx._spf.domain.com A 67.72.99.26

Of course this technique loses the ability to do CIDR masks,
but it is an alternative that can be useful in case we run
up against the maximum-include-recursion limit imposed in
the spec.

The v=spf2.0/pra entry is not necessary if its content is
the same as a v=spf1 record.  Sender ID receivers will fall
back to v=spf1 records if they do not see an spf2.0 record.
This is the common case: scope disambiguation with /pra
and /mfrom is only relevant to a small minority of cases.
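The two record layouts discussed in this message, the include: chain and the mx: -> A tree, as an added worked example; this is not code from the post or from any SPF library. It is a minimal v=spf1 evaluator over a constructed in-memory zone (documentation address ranges under example.com, include.example and loop.example, not eBay's real records), with the %{d}/%{dN} macro expansion the quoted record relies on, a rough size estimate of the UDP reply a TXT record would produce, and a lookup counter that turns a runaway include: loop into permerror. Assumptions: the 10-query cap is RFC 7208's limit on DNS-querying mechanisms (the 2004 draft's own recursion limit is not restated above); the MX records of the tree are placed at mx._spf.example.com, the name that "mx:mx._spf.%{d}" actually queries; redirect= and other modifiers are skipped.

```python
import ipaddress
import re

# Constructed zone data on documentation address ranges (not eBay's real
# records); keys are (owner name, RR type).
ZONE = {
    # mx: -> A tree: the policy names mx._spf.example.com, whose MX hosts
    # each carry the A records that would otherwise bloat the TXT record.
    ("example.com", "TXT"): ["v=spf1 mx:mx._spf.%{d} -all"],
    ("mx._spf.example.com", "MX"): ["c.mx._spf.example.com", "p.mx._spf.example.com"],
    ("c.mx._spf.example.com", "A"): ["192.0.2.10", "192.0.2.11"],
    ("p.mx._spf.example.com", "A"): ["198.51.100.5"],
    # include: chain, shaped like the ebay.com -> c._spf -> c2._spf walk above.
    ("include.example", "TXT"): ["v=spf1 include:c._spf.include.example ~all"],
    ("c._spf.include.example", "TXT"): ["v=spf1 ip4:203.0.113.0/27 include:c2._spf.include.example ~all"],
    ("c2._spf.include.example", "TXT"): ["v=spf1 ip4:203.0.113.64/27 ~all"],
    # A record that includes itself, to exercise the lookup limit.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}
# Assumption: RFC 7208's cap of 10 DNS-querying mechanisms; the 2004 draft's
# own recursion limit is not restated in the post.
LOOKUP_LIMIT = 10
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    pass


def expand(spec, domain):
    """Expand %{d} and %{dN} (keep the rightmost N labels of domain)."""
    def repl(m):
        labels = domain.split(".")
        return ".".join(labels[-int(m.group(1)):]) if m.group(1) else domain
    return re.sub(r"%\{d(\d*)\}", repl, spec)


def udp_response_size(qname, txt):
    """Approximate size of a DNS reply carrying one TXT RR, to compare with
    the classic 512-byte UDP limit the post mentions."""
    name = sum(len(label) + 1 for label in qname.rstrip(".").split(".")) + 1
    # TXT RDATA is a series of <len><string> chunks of at most 255 bytes.
    rdata = sum(len(txt[i:i + 255]) + 1 for i in range(0, len(txt), 255))
    return 12 + (name + 4) + (2 + 10 + rdata)  # header, question, answer RR


def in_net(ip, addr, cidr):
    """True if ip lies in addr/cidr; an empty cidr means a single host."""
    return ip in ipaddress.ip_network(f"{addr}/{cidr}" if cidr else addr, strict=False)


def check_host(ip, domain, zone=ZONE, limit=LOOKUP_LIMIT):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    ip = ipaddress.ip_address(ip)
    lookups = 0

    def lookup(name, rtype):
        nonlocal lookups
        lookups += 1  # include:, a: and mx: each cost one query
        if lookups > limit:
            raise PermError("too many DNS lookups")
        return zone.get((name.lower(), rtype), [])

    def evaluate(dom):
        records = [r for r in lookup(dom, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
        if not records:
            return "none"
        if len(records) > 1:
            raise PermError("more than one v=spf1 record")
        for term in records[0].split()[1:]:
            if "=" in term:  # redirect=/exp= modifiers are not handled here
                continue
            qual = "+"
            if term[0] in RESULT:
                qual, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            target, _, cidr = arg.partition("/")
            name = expand(target, dom) if target else dom
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = any(in_net(ip, a, cidr) for a in lookup(name, "A"))
            elif mech == "mx":
                # A queries for MX hosts are not charged to the limit here;
                # RFC 7208 caps them separately at 10 MX names.
                matched = any(in_net(ip, a, cidr) for host in lookup(name, "MX")
                              for a in zone.get((host.lower(), "A"), []))
            elif mech == "include":
                inner = evaluate(name)
                if inner == "none":
                    raise PermError(f"include:{name} has no SPF record")
                matched = inner == "pass"
            else:
                raise PermError(f"unknown mechanism {mech}")
            if matched:
                return RESULT[qual]
        return "neutral"

    try:
        return evaluate(domain)
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip_, dom_ in [("192.0.2.11", "example.com"), ("203.0.113.70", "include.example"),
                      ("192.0.2.1", "loop.example")]:
        print(dom_, ip_, check_host(ip_, dom_))
```

The size estimate ignores EDNS and any additional records a resolver might append, so treat it as a lower bound: a record that already fails it will certainly not fit a plain 512-byte UDP answer. Note also that the mx: tree costs the same one counted query per mx: term however many MX hosts and A records hang off it, which is why it sidesteps the include recursion limit.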