spf-discuss

Re: spf entries for which hosts ???

2004-10-12 19:04:12
--Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> wrote:

On Mon, Oct 11, 2004 at 03:24:50PM -0400, guy wrote:
| It is not just you.  The spf docs, faqs and such are not clear on this.
| And this seems like a very important issue, since sub-domains and hosts
| can be used to forge emails.
|
| Try it:
| dig +short txt ebay.com.
| dig +short txt www.ebay.com.
| dig +short txt aol.com.
| dig +short txt www.aol.com.

For the record, the docs are unclear about this because
there has been no consensus about which future we want to
live in.

We don't want the world to have to put an SPF record on
every single www.domain.com out there, but we don't seem to
want to embrace any of the technological alternatives
either.


Here is an idea that may or may not have been floated before.

A domain name that has an MX record is, by definition, intended to be used for email, unless the record is domain. IN MX 0 . -- so we can give that domain the benefit of the doubt, such as allowing a "best guess" a/24 mx/24 ptr ?all

A domain name that has an A record may or may not support email, so a sensible practice might be to apply +a -all as the "best guess" -- though I would not want to do this on a production site without running in log-only mode for a few weeks, or at least seeing encouraging results from someone else applying the rule.

Definitely if a domain is being actively used for email but has only an A record (for example, a large chunk of messages from MAILER-DAEMON) the owner can control his own destiny by publishing an SPF record which always takes precedence over the best guess.

I really would like to see a "modern" RFC for email that states "The practice of sending mail to a domain with only an A record is now considered deprecated. Domain owners should provide MX records for any domain intended to send or receive mail, even if it is only DSNs. Ensure that your mail server sends out DSNs with a From: line containing a real MX domain, either by turning on masquerade or providing MX records for the server's name."


--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
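The "best guess" heuristic proposed in the message above, written out as an added example that is not code from the thread or from any SPF implementation. DNS answers come from a constructed in-memory table so it runs offline; the handling of a null MX (`MX 0 .`) as "fall through to the A-record rule" is an assumption, since the post only says such a domain is not intended for email.

```python
from typing import Optional, Tuple

# Constructed sample DNS data: domain -> record type -> list of answers.
SAMPLE_DNS = {
    "publisher.example": {"TXT": ["v=spf1 mx -all"],
                          "MX": [(10, "mail.publisher.example")],
                          "A": ["192.0.2.10"]},
    "mxonly.example":    {"MX": [(10, "mx.mxonly.example")]},
    "nullmx.example":    {"MX": [(0, ".")], "A": ["192.0.2.20"]},
    "aonly.example":     {"A": ["192.0.2.30"]},
    "nothing.example":   {},
}

GUESS_FOR_MX = "v=spf1 a/24 mx/24 ptr ?all"  # lenient guess for MX domains (from the post)
GUESS_FOR_A = "v=spf1 +a -all"               # stricter guess for A-only domains (from the post)


def lookup(domain: str, rtype: str, dns=SAMPLE_DNS):
    """Stand-in for a DNS query against the constructed table."""
    return dns.get(domain, {}).get(rtype, [])


def best_guess_spf(domain: str, dns=SAMPLE_DNS) -> Tuple[Optional[str], str]:
    """Return (spf_record, source); source is 'published', 'mx-guess',
    'a-guess' or 'none'. A published v=spf1 TXT record always wins."""
    for txt in lookup(domain, "TXT", dns):
        if txt.lower().startswith("v=spf1"):
            return txt, "published"
    mx = lookup(domain, "MX", dns)
    # A null MX ("MX 0 .") means the owner declared no mail here, so it gets
    # no MX benefit of the doubt (assumption: fall through to the A rule).
    if mx and not all(target == "." for _, target in mx):
        return GUESS_FOR_MX, "mx-guess"
    if lookup(domain, "A", dns):
        return GUESS_FOR_A, "a-guess"
    return None, "none"


def apply_mode(source: str, enforce_guesses: bool = False) -> str:
    """Published records are enforced; guessed ones are only logged until the
    operator opts in after the log-only observation period the post suggests."""
    if source == "published":
        return "enforce"
    if source in ("mx-guess", "a-guess"):
        return "enforce" if enforce_guesses else "log-only"
    return "skip"
```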