wayne wrote:
Upon further review, I just discovered that this SPF spec says that
you are supposed to return "fail" if the domain does not exist
(RCODE 3/NXDOMAIN). See section 4.4.
This is the text:

    If the domain does not exist (RCODE 3), check_host() exits
    immediately with the result "Fail" and a reason of
    "Domain Does Not Exist"

That looks like a violation of RFC 2821 (Section 3.6 Domain), which states
that domain names should be used that can be resolved to either MX RRs or A
RRs. And refers to section 5 ("Address Resolution and Mail Handling"):

    Once an SMTP client lexically identifies a domain to which mail will
    be delivered for processing (as described in sections 3.6 and 3.7), a
    DNS lookup MUST be performed to resolve the domain name [22]. The
    names are expected to be fully-qualified domain names (FQDNs):
    ... The lookup first attempts to locate an MX
    record associated with the name. If a CNAME record is found instead,
    the resulting name is processed as if it were the initial name. If
    no MX records are found, but an A RR is found, the A RR is treated as
    if it was associated with an implicit MX RR, with a preference of 0,

It is perfectly legit to use a domain name for which only an MX record
exists, for instance. An immediate result "Fail" because of "Domain Does Not
Exist" appears in error.

WTF!?!?!?!!!
*NEVER* should we return an SPF "fail" unless so directed by the
domain owner. If i-hate-spf.com doesn't publish an SPF record and
wants to use a non-existent domain foo.i-hate-spf.com, we should
*NOT*, *EVER*, *UNDER ANY CIRCUMSTANCES*, generate anything other
than the SPF result of "none".

Agreed. Since a domain which does not exist can never have an SPF record
associated with it, the only logical result can ever be "None".

- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
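
An added example, not part of the original message or of any SPF implementation: it runs the record-lookup step of check_host() and the RFC 2821 section 5 MX/A resolution quoted above against a stub resolver, with the NXDOMAIN outcome as a parameter so both positions in the thread can be compared. The zone data, the `.example` names, and the function names are constructed for illustration.

```python
# Added illustration; ZONE is constructed sample data, not real DNS.
NOERROR, NXDOMAIN = 0, 3  # DNS RCODE values

ZONE = {  # owner name -> {RR type: [rdata, ...]}
    "i-hate-spf.example.": {"MX": ["10 mail.i-hate-spf.example."]},
    "mail.i-hate-spf.example.": {"A": ["192.0.2.10"]},
    "spf-user.example.": {"TXT": ["v=spf1 mx -all"], "A": ["192.0.2.20"]},
}

def fqdn(name):
    return name.lower().rstrip(".") + "."

def query(name, rrtype):
    """Stub resolver: (rcode, answers). A name that exists but has no
    records of the requested type is NOERROR with no answers (NODATA)."""
    node = ZONE.get(fqdn(name))
    if node is None:
        return NXDOMAIN, []
    return NOERROR, list(node.get(rrtype, []))

def spf_record_lookup(domain, nxdomain_result):
    """First step of check_host(); nxdomain_result selects the rule under
    debate: "fail" (the quoted draft text) or "none" (the replies)."""
    rcode, txts = query(domain, "TXT")
    if rcode == NXDOMAIN:
        return nxdomain_result, "Domain Does Not Exist"
    records = [t for t in txts if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none", "no SPF record published"
    return "continue", records[0]  # evaluation of mechanisms would follow

def mail_targets(domain):
    """RFC 2821 section 5 as quoted above: MX first, else an A record is an
    implicit MX with preference 0. CNAME chasing is omitted here."""
    rcode, mxs = query(domain, "MX")
    if rcode == NXDOMAIN:
        return []
    if mxs:
        return sorted((int(p), h) for p, h in (m.split() for m in mxs))
    _, addrs = query(domain, "A")
    return [(0, fqdn(domain))] if addrs else []
```

In this model a name that has only an MX record answers the TXT query with RCODE 0 and an empty answer section, so the RCODE 3 branch is reached only for names with no records of any type, such as the `foo.` subdomain in the scenario above.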