wayne wrote:
I think there is a certain danger for using the SPFv1 records for PRA
checkings since there certainly are cases where the set of IP
addresses used to send email with the 2821.MAILFROM identity is not the
same set of IP addresses as the 2822.From: identity.
From talking with both you (Meng) and MarkL, you two have convinced me
that:
1) The number of cases where these two sets are not identical is
small.
2) It is safe to publish the union of these two sets.
3) The domains which are sets are not equal will generally know this
and be very willing to fix their v=spf1 records.
The concern I always had with this line of reasoning was the presumption
that spf records are under the direct control of the domain. For a small
business or personal domain this is not generally the case. If *I* had
been running a domain hosting/email service last spring, I would have
published SPF records for all of my clients. I would have felt safe
doing that since most outsourced shopping carts and email marketing
services set the 2821.MAIL FROM to themselves, to handle errors. In this
scenario, having some receivers now use that record for 2822.FROM would
cause failures, and the failures would have the characteristic that (a)
the domain owner has no idea what is going on, since the domain owner
barely knows that DNS exists, let alone SPF and (b) the actual record
publisher has no easy way of knowing who is now broken, and so has to
unpublish everyone.
But it appears that just about nobody published SPF records on behalf of
non-technical clients, so my objection slowly faded. With all the chaos
and confusion now over what an SPF record (any version) really defines I
don't expect we'll see the kind of proactive publishing I was worried
about. What I do think we will see is a huge proliferation of
sub-domains as people attempt to contain the scope of their published
statements by the only means possible. Neither of these are exactly good
results. But at this point I'm not sure what to do about it.
Margaret.