spf-discuss

Re: the Seth Hypothetical

2004-10-25 08:16:42

On Mon, 25 Oct 2004, Michael Hammer wrote:

If this is the direction that we go then I would propose that the
order that scopes are tested should be the order in which they are
published in a record. A recipient MTA may choose to ignore a
particular scope but the order should not be changed.

That works great in this example:
 EHLO example.com
 MAIL FROM <user@example.com>
With DNS being:
  example.com. SPF "v=spf1 sc=h,m mx ip4:192.168.0.0/16 -all"

Then when you see it you know the publisher wants ehlo checked first and 
then mail from.  

Now let's say that we have
 EHLO bingo.example.com
 MAIL FROM <user@example.com>
With DNS being:
  bingo.example.com. SPF "v=spf1 sc=h a -all"
  example.com. SPF "v=spf1 sc=m mx ip4:192.168.0.0/16 -all"

So how do you decide if you need to check EHLO first or MAIL FROM?

-----------

There is possibly a way, though, to bring publisher-defined rules into
UnifiedSPF. What we can do is add syntax that will allow a published record
for one scope to specify if any other scope can override that record.

So if the publisher for the MAIL-FROM scope sees it as acceptable that, if its
verification failed, a positive EHLO scope result can override this
failure, he can, for example, add (yet another) modifier "scope_override",
which could be like:
  v=spf1 sc=m scope_override=s,h ...

The problem is that this approach, while it works for any specific scope
record, has a problem when it's more than one scope that is specified by
any one SPF record, i.e. if it already says "sc=m,h", it is not clear
how "h" can override "h" (but the interpreter can probably just ignore
something like that). Combinations of more than one scope necessary
to override some other one are also possible, i.e.:
  v=spf1 sc=m scope_override=s,p,h+i
This would mean that to override mail-from you need to have either the submit or
pra scope, or a combination of HELO and PTR scopes.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
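
The "scope_override" proposal in the message above, worked through as an added example that is not part of the original post or of any SPF implementation. It assumes the scope letters as the post uses them (m = mail-from, h = HELO, s = submit, p = pra, i = PTR), result strings such as "pass" and "fail", and the hypothetical function names `parse_record` and `overridden`; an override alternative that names a scope the record itself covers is ignored, following the post's remark about "h" overriding "h".

```python
def parse_record(record):
    """Return (scopes, alternatives) for a record using the proposed syntax.

    scopes       -- set of scope letters from sc=
    alternatives -- list of sets; each set is one '+'-joined combination
                    from scope_override=, any one of which is sufficient.
    """
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not a v=spf1 record")
    scopes, alternatives = set(), []
    for term in terms[1:]:
        name, sep, value = term.partition("=")
        if not sep:
            continue  # a mechanism (mx, ip4:..., -all), not a modifier
        if name == "sc":
            scopes = set(value.split(","))
        elif name == "scope_override":
            # "s,p,h+i" -> [{"s"}, {"p"}, {"h", "i"}]
            alternatives = [set(a.split("+")) for a in value.split(",") if a]
    # Assumption: an alternative that includes a scope this record already
    # covers cannot override the record, so the interpreter drops it.
    alternatives = [a for a in alternatives if not (a & scopes)]
    return scopes, alternatives


def overridden(record, results):
    """True if a failure of this record may be overridden.

    results maps a scope letter to the result obtained for that scope on
    this message; scopes that were not checked are simply absent.
    """
    _, alternatives = parse_record(record)
    return any(
        all(results.get(scope) == "pass" for scope in alt)
        for alt in alternatives
    )


if __name__ == "__main__":
    # Constructed record combining the post's two examples.
    rec = "v=spf1 sc=m scope_override=s,p,h+i mx ip4:192.168.0.0/16 -all"
    print(overridden(rec, {"m": "fail", "h": "pass"}))
    print(overridden(rec, {"m": "fail", "h": "pass", "i": "pass"}))
```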

