On Mon, 25 Oct 2004 13:09:24 -0700 (PDT), Greg Connor
<gconnor(_at_)nekodojo(_dot_)org> wrote:
> Hi guys. I think I missed something. Why do scopes have to have an ordering?
> Is this the order you check them, or something else having to do with figuring
> out whether the terms of the SPF record are applied?
As I wrote in my previous post, I believe that there is a natural
ordering, at least at the 2821 mail transaction (MTA) level. I don't
have MAIL FROM until after I have gotten an EHLO/HELO. If I have a
fail on EHLO, why would I want to proceed any further?
It is a little more problematic when we examine scopes that are within
the data portion of the mail. If we can reject the (bad) mail before
accepting data, that is preferable. If we are looking at the 2822
headers then I would have to defer comments at this point. Having said
this I can't think of a reason an MTA (or a publisher of records)
would look at 2822 From: before looking at EHLO or 2821 MAIL FROM.
>> With a = Any or All scope, perhaps the age of the specification might
>> dictate the order of processing (perhaps also the case with default no
>> scope). In other words, start with the basic SPF specification and test
>> forward based upon both what the publisher has published and what the SPF
>> request processing server has implemented. ...
>> If this is the direction that we go then I would propose that the
>> order that scopes are tested should be the order in which they are
>> published in a record. A recipient MTA may choose to ignore a
>> particular scope but the order should not be changed.
> This goes to the heart of why ordering creates additional problems. Let's
> say that the HELO, From: and MAIL FROM all have different domains, and each
> domain's SPF record disagrees about the ordering. Which one is correctly
> chosen as the first one? If the first two disagree about which one should be
> third, what do you do?
That's why I refer to a sieve approach. The first thing you get is
HELO. Evaluate that (if published). The next thing you will have is
MAIL FROM. Assuming you passed on HELO then evaluate against the
record for that (if published). Finally, evaluate From: against the
record for that domain (if published).
If all three domains/records match then it's gravy and you only have
to do a single lookup. If not, then I'd ask how a different order
would give better results/outcomes. In fact, I'd even argue that
changing the order of evaluation leads to worse outcomes (more
resources consumed, potential abuse).
> I think ordering is important for the software writer to think about, but
> should NOT be built into the SPF record. Assume that when processing of a
> given SPF record starts, the receiver/parser already has a scope in mind --
> our job is only to tell it which parts of the record apply to the "current"
> scope, not where to go next.
> Does that make sense?
The scope is what we are matching against. So within a given scope we
are only interested in the current record. That is, I'm agreeing with
you here.
I would ask however, are we really willing to say that there is no
meaningful difference in terms of the order in which scopes are
evaluated? Common sense tells me that RFC2821 indicates the order in
which we should evaluate some scopes. And I would hardly think that
there is sense in evaluating RFC2822 scopes before evaluating RFC2821
scopes.
As usual, just my 2 cents.
Mike
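As an added illustration (not code from the thread or from any SPF implementation), the "sieve" order described above: scopes are evaluated in the order the SMTP transaction yields them, the first fail stops processing, and a domain that appears in several scopes is looked up once. The policy table, domains and IPs are constructed sample data standing in for DNS.

```python
# Added example (not code from the thread): the "sieve" ordering discussed
# above, with a constructed policy table standing in for DNS lookups.
SCOPE_ORDER = ("helo", "mailfrom", "from")   # order the SMTP transaction yields them

# Constructed sample data: domain -> set of client IPs allowed to send for it.
# A domain absent from the table has published no record.
POLICIES = {
    "example.org": {"192.0.2.10"},
    "example.net": {"198.51.100.7"},
}

def check_domain(domain, client_ip):
    """Single 'lookup' against the constructed table: pass, fail or none."""
    allowed = POLICIES.get(domain)
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"

def evaluate(identities, client_ip, order=SCOPE_ORDER):
    """identities: scope -> domain seen in the transaction (missing = not available).
    Evaluates scopes in `order`, stops at the first fail, and reuses a result when
    several scopes name the same domain. Returns (verdict, lookups, trace)."""
    cache, trace, lookups = {}, [], 0
    for scope in order:
        domain = identities.get(scope)
        if domain is None:
            continue
        if domain not in cache:          # one lookup per distinct domain
            cache[domain] = check_domain(domain, client_ip)
            lookups += 1
        result = cache[domain]
        trace.append((scope, domain, result))
        if result == "fail":             # sieve: reject as early as possible
            return "fail", lookups, trace
    verdict = "pass" if any(r == "pass" for _, _, r in trace) else "none"
    return verdict, lookups, trace

if __name__ == "__main__":
    ids = {"helo": "example.net", "mailfrom": "example.org", "from": "example.org"}
    print(evaluate(ids, "192.0.2.10"))                           # fail after 1 lookup
    print(evaluate(ids, "192.0.2.10", order=SCOPE_ORDER[::-1]))  # fail after 2 lookups
```

Running the same transaction with the order reversed shows the resource point made above: the failing HELO is only reached after the From: and MAIL FROM lookups have already been spent.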