spf-discuss

draft-schlitt-spf-00pre4 now available

2004-11-03 01:35:45


I've done a bunch more work on the draft document for describing the
SPF-classic that I know of and that I will implement in libspf2.
Basically, I am trying to create a better written specification than
spf-draft-200406, but with all the same semantics that I can keep.


This document is *not* intended to be an official statement of what
SPF-classic is, that's up to Meng and MarkL.  I am *not* going to
submit this document to the IETF.  I *do* think people may find this
document useful, so I'm announcing pre-release versions here.


The documents can be found at:

http://www.midwestcs.com/spf/spf_classic_libspf2/draft-schlitt-spf-00pre4.html
http://www.midwestcs.com/spf/spf_classic_libspf2/draft-schlitt-spf-00pre4.txt
http://www.midwestcs.com/spf/spf_classic_libspf2/draft-schlitt-spf-00pre4.xml

A unix diff between draft-lentczner-spf-00.txt and
draft-schlitt-spf-00pre4.txt can be found at:
http://www.midwestcs.com/spf/spf_classic_libspf2/spf-lentczner-schlitt.diff.txt


Again, I am very interested in any feedback about this document.  I
want to know how it conflicts with existing SPF implementations and
how it differs from what you think SPF-classic should be.



One thing I tried hard to do with my editing is to keep the spec
short.  While I have made a great deal of changes, restored a lot of
semantics from spf-draft-200406, and added a lot of stuff here and
there, the resulting document is only two pages longer than MarkL's.
If you remove the Received-SPF header stuff, it is almost exactly the
same length as MarkL's.

Basically, for everything I've added, I've gone and found less
important stuff (IMHO) to remove.  This is something I'm going to try
hard to continue to do.   This also explains what may seem like petty
deletions.


The following is a list of differences between the official
SPF-classic specification and my libspf2 documentation.  The
differences are listed in order that I found them by reviewing the
above mentioned diff.  As a result, the most important changes are
kind of mixed in with the rest.


* The "HELO" identity is explicitly defined

* I say that the SPF-classic spec has not been changing much since
  last winter. 

* cosmetic changes:

  * MAIL FROM vs Mail From  --  most RFCs use the capitalized form

  * Domain name vs host name  --  host names are a subset of domain names.

* restored HELO checking from spf-draft-200406

* NXDOMAIN causes a "None" result rather than a "fail".  Note that
  resolvers will return NXDOMAIN when presented with malformed
  domain names.

  This is kind of messy.  The various SPF classic specs have been
  inconsistent on this subject, and the various implementations that
  I've checked have not been consistent.   *sigh*.

* The only thing that causes a "fail" result is a domain owner having
  a mechanism in their SPF record that says so.

* warning added about domain names with source routes, percent hacks
  and bang paths.

* note about what a Pass result is useful for

* note about what you should do with a SoftFail

* The examples in the spec use TXT RRs instead of SPF RRs

* restored zone cuts from spf-draft-200406

* deleted section that says "additional records" should use _spf.%{d}

* process limit:  DNS packets that are too large MAY be ignored.

* examples and text encourage use of the implicit + on mechanisms.
  e.g. "mx:foo.com" instead of "+mx:foo.com".

* note that the definition of the check_host() function will likely
  need more arguments in real life than what is shown in the spec.

* deleted redundant explanation of results codes in section 4.2

* all syntax errors must be detected, not just when they are
  "encountered". 

* removed support for unknown mechanisms.

* redundant descriptions of modifiers removed from 4.6.3

* the ptr: mechanism and the %{p} macro ignore DNS errors instead of
  triggering TempError.

* process limits:  a limit of 10 MX name lookups per mx: mechanism
  evaluation.
  
* process limits:  a limit of 10 PTR lookups per ptr: mechanism
  evaluation.

* explicitly say that IP address of 10.23.45 is invalid and not just
  the same as 10.23.45.00/24

* allow other specifications to use unrecognized modifiers, not just
  newer versions of SPF.  (e.g., accredit= and ses=)

* SPF implementations can provide a default explanation string if no
  exp= modifier is found.

* process limit:  no more than 10 mechanisms that do DNS lookups.

* process limit:  removed limit on the number of include: mechanisms
  because that is a subset of 10 mechanism limit.

* restored Received-SPF: header from spf-draft-200406

* ABNF cleanup.  (Including allowing the "/" in domain specs again.)

* Unknown % escapes are now syntax errors.  Trying to get the old
  semantics working with ABNF was really messy.

* Unknown macro variables are syntax errors.

* restored %{h} macro variable

* The %{p} macro variable should favor returning the sending domain.

* minor %{t} macro variable clarifications.

* give a suggestion about using "tracking exists: mechanisms" for finding
  your outgoing mail servers.

* section 9.2 "implications for mailing lists" replaced with a note
  that you have to follow the stuff that RFC2821 says you MUST
  do.

* security consideration:  don't let data provided by third parties
  cause problems.

* When a macro string is expanded to more than 255 characters, the
  spec now says to truncate until it is less than *or equal* to 255


-wayne
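
Added example (not part of the original post, the draft, or libspf2): a small record linter showing several of the listed rules together: every term is scanned so syntax errors after "all" are still reported, a three-octet ip4 address is rejected, unknown % escapes and macro variables are errors, unrecognized modifiers pass, and more than 10 DNS-lookup mechanisms is flagged. The mechanism and macro-letter sets are assumptions taken from the later RFC 4408, and all function names are hypothetical.

```python
import re

# Assumptions (not from the post): mechanism and macro-letter sets follow the
# later RFC 4408; every name below is hypothetical.
DNS_MECHS = {"a", "mx", "ptr", "exists", "include"}
ALL_MECHS = DNS_MECHS | {"all", "ip4", "ip6"}
MACRO_LETTERS = set("slodiphcrtv")
MAX_DNS_MECHS = 10  # "no more than 10 mechanisms that do DNS lookups"

def valid_ip4(spec):
    """Require four octets: 10.23.45 is invalid, not shorthand for a /24."""
    addr, slash, plen = spec.partition("/")
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return False
    return not slash or (plen.isdigit() and int(plen) <= 32)

def macro_errors(term):
    """Flag unknown % escapes and unknown macro variables as syntax errors."""
    errs = []
    for m in re.finditer(r"%(\{[^}]*\}?|.|$)", term):
        body = m.group(1)
        if body in ("%", "_", "-"):
            continue  # the three literal escapes: %%, %_, %-
        macro = re.fullmatch(r"\{([A-Za-z])\d*r?[.\-+,/_=]*\}", body)
        if not macro:
            errs.append(f"unknown % escape: %{body}")
        elif macro.group(1).lower() not in MACRO_LETTERS:
            errs.append(f"unknown macro variable: %{body}")
    return errs

def lint_spf(record):
    """Scan every term, even those after 'all', and return all errors found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    errs, dns = [], 0
    for term in terms[1:]:
        errs += macro_errors(term)
        if re.match(r"[A-Za-z][A-Za-z0-9._-]*=", term):
            continue  # modifier: unrecognized ones (accredit=, ses=) are allowed
        m = re.fullmatch(r"[+\-~?]?([A-Za-z0-9]+)(.*)", term)
        name = m.group(1).lower() if m else term
        if name not in ALL_MECHS:
            errs.append(f"unknown mechanism: {name}")
        elif name == "ip4" and not (m.group(2)[:1] == ":" and valid_ip4(m.group(2)[1:])):
            errs.append(f"invalid ip4 address: {m.group(2)[1:]}")
        dns += name in DNS_MECHS
    if dns > MAX_DNS_MECHS:
        errs.append(f"{dns} DNS-lookup mechanisms exceed the limit of {MAX_DNS_MECHS}")
    return errs
```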