spf-discuss

Re: Re: v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.

2004-11-04 14:58:23
In <Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0411041340160(_dot_)961-100000(_at_)sokol(_dot_)elan(_dot_)net> "william(at)elan.net" <william(_at_)elan(_dot_)net> writes:

This means that SPF2 implementations should not check the MAIL FROM, only
the PRA. Is that intentional?

What SPF2 implementations? Name one please!

Well, I'm sure that Phillip Hallam-Baker can tell us all about ones
that are being extensively used.  After all, he claims that the PRA
works well in the "real world" and I'm sure he would never make such
claims without having a solid basis in facts.


Sendmail has a SenderID milter, which I guess is what is probably
meant by "SPF2 implementations".  Of course, it has always played fast
and loose with what records it checks.  From what I can tell, by
reading the source code, it will consider "v=spf1" and "spf2.0/pra" to
be in all ways equivalent, using the first one found for either
"SenderID" checks or "SPF-classic" checks.  It does not appear to
consider duplicate records as being an error.

So, if you publish the opt-out SenderID record of "spf2.0/pra ?all",
the round-robin DNS will cause it to be used only half the time when
doing SenderID checks and it will mistakenly use it half the time for
SPF-classic checks.

Mind you, I wouldn't worry too much about this causing deployment
problems.  There have been less than 600 downloads and I account for
about 1% (5) even though I haven't run sendmail since the mid 1990s.
(Yeah, I have finally started saving the tarballs somewhere other than
/tmp, so I shouldn't cause duplicate downloads anymore.)


-wayne
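
The record-selection behaviour described in the message, modelled as an added example; it is not part of the original post and is not the milter's code. The domain's TXT records, the function names and the scope mapping (v=spf1 treated as MAIL FROM only) are assumptions made for this sketch.

```python
import random

# Constructed TXT RRset for a hypothetical domain: an SPF-classic policy plus
# the SenderID opt-out record discussed in the message.
TXT_RRSET = ["v=spf1 mx -all", "spf2.0/pra ?all"]

def scopes_of(record):
    """Identities a record covers, taken from its version tag (first token).
    Assumption for this sketch: v=spf1 covers MAIL FROM ("mfrom") only."""
    parts = record.split()
    tag = parts[0].lower() if parts else ""
    if tag == "v=spf1":
        return {"mfrom"}
    if tag.startswith("spf2.0/"):
        return set(tag[len("spf2.0/"):].split(","))
    return set()

def select_lax(rrset, scope):
    """Behaviour described in the message: both versions count as equivalent,
    the first policy record in the answer wins, and `scope` is ignored."""
    for rec in rrset:
        if scopes_of(rec):
            return rec
    return None

def select_strict(rrset, scope):
    """Use only a record whose version covers `scope`; duplicates are an error."""
    matches = [r for r in rrset if scope in scopes_of(r)]
    if len(matches) > 1:
        raise ValueError("multiple records for scope " + scope)
    return matches[0] if matches else None

def lax_misuse_rate(rrset, scope, trials=10000, seed=1):
    """Fraction of randomly ordered DNS answers in which the lax selector
    evaluates a record that does not cover the identity being checked."""
    rng = random.Random(seed)
    wrong = 0
    for _ in range(trials):
        answer = rrset[:]
        rng.shuffle(answer)  # stands in for round-robin answer ordering
        if scope not in scopes_of(select_lax(answer, scope)):
            wrong += 1
    return wrong / trials

if __name__ == "__main__":
    for scope in ("mfrom", "pra"):
        print(scope, "strict:", select_strict(TXT_RRSET, scope),
              "| lax wrong-record rate:", lax_misuse_rate(TXT_RRSET, scope))
```

A receiver or domain owner can use the strict selector as a check on published records: it fails loudly on duplicates instead of silently depending on answer order.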