spf-discuss

RE: include: enhancement suggestion

2004-11-12 09:47:22
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
Commerco WebMaster
Sent: Friday, November 12, 2004 11:36 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] include: enhancement suggestion


The following was included in a reply to the "Odd Problem" thread, but I
wanted to get some direct feedback to my thought as expanded here.

Does it make any sense at all (or would it be appropriate) to have an
additional parameter associated with an "include:" to force MX compliance
at the included domain only if no SPF is published at the included domain
(e.g., perhaps something like "include:DNS77.COM include-:MX")?

Where the include-: could have all appropriate standard SPF syntax to
follow (e.g. IP4:, A, MX, etc).

In this way, a domain owner could be explicit about what gets sent and
received via a non-SPF publishing third party "include:" domain.  For
example, if I was a LARGEISP.NET user and wanted to send mail from my
domain, but through LARGEISP.NET's MTA, if I created a record with
include:LARGEISP.NET and include-: MX, that might mean it was acceptable
for me to send mail from my domain name, through LARGEISP.NET but only via
LARGEISP.NET's MX servers.

Adding mx:largeisp.net would achieve the same goal.

I realize that one is essentially publishing an SPF record for another
domain in doing this, but it does allow the publishing domain name owner to
be more explicit in their desires if the include domain itself does not
publish SPF records.  Perhaps a proposed "include-:" could actually use the
"all" syntax for its characters to be more clear with intent - in other
words, "include+:", "include-:", "include?:", etc.

No, it's just including MTAs under someone else's administrative control in
your domain's SPF record.  Nothing strange here.

Arguably, this could end up living longer for situations where an ISP might
not be willing or able to publish SPF records for other domains their users
might have, but might be willing to allow FROM domain through their SMTP
server for domains that publish SPF records indicating this is an
acceptable choice by the domain owner.

Surely that's a matter between the domain owner and the ISP (who have a
direct contractual relationship).  If the ISP wants to check the SPF record
for the mail-from: address before sending the mail, they can do that without
any new mechanisms.  It's probably more efficient for them to work out
authorizations for different mail identities in advance rather than check in
real time.

Perhaps another parameter might exist to let an ISP who does publish SPF to
allow or not allow that choice (e.g. a noinclude(+)(-)(?): parameter to
indicate that this behavior is not acceptable) for domain owners who might
wish such a domain owner syntax to live on past when the ISP publishes an
SPF record.

I think that would be beyond the scope of SPF.  SPF is for the sender to define
their policy, not for the ISP to define theirs.  ISPs need to control access
to their MTAs and limit use to appropriate mail identities as part of their
authorization process.  That process, however, is well beyond SPF.

Scott Kitterman
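
An added example, not part of the original message: a simplified Python SPF evaluator over constructed DNS data, showing the case discussed in the thread. Under RFC 7208 semantics, "include:" of a domain that publishes no SPF record yields permerror, while "mx:largeisp.net" authorizes that domain's MX hosts directly. The domains example.org and example.net, the MX host names and the addresses are assumptions made up for the illustration.

```python
import ipaddress

# Constructed DNS data (documentation addresses). largeisp.net publishes no SPF record.
DNS = {
    "txt": {"example.org": "v=spf1 include:largeisp.net -all",
            "example.net": "v=spf1 mx:largeisp.net -all"},
    "mx": {"largeisp.net": ["mx1.largeisp.net", "mx2.largeisp.net"]},
    "a": {"mx1.largeisp.net": ["192.0.2.10"], "mx2.largeisp.net": ["192.0.2.11"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, dns=DNS):
    """Evaluate a simplified SPF subset (include, mx, ip4, all) for one sender IP."""
    record = dns["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "mx":
            # mx:<domain> matches the A records of that domain's MX hosts.
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(ip in dns["a"].get(h, []) for h in hosts)
        elif name == "include":
            inner = check_host(ip, arg, dns)
            if inner in ("none", "permerror"):
                # RFC 7208 section 5.2: the included domain has no usable record.
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

if __name__ == "__main__":
    for dom in ("example.org", "example.net"):
        print(dom, check_host("192.0.2.10", dom))
```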

