spf-discuss

Re: op=s u b

2004-12-04 13:33:04
BTW Frank is correct, messages containing s u b in the subject line (or first few lines) are flagged as "administrivia" and held for the moderator. (There is a lot of spam in the Held queue too so prior attempts to post got overlooked.)

I'm going to try op=s u b in the sub and see what happens.

--Greg Connor <gconnor(_at_)nekodojo(_dot_)org> wrote:

--Frank Ellermann <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:

6.3.4  The optional "sub" property

   SPF implementations are expected to determine the "zone cut"
   for a given domain if it does not have its own sender policy.

   The strategy outlined in [RfC 2181] chapter 6 for this task
   is not necessarily the best strategy.  A simple way to find
   a sender policy above any given domain is to walk up the tree
   by removing labels left to right.  This procedure could find
   a sender policy for a domain below the wanted "zone cut".

I would suggest to stop at any domain that has an SOA but no TXT v=spf1.
Walking up the tree further than where an SOA is found can get you into a
zone where someone else has authority.  (If we do not stop where an SOA
is found, we could be subject to inappropriate usage by NSI in com. or
net. or CC-NIC in cc., etc.)

This means that if your organization has many sub-zones and delegations,
they should put SPF records wherever SOA records appear.  Hopefully this
is an OK tradeoff.  It's slightly more work for large sites, but avoids
the risk of a domain you don't actually own messing things up for you
(especially for people who don't publish SPF yet).


   The "sub" property instructs implementations that the found
   sender policy MUST NOT be used for subdomains.  Because SPF
   implementations are free to ignore all options SPF records
   at the "zone cut" SHOULD NOT specify the "sub" property.

If the "sub" property keeps subdomains from being affected, would it be
better to call it op=nosub?

I didn't quite understand the second sentence... you might want to make
that clearer or break it up into two sentences.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>




--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
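
The tree walk discussed in this message, with the proposed rule of stopping at any name that has an SOA but no v=spf1 record, as an added example that is not part of the original post or of any SPF implementation. The in-memory SAMPLE_DNS table, the function names, and the spelling of the option as an "op=sub" token inside the record are assumptions made for illustration.

```python
# Constructed sample data: a toy DNS view, not real zone contents.
# Each name maps to {"SOA": bool, "TXT": [records]}.
SAMPLE_DNS = {
    "example.com": {"SOA": True, "TXT": ["v=spf1 mx -all"]},
    "eng.example.com": {"SOA": True, "TXT": []},  # delegated zone, no policy
    "nosub.example": {"SOA": True, "TXT": ["v=spf1 a -all op=sub"]},
    "com": {"SOA": True, "TXT": []},
}

def spf_record(dns, name):
    """Return the first TXT record that is a v=spf1 policy, or None."""
    for txt in dns.get(name, {}).get("TXT", []):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None

def find_policy(dns, domain):
    """Walk up from `domain`, removing labels left to right.

    Returns (owner_name, record) on success or (None, reason) otherwise.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        record = spf_record(dns, name)
        if record is not None:
            # A policy found above the queried name would be applied to a
            # subdomain; the "sub" property (assumed token: op=sub) forbids it.
            if i > 0 and "op=sub" in record.split():
                return None, f"policy at {name} excludes subdomains"
            return name, record
        if dns.get(name, {}).get("SOA"):
            # Zone apex without a policy: stop here rather than climb into
            # a parent zone where someone else has authority.
            return None, f"stopped at SOA for {name}"
    return None, "no policy found"
```
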

