spf-discuss

Zonecuts specified in SPF draft (was draft-schlitt-spf-02 now available)

2004-12-29 14:54:45

|  An SPF record published at the zone cut for the domain will be used
|  as a default for all other domains and subdomains within the zone.
|  See Section 4.5 for details.  Domain owners SHOULD publish SPF
|  records for hosts used for the HELO and MAIL FROM identities instead
|  of using the zone cut default because the fallback requires
|  additional DNS lookups.  The zone cut default does reduce the need to
|  publish SPF records for non-email related hosts, such as
|  www.example.com.

Ok. When did we decide that there is a consensus that SPF will support
zonecut spf records for subdomains?

Zonecuts are in spf-draft-200406.

I admit that zonecuts are not widely implemented and this is one thing
that I could see being removed.  

I would like to see more discussion from people on the list on whether zonecuts
should be supported by SPF and how. If it's not yet implemented we may have
a chance to support it better than forcing people to do redirects. I
believe that it is best to have a specific modifier or specific subdomain
that is used for adding the "default" zonecut spf record.
 
(So Wayne - you want to run another experiment to get the numbers?)

I have no easy way of running such an experiment.

Now my personal opinion is that it's ok to do it but we must make these
"zonecut" records distinguishable from all other SPF records and to do

Zonecut usage can be (effectively) distinguished via:

example.com.                    TXT  "v=spf1 redirect=%{o}._spf.example.com"
example.com._spf.example.com.   TXT  "v=spf1 <specific record for example.com>"
*._spf.example.com.             TXT  "v=spf1 <general default>"

Add to that somebody who wants to distinguish MAIL-FROM and HELO ....

Yes, this is as ugly as the stuff needed to distinguish HELO checking from
MAIL FROM checking.  If we had understood the situation better in 2003, we
would likely have made better choices.

I disagree with your assertions that it is too late - it's not an RFC yet,
it's all still in the experimental stage and we can make these changes and I
think within 1 year every implementor will have followed what we suggest.

And a person will forget that the main "spf" also applies to "star" which here
happened to be on a different subnet and thus would fail the spf lookup because
the main spf record at the zone cut does not include that net. I'm a DNS administrator
for close to a thousand domains and can tell you that I would not have entered
an SPF record for each and every subdomain record - only for the primary zone and
for known mail servers - others I would just not know for sure or would
have had to contact many people to find out for sure when they are set up
for a client.

I'm not sure if you are saying that this is a bug or a feature.  It is
my opinion that the vast majority of domain owners assume that the SPF
record they enter at the top of the zone will apply to all subdomains.

DNS administrators typically do not see one record applying to everything
else in that zone and to all subdomains. It never happened before and they
will not realize it until somebody tells them. Some will consider it useful
and some will not, but I think the majority who add the record will not know
about its "*" applicability. That is why I said that one of the best ways
is to specify a "*"-like subdomain "*spf*" or possibly just "**" (this
being more in case other applications follow spf on zonecut tests).

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
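The redirect=%{o}._spf.example.com layout quoted in the reply above interacts with real DNS wildcard rules (RFC 4592) in a way worth checking before deploying it. The Python simulation below is an added example, not code from the thread or from any SPF implementation; it models the zonecut fallback (simplified to the zone apex), the %{o} expansion and the redirect, and the record contents plus the mail.example.com entry are constructed. It shows that, as posted, the specific record at example.com._spf.example.com creates an empty non-terminal (com._spf.example.com) that blocks the wildcard for every name ending in example.com._spf.example.com, so subdomains end with no record at all rather than the general default; removing that specific record lets the wildcard apply.

```python
# Constructed zone, following the layout quoted in the thread.  The SPF
# terms after "v=spf1" are placeholders for "<specific record>" and "<default>".
APEX = "example.com"
ZONE_AS_POSTED = {
    "example.com": "v=spf1 redirect=%{o}._spf.example.com",
    "example.com._spf.example.com": "v=spf1 mx -all",   # specific record
    "*._spf.example.com": "v=spf1 -all",                # general default
    "mail.example.com": "v=spf1 a -all",                # host with its own record
}
# Same zone without the apex-specific record, to show the wildcard working.
ZONE_WITHOUT_SPECIFIC = {k: v for k, v in ZONE_AS_POSTED.items()
                         if k != "example.com._spf.example.com"}

def labels(name):
    return name.lower().rstrip(".").split(".")

def dns_txt(zone, qname):
    """TXT lookup with RFC 4592 wildcard semantics.

    A wildcard only synthesises an answer when the closest encloser (the
    longest existing ancestor of qname, empty non-terminals included) is the
    wildcard's parent.  Every owner name implicitly creates its ancestors.
    """
    if qname in zone:
        return zone[qname]
    existing = set()
    for owner in zone:
        parts = labels(owner)
        existing.update(".".join(parts[i:]) for i in range(len(parts)))
    parts = labels(qname)
    for i in range(1, len(parts)):
        ancestor = ".".join(parts[i:])
        if ancestor in existing:               # closest encloser found
            return zone.get("*." + ancestor)   # source of synthesis, or nothing
    return None

def spf_for(zone, domain):
    """Zonecut fallback (apex only here) followed by one redirect= hop.

    %{o} is the sender's domain, which for this simulation is the checked
    domain.  Returning None means the redirect led to no record, which SPF
    treats as an error, not as a default.
    """
    rec = dns_txt(zone, domain)
    if rec is None and (domain == APEX or domain.endswith("." + APEX)):
        rec = dns_txt(zone, APEX)              # zonecut default
    if rec is None:
        return None
    rec = rec.replace("%{o}", domain)          # only the %{o} macro is modelled
    if "redirect=" in rec:
        target = rec.split("redirect=", 1)[1].split()[0]
        return dns_txt(zone, target)
    return rec
```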

