On Thu, Jan 13, 2005 at 04:54:00PM +0100, Roger Moser wrote:
If no matching records are returned for the <domain>, the SPF client
MUST find the Zone Cut as defined in [RFC2181] section 6 and repeat
the above steps.  The <domain>'s zone origin is then searched for SPF
records.  If an SPF record is found at the zone origin, the <domain>
is set to the zone origin as if a "redirect" modifier was executed.
I no longer find this a good idea without having a "match_subdomains=yes"
modifier as specified in spf-draft-200406. The reason is the following example:
hostpoint.ch.             TXT     "v=spf1 mx ?all"
hostpoint.ch.             MX      1 mail.hostpoint.ch.
mail.hostpoint.ch.        A       217.26.48.126
server16.hostpoint.ch.    A       217.26.52.26
MAIL FROM:<xyz@server16.hostpoint.ch>
server16.hostpoint.ch has no SPF record and the SPF record at hostpoint.ch
(zone cut) does not authorize 217.26.52.26 (=server16.hostpoint.ch) to send
mail.
Maybe I don't get it.
First of all, in this case it would result in "?all" and that
is to be considered equal to not having a record at all.
Would the policy be different, say "v=spf1 mx -all", then it
would make a difference.  In that case, the entity responsible
for the entire zone including this host, would have set a
policy that no host can send mail unless authorized to do so.
If server16 is authorized to send mail, add a record for its
domain, or add an entry in the overall domain.
So, what am I missing?
cheers,
Alex
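The following is an added illustration, not code from either poster or from any SPF draft: a toy SPF check that walks up to the zone cut when the sender's domain has no record, using the four DNS records quoted above as constructed, in-memory data. It lets you compare the three cases the thread discusses (the "?all" policy, the "-all" policy, and the fix of giving server16 its own record). The zone-cut step is approximated by walking up the labels to the nearest name that owns records; a real client would use RFC 2181 section 6 (SOA/NS delegation), and only the "mx", "a" and "all" mechanisms are implemented.

```python
# Added example: toy SPF evaluation with zone-cut fallback.
# DNS data is constructed from the records quoted in the thread; everything
# else (function names, the label-walking zone-cut approximation, the subset
# of mechanisms) is an assumption of this example, not any SPF draft's code.

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_zone(policy="?all"):
    """Constructed zone data from the quoted example. `policy` is the final
    term of hostpoint.ch's record so "?all" and "-all" can be compared."""
    return {
        "hostpoint.ch.": {"TXT": [f"v=spf1 mx {policy}"],
                          "MX": ["mail.hostpoint.ch."]},
        "mail.hostpoint.ch.": {"A": ["217.26.48.126"]},
        "server16.hostpoint.ch.": {"A": ["217.26.52.26"]},
    }


def lookup(zone, name, rtype):
    return zone.get(name, {}).get(rtype, [])


def spf_record(zone, domain):
    """Return the first v=spf1 TXT record at `domain`, or None."""
    for txt in lookup(zone, domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def zone_cut(zone, domain):
    """Approximation (assumed, not RFC 2181 s.6): nearest ancestor name that
    owns any records in our toy zone data."""
    labels = domain.rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:]) + "."
        if parent in zone:
            return parent
    return None


def evaluate(zone, domain, ip, record):
    """Evaluate an SPF record left to right; first matching term decides."""
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "mx":
            for mx in lookup(zone, domain, "MX"):
                if ip in lookup(zone, mx, "A"):
                    return QUALIFIER[qual]
        elif term == "a":
            if ip in lookup(zone, domain, "A"):
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    # No term matched and no "all": default result is neutral.
    return "neutral"


def check_host(zone, ip, sender_domain, walk_zone_cut=True):
    """SPF check for MAIL FROM:<...@sender_domain> sent from `ip`.

    If the sender domain has no record and walk_zone_cut is set, fall back
    to the zone cut's record as if a "redirect" modifier pointed there."""
    domain = sender_domain
    record = spf_record(zone, domain)
    if record is None and walk_zone_cut:
        cut = zone_cut(zone, domain)
        if cut is not None and spf_record(zone, cut) is not None:
            domain, record = cut, spf_record(zone, cut)
    if record is None:
        return "none"
    return evaluate(zone, domain, ip, record)


if __name__ == "__main__":
    for policy in ("?all", "-all"):
        print(policy, "->",
              check_host(build_zone(policy), "217.26.52.26",
                         "server16.hostpoint.ch."))
    # Alex's fix: give server16 its own record authorising its address.
    fixed = build_zone("-all")
    fixed["server16.hostpoint.ch."]["TXT"] = ["v=spf1 a -all"]
    print("own record ->",
          check_host(fixed, "217.26.52.26", "server16.hostpoint.ch."))
```

With the quoted "?all" policy the fallback yields neutral, the same practical outcome as having no record at all; with "-all" the zone-wide policy turns it into a fail for server16, and adding a record at server16 (or listing it in hostpoint.ch's record) restores a pass.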