spf-discuss

Re: Zonecuts specified in SPF draft

2005-01-13 14:57:00
I wrote:

I no longer find this a good idea without having a "match_subdomains=yes"
modifier as specified in spf-draft-200406. The reason is the following
example:

hostpoint.ch.           TXT     "v=spf1 mx ?all"
hostpoint.ch.           MX      1 mail.hostpoint.ch.
mail.hostpoint.ch.      A       217.26.48.126
server16.hostpoint.ch.  A       217.26.52.26

MAIL FROM:<xyz@server16.hostpoint.ch>

server16.hostpoint.ch has no SPF record and the SPF record at hostpoint.ch
(zone cut) does not authorize 217.26.52.26 (=server16.hostpoint.ch) to
send mail.

Alex answered:

Maybe I don't get it.

First of all, in this case it would result in "?all" and that
is to be considered equal to not having a record at all.

Would the policy be different, say "v=spf1 mx -all", then it
would make a difference.  In that case, the entity responsible
for the entire zone including this host, would have set a
policy that no host can send mail unless authorized to do so.

If server16 is authorized to send mail, add a record for its
domain, or add an entry in the overall domain.

So, what am I missing?

server16.hostpoint.ch is only used for sending mail from a website. Normal
mail is sent from mail.hostpoint.ch. Obviously the administrator forgot to
publish an SPF record for server16.hostpoint.ch. Now if he changes "?all" to
"-all" (still forgetting server16.hostpoint.ch), then mail from
server16.hostpoint.ch will be rejected.

Note that this is just an example.

Roger
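
The scenario discussed in this message, worked through as an added example (not code from the original post or from any SPF implementation): a minimal evaluator that handles only the "mx" and "all" mechanisms and models the zone-cut lookup as "use the apex record when the host publishes none". The function names, the fallback model and the choice to resolve "mx" against the domain that published the policy are assumptions; the zone data is constructed from the records quoted above.

```python
# Constructed zone data, copied from the records quoted in the message.
ZONE = {
    ("hostpoint.ch", "TXT"): ["v=spf1 mx ?all"],
    ("hostpoint.ch", "MX"): ["mail.hostpoint.ch"],
    ("mail.hostpoint.ch", "A"): ["217.26.48.126"],
    ("server16.hostpoint.ch", "A"): ["217.26.52.26"],
}
ZONE_APEX = "hostpoint.ch"  # assumption: the zone cut sits at the apex
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_policy(domain, zone, zone_cut_fallback):
    """Return (policy_domain, record); optionally fall back to the zone cut."""
    candidates = [domain]
    if zone_cut_fallback and domain.endswith("." + ZONE_APEX):
        candidates.append(ZONE_APEX)
    for name in candidates:
        for txt in zone.get((name, "TXT"), []):
            if txt == "v=spf1" or txt.startswith("v=spf1 "):
                return name, txt
    return None, None


def check_host(ip, domain, zone=ZONE, zone_cut_fallback=True):
    """Evaluate 'mx' and 'all' only, which is all the quoted record uses."""
    policy_domain, record = find_policy(domain, zone, zone_cut_fallback)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all":
            return RESULTS[qualifier]
        if mech == "mx":
            # Assumption: 'mx' is resolved against the domain that published the policy.
            for mx in zone.get((policy_domain, "MX"), []):
                if ip in zone.get((mx, "A"), []):
                    return RESULTS[qualifier]
        else:
            return "permerror"  # mechanism outside the scope of this sketch
    return "neutral"


def with_policy(record):
    """Copy of the constructed zone with the apex TXT record replaced."""
    return {**ZONE, ("hostpoint.ch", "TXT"): [record]}
```

With the published "?all" record, mail from server16 evaluates to neutral through the fallback; replacing the record with "v=spf1 mx -all" turns the same lookup into fail, while disabling the fallback yields none in both cases.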