Roger Moser [Roger(_dot_)Moser(_at_)rama(_dot_)pamho(_dot_)net] wrote:
Roger Moser wrote:
I no longer find this a good idea without having a
"match_subdomains=yes" modifier as specified in spf-draft-200406. The
reason is the following example:

    hostpoint.ch.           TXT  "v=spf1 mx ?all"
    hostpoint.ch.           MX   1 mail.hostpoint.ch.
    mail.hostpoint.ch.      A    217.26.48.126
    server16.hostpoint.ch.  A    217.26.52.26

    MAIL FROM:<xyz@server16.hostpoint.ch>

server16.hostpoint.ch has no SPF record and the SPF record at
hostpoint.ch (zone cut) does not authorize 217.26.52.26
(=server16.hostpoint.ch) to send mail.
server16.hostpoint.ch is only used for sending mail from a website.
Normal mail is sent from mail.hostpoint.ch. Obviously the administrator
forgot to publish an SPF record for server16.hostpoint.ch. Now if he
changes "?all" to "-all" (still forgetting server16.hostpoint.ch), then
mail from server16.hostpoint.ch will be rejected.
Exactly. What's the problem?
The admin really just should add "a:server16.hostpoint.ch" (or something
to that effect) to the existing SPF record, or add another SPF record for
server16.
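
The scenario discussed in this thread, worked through as an added example (not part of the original messages and not code from any SPF implementation): a small evaluator over the zone data quoted above, showing the result for mail from server16 with and without the zone-cut fallback, after tightening `?all` to `-all`, and after either fix suggested in the reply. Assumptions: the fallback is modelled as walking up to the nearest parent name that has a record, a bare `mx` or `a` is evaluated against the name that owns the record, and the separate record `v=spf1 a -all` for server16 is a constructed value.

```python
# Added illustration: a minimal SPF evaluator over an in-memory copy of the
# thread's zone (no DNS queries). Only mx, a and all are implemented.
RESULT = {"+": "pass", "-": "fail", "?": "neutral", "~": "softfail"}

def make_zone(apex_spf, extra_txt=None):
    """Zone data from the thread, with a configurable SPF record at the apex."""
    zone = {
        "A": {"mail.hostpoint.ch": ["217.26.48.126"],
              "server16.hostpoint.ch": ["217.26.52.26"]},
        "MX": {"hostpoint.ch": ["mail.hostpoint.ch"]},
        "TXT": {"hostpoint.ch": apex_spf},
    }
    zone["TXT"].update(extra_txt or {})
    return zone

def find_record(zone, domain, zone_cut_fallback):
    """Return (owner, record). With fallback on, walk up to the nearest parent
    that has a record (assumed model of the zone-cut lookup; never tries the TLD)."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        if name in zone["TXT"]:
            return name, zone["TXT"][name]
        if not zone_cut_fallback:
            break
    return None, None

def check_host(zone, ip, domain, zone_cut_fallback=False):
    owner, record = find_record(zone, domain, zone_cut_fallback)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-?~").partition(":")
        if name == "all":
            return RESULT[qual]
        if name == "mx":                     # assumption: bare mx/a use the record owner
            hosts = zone["MX"].get(arg or owner, [])
        elif name == "a":
            hosts = [arg or owner]
        else:
            continue                         # mechanisms outside this sketch are skipped
        if any(ip in zone["A"].get(h, []) for h in hosts):
            return RESULT[qual]
    return "neutral"                         # no mechanism matched and no "all" term

def server16_result(apex_spf, fallback=True, extra_txt=None):
    zone = make_zone(apex_spf, extra_txt)
    return check_host(zone, "217.26.52.26", "server16.hostpoint.ch", fallback)
```
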