On Thu, Feb 10, 2005 at 04:47:15PM -0700, Commerco WebMaster wrote:
> Absolutely true. But if a receiver application or add-in is going to claim
> it supports SPF, it really should follow the basic SPF specification for
> published SPF Version 1 DNS txt records.

It should, yes. Therefore it should assume a message is a forgery (if
-all is hit). But I don't think the specification says one MUST reject
the message. Think SpamAssassin and the like.

>> And I'm not entirely sure about the status of looking up the zone cut.
>> Most likely there are plenty of clients that do not look at subdomains.

> This is disappointing to learn. When you say clients, I think (hope) you
> mean MTAs supporting SPF. The feature allowing for the SPF REDIRECT syntax
> was part of SPF version 1 and seems an obvious thing to support for larger
> companies with delegated internal DNS zones as well as those others who
> chose to implement wildcard DNS records for their domains where such
> flexibility is required.

You think publishing redirect covers an entire zone?
Others please step in if I'm the one getting this wrong:
I query "a.b.c.something.whatever.example.com TXT", you (example) publish
"v=spf1 redirect:_spf.example.com", you think I get an answer?
If you do think this: Forget about it. You could as well publish
"v=spf1 -all".
If OTOH you publish "v=spf1 redirect:_spf.example.com" for each and
every domain (not: host!) then you get what you think you get.
This is unless the zone-cut, tree-walking or whatever it is called makes
it into the spec. I do think it should be there, eventually, but I doubt
it is in right now.

>> At the moment there are plenty of domains experimenting with SPF. Some
>> of those _are_not_ sure, yet they do publish -all.

> Again, I think we agree. If a publisher goes with other than a -all
> syntax, then the behavior may not be to reject, but rather whatever the
> specification indicates. Given that some might argue "correct" behavior
> could be vague or get misinterpreted when specifying ~all (I am not too
> sure that is true), I suppose all bets on behavior for ~all syntax may be

Trust me. Some misguided DNS hosting company or such has published an
SPF record for its clients (without them knowing about it) and people
get their mail rejected.
Knowing this, you cannot blame the customers of this hosting company for
publishing -all. Would you block? The answer might be yes and that wouldn't
be a bad decision. However, the answer may be no and this too wouldn't be
a bad decision.

regards,
Alex
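
The exact-name lookup discussed in this message, as an added example that is not part of the original post: a simplified resolver over a constructed zone, showing that a record at example.com gives no policy for a deeper name unless one is published there. It uses the `redirect=` modifier spelling from the SPF specification; the zone contents, `MAX_REDIRECTS` and the function names are assumptions made for illustration.

```python
# Constructed sample zone: one TXT string per exact owner name.
ZONE = {
    "example.com": "v=spf1 redirect=_spf.example.com",
    "mail.example.com": "v=spf1 redirect=_spf.example.com",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
MAX_REDIRECTS = 10  # assumption: cap chosen here to stop redirect loops


def normalize(name):
    return name.rstrip(".").lower()


def effective_policy(name, zone=ZONE):
    """Return (result, names_consulted) for an exact-name SPF lookup.

    Simplified: no mechanism matching, just which record ends the chain.
    The lookup never walks up to a parent domain.
    """
    name, consulted = normalize(name), []
    for _ in range(MAX_REDIRECTS + 1):
        record = zone.get(name)
        if record is None or record.lower().split()[:1] != ["v=spf1"]:
            # No record at the queried name: "none". A redirect that
            # points at a name without a record is an error instead.
            return ("permerror" if consulted else "none", consulted)
        consulted.append(name)
        terms = record.split()[1:]
        has_all = any(t.lstrip("+-~?").lower() == "all" for t in terms)
        targets = [t.split("=", 1)[1] for t in terms
                   if t.lower().startswith("redirect=")]
        if has_all or not targets:  # redirect is ignored when "all" is present
            return (record, consulted)
        name = normalize(targets[0])
    return ("permerror", consulted)


def uncovered(names, zone=ZONE):
    """Names for which a receiver doing exact-name lookups finds no policy."""
    return [n for n in names if effective_policy(n, zone)[0] == "none"]


if __name__ == "__main__":
    for host in ("example.com", "mail.example.com",
                 "a.b.c.something.whatever.example.com"):
        print(host, "->", effective_policy(host))
```

Running `uncovered()` over the list of names that actually appear in envelope senders or HELO strings shows which of them still need their own record.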