spf-discuss

Re: Sanity check

2005-03-04 08:20:19
On Fri, Mar 04, 2005 at 09:59:22AM -0500, Mark Shewmaker wrote:
My understanding is that mx mechanisms shouldn't include IP
addresses:

1.  Since MX names must be domain names anyway, and
2.  since in the context of spf, it doesn't make sense for IPs
    to be listed under "mx:" as opposed to "ip4:" or "ip6", and
3.  since the spec does refer to the right-hand-side being
    a domain-spec.

Is this correct?

It is.

The reason I ask is because of:

    $ host -t txt advanta.com
    advanta.com text "v=spf1 mx ptr mx:12.40.127.100 mx:12.40.127.108 ~all"

Given that the two IPs listed are their mx hosts, it looks like they
could just as well use "v=spf1 mx ptr ~all"

Furthermore, when you resolve the IP numbers to names, you
get "mail-in.advanta.com" and "mail-out.advanta.com"

Let's assume for a moment that they did indeed aggregate
their outgoing mail and that they use one server only:

 "v=spf1 ip4:12.40.127.108 ~all"
or
 "v=spf1 a:mail-out.advanta.com ~all"

If the "mail-in" server serves as a backup:

 "v=spf1 ip4:12.40.127.108 ip4:12.40.172.100 ~all"
or
 "v=spf1 a:mail-out.advanta.com a:mail-in.advanta.com ~all"
or
 "v=spf1 mx ~all"

The ptr mechanism is necessary only when they do indeed allow
every host with a name ending in advanta.com (such as
"host1.farm2.sales.internal.advanta.com") to send mail.

Most people don't need the ptr mechanism and it is expensive.

cheers,
alex
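
Added example, not part of the original post: a small Python check for the two issues discussed in this message, an IP literal used as the domain-spec of "mx:" (or "a:") and use of the ptr mechanism. The function names lint_spf and _is_ip are hypothetical, and the sample record is the one quoted above.

```python
import ipaddress

def _is_ip(text):
    """True if text parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lint_spf(record):
    """Return a list of (term, message) findings for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [(record, "not a v=spf1 record")]
    findings = []
    for term in terms[1:]:
        body = term.lstrip("+-~?")              # drop the qualifier, if any
        name, sep, arg = body.partition(":")    # split mechanism from domain-spec
        name = name.lower()
        if name in ("mx", "a") and sep:
            host = arg.split("/", 1)[0]         # ignore any CIDR length suffix
            if _is_ip(host):
                kind = "ip6" if ":" in host else "ip4"
                findings.append((term,
                    f"{name}: takes a domain-spec, not an address; "
                    f"use {kind}:{host}"))
        elif name == "ptr":
            findings.append((term,
                "ptr is only needed when every host under the domain "
                "may send mail, and it is expensive"))
    return findings

# Record quoted in the thread above.
ADVANTA = "v=spf1 mx ptr mx:12.40.127.100 mx:12.40.127.108 ~all"

if __name__ == "__main__":
    for term, message in lint_spf(ADVANTA):
        print(f"{term}: {message}")
```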

