On Wed, Mar 16, 2005 at 03:54:57PM -0500, Todd Herr wrote:
> "v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 \
> ip4:24.28.204.0/24 ip4:24.30.218.0/24 \
> ip4:24.93.47.0/24 ip4:24.25.9.0/24 \
> ip4:65.24.5.0/24 ip4:24.94.166.0/24 \
> ip4:24.29.109.0/24 ip4:66.75.162.0/24 \
> ip4:24.24.2.0/24 ip4:65.32.5.0/24 +mx ~all"
> Acceptable, that is, from the standpoint of fewer than 10 methods
> and guarding against the forged @rr.com sender that Radu spoke of
> upthread?
People, maybe I've missed something as I did not read the
entire thread. Is there any reason not to use the "exists"
mechanism here?
Todd,
Basically the other side would tell you what IP address is
trying to send mail; you look this up in a database. There's
no need to have a large record and cross customer spoofing
could be made impossible as well (this is optional).
The record could be as simple as:
"v=spf1 exists:%{i}._spf.rr.com ~all"
The DNS server for _spf.rr.com would be a front end for some
database server mapping ip addresses into booleans. Return
the IP address when it is allowed to send mail, return fail
when not. More complex setups are possible; see the proposed
RFC.
regards,
Alex
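As an added illustration of the two approaches discussed above (this is not code from the thread or from rr.com), the following Python evaluator expands the %{i} macro the way RFC 4408 describes and checks a record built from ip4:, exists: and all mechanisms against a constructed stand-in for the _spf.rr.com zone. The stub DNS data, the sample client addresses, and the abbreviated ip4-only version of Todd's record are assumptions made for the example; the mx mechanism is deliberately not implemented because it would need real DNS.

```python
import ipaddress

# Constructed stand-in for the _spf.rr.com zone Alex describes: the name for an
# allowed sending IP has an A record, the name for any other IP does not.
# For exists: only the presence of an A record matters, not its value
# (RFC 4408 section 5.7), so a fixed loopback-range address is used here.
STUB_DNS_A = {
    "24.30.203.17._spf.rr.com": ["127.0.0.2"],
    "65.32.5.200._spf.rr.com": ["127.0.0.2"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Alex's proposed record, verbatim from the message above.
EXISTS_RECORD = "v=spf1 exists:%{i}._spf.rr.com ~all"

# Todd's record with the +mx term dropped (assumption: mx is out of scope here).
IP4_RECORD = (
    "v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 ip4:24.28.204.0/24 "
    "ip4:24.30.218.0/24 ip4:24.93.47.0/24 ip4:24.25.9.0/24 ip4:65.24.5.0/24 "
    "ip4:24.94.166.0/24 ip4:24.29.109.0/24 ip4:66.75.162.0/24 "
    "ip4:24.24.2.0/24 ip4:65.32.5.0/24 ~all"
)


def expand_ip_macro(ip: str) -> str:
    """Expand %{i} (RFC 4408 section 8): IPv4 as a dotted quad, IPv6 as
    dot-separated nibbles, so the result is usable as DNS labels."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macros(spec: str, client_ip: str) -> str:
    # Only %{i} is handled; the other SPF macros are not needed for this record.
    return spec.replace("%{i}", expand_ip_macro(client_ip))


def check_spf(record: str, client_ip: str, dns_a=STUB_DNS_A) -> str:
    """Evaluate a record made of ip4:, exists: and all terms left to right and
    return the SPF result string for the first matching mechanism."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    client = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)
            if client.version == 4 and client in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        if term.startswith("exists:"):
            # One DNS lookup per connection, driven by the sender's IP, which is
            # what keeps the published record to a single mechanism.
            name = expand_macros(term[len("exists:"):], client_ip)
            if dns_a.get(name):
                return QUALIFIER_RESULT[qualifier]
            continue
        raise ValueError(f"mechanism not supported in this example: {term}")
    return "neutral"  # no mechanism matched and no all term present


if __name__ == "__main__":
    for ip in ("24.30.203.17", "24.30.203.18", "203.0.113.9"):
        print(ip, "exists:", check_spf(EXISTS_RECORD, ip),
              "ip4:", check_spf(IP4_RECORD, ip))
```

With the stub data, 24.30.203.17 passes under both records, while 24.30.203.18 passes the ip4 record (it lies inside 24.30.203.0/24) but softfails the exists record because no A record was published for it; that per-address granularity is the "cross customer spoofing" control Alex mentions, and it costs one DNS query per connection rather than a long published record.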