spf-discuss

Re: FUD on Forwarding Problems and DNS Abuse

2005-03-31 06:09:00
...... Original Message .......
On Thu, 31 Mar 2005 02:46:20 -0700 David MacQuigg <dmquigg-spf@yahoo.com> wrote:
At 05:36 AM 3/31/2005 +0200, Frank Ellerman wrote:
David MacQuigg wrote:


CSV does the authentication check in one query, using an SRV
record.

Up to six queries for John's pseudo-zone-cut (right to left but
excl. TLDs to protect the root servers).

Good point.  The SRV record is one query, but we certainly have to include 
all the queries necessary to "drill down" to where the SRV record is 
actually kept.  So if rr.com were to use CSV, they would need to set up 
subdomains with one or two servers each, and names like 
mail05.austin.rr.com, or maybe mail0537.rr.com.  This is where it might 
make sense to have a recursive slave server at rr.com with cached records 
from the entire domain.

Looks like the ability of SPF to list many IP blocks instead of just a few 
single IPs is a substantial advantage.

You have to remember which identity CSV is seeking to authenticate.  
HELO/EHLO should be resolvable to a single IP (which is why "v=spf1 a -all" 
is the usual SPF encountered in an SPF HELO/EHLO check).  For HELO/EHLO 
checks, a single IP address should be sufficient.

For mail-from the possibilities are much more complex, so the richer SPF 
syntax is needed.

The problem is what do you do with a HELO/EHLO pass (SPF or CSV)?  This is 
where reputation systems might come in, but they don't really exist yet.  
Now a fail would be useful since you could quit the SMTP session.

Scott Kitterman
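As an added illustration of the HELO/EHLO point above (example code, not from the list or from either the SPF or CSV specifications), here is a minimal SPF check over a constructed DNS table that handles only the `a`, `ip4` and `all` mechanisms; it also counts lookups so the cost of a "v=spf1 a -all" record can be set against the multi-query CSV walk discussed earlier. The host names and addresses are invented.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: these names
# and addresses are invented for the example, not real rr.com records).
FAKE_DNS = {
    ("mail05.austin.rr.com", "A"): ["203.0.113.5"],
    ("mail05.austin.rr.com", "TXT"): ["v=spf1 a -all"],
    ("mail.example.net", "A"): ["198.51.100.7"],
    ("mail.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

def lookup(name, rtype, counter):
    """Return records from the constructed table and count the query."""
    counter[0] += 1
    return FAKE_DNS.get((name, rtype), [])

def spf_helo_check(helo, client_ip):
    """Evaluate a HELO/EHLO name against a minimal SPF subset (a, ip4, all).

    Returns (result, dns_queries).  A 'pass' proves little on its own; a
    'fail' is actionable because the SMTP session can be refused early.
    """
    ip = ipaddress.ip_address(client_ip)
    queries = [0]
    txt = [t for t in lookup(helo, "TXT", queries) if t.startswith("v=spf1 ")]
    if not txt:
        return ("none", queries[0])
    for term in txt[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if term == "a":
            # 'a' with no argument refers to the HELO name itself.
            if client_ip in lookup(helo, "A", queries):
                return (result, queries[0])
        elif term.startswith("ip4:"):
            # CIDR blocks let one record cover many hosts, as noted above.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return (result, queries[0])
        elif term == "all":
            return (result, queries[0])
    return ("neutral", queries[0])
```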

