...... Original Message .......
On Thu, 31 Mar 2005 02:46:20 -0700 David MacQuigg <dmquigg-spf(_at_)yahoo(_dot_)com> wrote:

At 05:36 AM 3/31/2005 +0200, Frank Ellerman wrote:

David MacQuigg wrote:

CSV does the authentication check in one query, using an SRV
record.

Up to six queries for John's pseudo-zone-cut (right to left but
excl. TLDs to protect the root servers).

Good point. The SRV record is one query, but we certainly have to include
all the queries necessary to "drill down" to where the SRV record is
actually kept. So if rr.com were to use CSV, they would need to set up
subdomains with one or two servers each, and names like
mail05.austin.rr.com, or maybe mail0537.rr.com. This is where it might
make sense to have a recursive slave server at rr.com with cached records
from the entire domain.

Looks like the ability of SPF to list many IP blocks instead of just a few
single IPs is a substantial advantage.

You have to remember which identity CSV is seeking to authenticate.
HELO/EHLO should be resolvable to a single IP (which is why "v=spf1 a -all"
is the usual SPF encountered in an SPF HELO/EHLO check). For HELO/EHLO
checks, a single IP address should be sufficient.

For mail-from the possibilities are much more complex, so the richer SPF
syntax is needed.

The problem is what do you do with a HELO/EHLO pass (SPF or CSV)? This is
where reputation systems might come in, but they don't really exist yet.
Now a fail would be useful since you could quit the SMTP session.
Scott Kitterman
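
The HELO/EHLO check discussed in this thread, as an added example that is not part of the original messages: a small evaluator for a HELO name's SPF record (only the `a`, `ip4` and `all` mechanisms) and the receiver decision that follows from the result. The host names, addresses, DNS tables and SMTP response strings are constructed for illustration.

```python
import ipaddress

# Constructed DNS data (not real zones): TXT and A records keyed by name.
TXT = {
    "mail05.austin.example.net": "v=spf1 a -all",
    "relay.example.org": "v=spf1 ip4:192.0.2.0/28 -all",
}
A = {"mail05.austin.example.net": ["198.51.100.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_helo(helo_name, client_ip):
    """Evaluate a HELO name's SPF record; supports only a, ip4 and all."""
    host = helo_name.lower().rstrip(".")
    record = TXT.get(host)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            # "a" matches when the client IP is one of the name's A records.
            matched = any(ip == ipaddress.ip_address(a)
                          for a in A.get(arg or host, []))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def smtp_action(result):
    """Receiver policy as described in the thread: only a fail ends the session."""
    if result == "fail":
        return "550 reject at HELO"
    if result == "pass":
        return "continue; HELO name is a verified key for a reputation lookup"
    return "continue; HELO unverified"
```

A pass only establishes that the name is genuine; whether to accept mail from that name is left to whatever reputation data the receiver has.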