You are assuming that one is validating the IP that the connecting MTA
(sender) is connecting to your (receiver) mail server with. You are
not. Or you are not JUST doing that.
What you are actually validating is that the domain name in the
MAIL-FROM is allowing its emails to originate from the IP that the MTA
(sender) is connecting to your (receiver) mail server with.
(You may also/instead be validating the mail server's HELO/EHLO name, but
that is a trivial distinction in this context; it's still a foreign
domain name being validated against the foreign IP.)
rg(_at_)mdpd(_dot_)com wrote:
I hope I'm not speaking out-of-turn and I do realize that a lot of
effort has been expended on this project thus far...
But, since I am not so familiar with this problem and I believe I may
be able to provide a fresh perspective... Here is my question on the
DNS topic:
Why are so many DNS requests necessary at all?
Because many IPs could be originating email that is allowed to say it
is from a specific domain.
It seems to me that any system that needs IP verification via DNS
should do so for only the one IP that it needs to verify. Simplified:
reverse the verification role and have the DNS (server) zone verify
the requested IP and then reply with a pass or fail type token (or it
can return the IP itself or no IP if that IP fails.)
That is a good idea. But it does not fit within DNS confines, because
there is not a 1-1 mapping of domain names to IPs. And because you
cannot currently (to my knowledge) ask a DNS server the type of question
I think you are proposing.
This approach seems more efficient and certainly more secure (since no
information more than that which is already known is revealed.)
It is more efficient if such a server system exists. I don't think it
does. Certainly not DNS; you ask for a resolution of a DNS name and a
record type and get a response. A given IP, however, could be authorized
to send email for MANY domains. By your method you need to ask the DNS
server "is this domain authorized for this IP?". But all you can ask is
"here is a domain, give me a record of type X". The result is usually
an IP (traditional type of DNS); it can be a boolean response (usually
faked in the form of a non-routable IP) or some text string (TXT is what
SPF uses), etc.
But make no mistake the question "is this domain authorized for this
IP?" cannot be stated in the format "here is a domain, give me a record
of type X". Hence your question cannot be answered by a DNS query (or
at least not 1 DNS query).
If I am not seeing the big picture, someone please direct me to that
picture (or link.) Again, I am not well versed on this problem, I hope
that has been made clear, but I do wish to help it along (if at all
possible.)
I hope this clears it up for you.
Terry
Thanks,
-Rudy Gomez
-JUST SAY NO TO SPAM!
------------------------------------------------------------------------
Sender Policy Framework: http://spf.pobox.com/ Archives at
http://archives.listbox.com/spf-discuss/current/ Read the whitepaper!
http://spf.pobox.com/whitepaper.pdf To unsubscribe, change your
address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
--
Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085
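To make Terry's point concrete, here is an added example (not code from the thread or from the SPF project) of the only question DNS lets a receiver ask, "here is a name, give me records of type X", driven by a toy check_host() that walks an SPF record the way a receiver does. The zone data is constructed and none of the names are real; the evaluator is deliberately reduced (no macros, ptr, exists, redirect, or CIDR suffixes on a/mx) and it enforces the limit of 10 DNS-querying mechanisms per check that RFC 4408 and RFC 7208 later codified. Counting the queries shows why one connecting IP can cost several lookups, and why no single query can answer "is this IP allowed for this domain?".

```python
"""Toy SPF check_host() over a constructed in-memory zone (not real DNS)."""
import ipaddress

# Constructed records for illustration only; none of these names are real.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 a mx include:_spf.mailhost.example -all"],
        "A": ["192.0.2.10"],
        "MX": ["mail1.example.com", "mail2.example.com"],
    },
    "mail1.example.com": {"A": ["192.0.2.25"]},
    "mail2.example.com": {"A": ["192.0.2.26"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

# RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check.
MAX_DNS_MECHANISMS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Resolver:
    """Answers only 'name + record type -> records', exactly like DNS does."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = []        # every (name, type) asked, so we can count
        self.dns_mechanisms = 0  # a/mx/include terms seen so far this check

    def lookup(self, name, rrtype):
        self.queries.append((name.lower(), rrtype))
        return list(self.zone.get(name.lower(), {}).get(rrtype, []))


def spf_record(resolver, domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in resolver.lookup(domain, "TXT"):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def check_host(resolver, ip, domain):
    """Evaluate <domain>'s SPF policy for sender <ip>; returns an SPF result."""
    ip = ipaddress.ip_address(ip)
    record = spf_record(resolver, domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("a", "mx", "include"):
            # Each of these costs DNS queries; too many is a permanent error.
            resolver.dns_mechanisms += 1
            if resolver.dns_mechanisms > MAX_DNS_MECHANISMS:
                return "permerror"
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in resolver.lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in resolver.lookup(mx, "A")
                          for mx in resolver.lookup(arg or domain, "MX"))
        elif mech == "include":
            inner = check_host(resolver, str(ip), arg)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # ptr/exists/macros are not handled in this toy
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # ran off the end of the record without a match


def evaluate(ip, domain, zone=ZONE):
    """Run check_host and return (result, list of DNS queries it issued)."""
    resolver = Resolver(zone)
    result = check_host(resolver, ip, domain)
    return result, resolver.queries


if __name__ == "__main__":
    for sender in ("198.51.100.7", "192.0.2.26", "203.0.113.5"):
        result, queries = evaluate(sender, "example.com")
        print(f"{sender}: {result} after {len(queries)} DNS queries")
        for name, rrtype in queries:
            print(f"    asked {rrtype} {name}")
```

Run stand-alone, the script shows that clearing 198.51.100.7 for example.com takes six queries (TXT, A and MX for the domain, A for each MX host, then TXT for the included domain) because every mechanism is answered with "give me type X for this name" and the receiver must keep asking until something matches or the record ends; the reverse question Rudy proposed never appears, since the resolver has no way to pose it.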