spf-discuss

Re: Why are so many DNS requests necessary at all?

2005-04-01 00:31:56
Chris Haynes wrote:

Hector Santos suggested:

This is a reasonable question, Rudy.

One can make the assertion that once an IP is validated by a domain (the first
time), it doesn't matter what other domain is used against the same IP.

For this assertion to be untrue, the client would have to have been
exploited (an open relay, for example).  But you will never be able to find this
out unless a statistics-based restriction is used (i.e., too many failures from
the same client).

In other words, once the IP is authorized by SPF, you have a reduced need
to perform an additional SPF lookup when the same client connects.  A time-based
cache expiration can be used to determine when a refresh check should be
done.

This might be translated to an SPF directive where the policy exposes a
refresh time. However, that would need to be secured with a server override
refresh time, because you don't want a client saying "This record is good for
X months!"

I like the refresh idea because I also think we need an SPF record expiration
concept to help Neutral/SoftFail people get off their butts to finish their
migration plans.



Sorry, Hector. Normally your posts burst into my mind with insight, but this
time it isn't working for me.

You seem to be suggesting that, once an IP has been approved as a sender by
domain A, you should then (for some limited period of time) also trust it for
any other domains (B, C etc) it claims to be sending for.

With no check done on the SPF records for B, C etc.?

You seem to suggest I could send a first outbound message from my MTA using the
valid domain 'badguy.com' (which has an SPF record giving a '+' result for my
sender), then send a series of messages claiming to be from bigbank.com,
bigisp.net etc. to the same recipient and I should be given an SPF '+' for
these messages.

Surely you do not mean that!

Chris Haynes
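The scenario Chris describes, modelled as an added example that is not part of the original thread or of any SPF implementation. It contrasts a receiver-side result cache keyed on the connecting IP alone (Hector's reading as Chris understood it) with one keyed on the (IP, domain) pair, and includes the "server override" cap on a sender-advertised refresh time. The SPF records, the advertised refresh values, the IP addresses and the lookup function are all constructed stand-ins; no DNS is queried and only plain IP matching is evaluated.

```python
"""Toy model of caching SPF results per connecting IP.

Added example, not from the spf-discuss thread. Everything below is
constructed: the SPF "records", the refresh hints and the addresses.
"""

# Constructed stand-in for DNS SPF records: domain -> set of authorised IPs.
# 'badguy.com' authorises 192.0.2.10; the other two domains do not.
SPF_RECORDS = {
    "badguy.com": {"192.0.2.10"},
    "bigbank.com": {"198.51.100.5"},
    "bigisp.net": {"203.0.113.77"},
}

# Constructed: a hypothetical per-domain refresh hint in seconds, standing in
# for the directive Hector proposed. Not a real SPF modifier.
ADVERTISED_REFRESH = {
    "badguy.com": 30 * 24 * 3600,   # the "good for X months" case
    "bigbank.com": 300,
}

SERVER_MAX_REFRESH = 3600  # receiver-side override cap (assumed value)


def spf_check(ip, domain):
    """Stub for a real SPF evaluation: exact IP match only, no include,
    redirect or mechanism handling. Returns '+' (pass) or '-' (fail)."""
    return "+" if ip in SPF_RECORDS.get(domain, set()) else "-"


def effective_ttl(domain):
    """The sender may advertise a refresh time, but the receiver caps it."""
    advertised = ADVERTISED_REFRESH.get(domain, SERVER_MAX_REFRESH)
    return min(advertised, SERVER_MAX_REFRESH)


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SpfCache:
    """Caches SPF results with a TTL. key_on_domain selects the cache key:
    False -> the connecting IP alone, True -> the (IP, domain) pair."""
    def __init__(self, key_on_domain, clock):
        self.key_on_domain = key_on_domain
        self.clock = clock
        self.cache = {}      # key -> (result, expiry time)
        self.lookups = 0     # number of real (uncached) checks performed

    def result(self, ip, domain):
        key = (ip, domain) if self.key_on_domain else ip
        hit = self.cache.get(key)
        if hit is not None and self.clock() < hit[1]:
            return hit[0]
        self.lookups += 1
        res = spf_check(ip, domain)
        self.cache[key] = (res, self.clock() + effective_ttl(domain))
        return res


def replay(key_on_domain):
    """One MTA at 192.0.2.10 sends for badguy.com first, then claims to be
    bigbank.com and bigisp.net. Returns the three results and lookup count."""
    cache = SpfCache(key_on_domain, FakeClock())
    ip = "192.0.2.10"
    results = [cache.result(ip, d)
               for d in ("badguy.com", "bigbank.com", "bigisp.net")]
    return results, cache.lookups


def replay_with_expiry():
    """Repeat connections from the same (IP, domain): the second is served
    from cache, the third, after the capped TTL lapses, triggers a refresh."""
    clock = FakeClock()
    cache = SpfCache(True, clock)
    cache.result("192.0.2.10", "badguy.com")
    cache.result("192.0.2.10", "badguy.com")   # cached
    clock.advance(SERVER_MAX_REFRESH + 1)      # 30 days advertised, 1 hour allowed
    cache.result("192.0.2.10", "badguy.com")   # refreshed
    return cache.lookups


if __name__ == "__main__":
    print("IP-only key:    ", replay(False))   # ['+', '+', '+'], 1 lookup
    print("(IP, domain) key:", replay(True))   # ['+', '-', '-'], 3 lookups
    print("lookups across expiry:", replay_with_expiry())
```

With the IP-only key the forged bigbank.com and bigisp.net messages inherit badguy.com's pass, which is exactly Chris's objection; keying on the pair preserves the DNS saving only for repeat connections from the same IP for the same domain, and the min() in effective_ttl is the server override Hector mentions.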



Ah, I think I see it now.  It's all to do with the timing.

Chris Haynes