spf-discuss

Authentication Record

2005-04-01 13:17:16
Leave SPF1 syntax as is.
One query to _AUTH.<domain> gets all the authentication information from a domain in summary form, including all methods the domain chooses to use, whatever they can squeeze into 450 bytes. Here is an example of the top authentication record for a large, complex domain (160 bytes total).

meth=SPF1+,DK2
ip=170(Kapi2RPMcR1CxEJdXOkLCFEC),4(MQDTO0fzuShRvL8q0m5sitIH3)
dk=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB

The methods used by this domain are SPF1 and DK2. The + after SPF1 means that it needs some additional records. These may be found at _SPF1.<domain>. The DK2 information is complete in this top record.

ip is a common keyword, known to all methods. It defines a set of "masks" that can be used for a quick REJECT at any forwarding machine. In this case we have 6 blocks of 170 IPs each and 5 blocks of 4 IPs each. The blocks of 170 could be as large as 256 without making the mask strings any longer, but this domain owner chose to exclude the last part of each block, probably to make the masks as tight as possible around the actual servers.

For most domains, these masks are sufficient to generate a PASS authentication result, but in this case, there are additional restrictions on machines within the mask blocks, maybe some gaps that the domain owner wishes to block. These additional restrictions are found by following a query chain starting with _SPF1.<domain>.

dk is a keyword known to the DK2 method. It defines a public key for the domain, in this case a 768-bit "DomainKey".

All encoded values are Base64, 6 bits per printed character. These values should never be edited directly. They are viewed and edited by various tools that each method provides.

-- Dave
************************************************************     *
* David MacQuigg, PhD      email:  dmquigg-spf at yahoo.com      *  *
* IC Design Engineer            phone:  USA 520-721-4583      *  *  *
* Analog Design Methodologies                                 *  *  *
*                                   9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.              Tucson, Arizona 85710        *
************************************************************ *
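
Added example, not part of the original post: a Python sketch that reads the example record above and applies the ip masks as the quick REJECT test. The post does not specify the bit layout of the mask strings; the packing used here is an assumption that happens to reproduce the stated 6 blocks of 170 and 5 blocks of 4, and all function names are hypothetical.

```python
import ipaddress
import re
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# The example record from the post; wrapped lines continue the previous keyword.
RECORD = """\
meth=SPF1+,DK2
ip=170(Kapi2RPMcR1CxEJdXOkLCFEC),4(MQDTO0fzuShRvL8q0m5sitIH3)
dk=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
"""

def parse_record(text):
    """Split the record into {keyword: value}, joining wrapped lines."""
    fields, key = {}, None
    for line in text.split():
        m = re.match(r"([a-z]+)=(.*)", line)
        if m:
            key, fields[m.group(1)] = m.group(1), m.group(2)
        elif key:
            fields[key] += line
    return fields

def methods(fields):
    """Method name -> True when a trailing '+' says more records are needed."""
    return {m.rstrip("+"): m.endswith("+") for m in fields["meth"].split(",")}

def ip_blocks(fields):
    """Decode ip= into (first, last) pairs. ASSUMPTION (inferred, not stated in
    the post): N(...) packs one prefix of 32 - bits_needed(N) bits per block,
    and each block covers the first N addresses after its prefix."""
    blocks = []
    for count, packed in re.findall(r"(\d+)\(([A-Za-z0-9+/]+)\)", fields["ip"]):
        count = int(count)
        host_bits = (count - 1).bit_length()
        plen = 32 - host_bits
        bits = "".join(format(B64.index(c), "06b") for c in packed)
        if count < 1 or plen < 1 or len(bits) % plen:
            raise ValueError("malformed ip mask")
        for i in range(0, len(bits), plen):
            base = int(bits[i:i + plen], 2) << host_bits
            blocks.append((ipaddress.IPv4Address(base),
                           ipaddress.IPv4Address(base + count - 1)))
    return blocks

def in_masks(ip, blocks):
    """False means the sender is outside every mask (the quick REJECT case)."""
    return any(first <= ipaddress.IPv4Address(ip) <= last for first, last in blocks)

BLOCKS = ip_blocks(parse_record(RECORD))
```

Under that assumed layout, the first /24 block decodes to 41.170.98.0 through 41.170.98.169, so an address at .170 or above in that block falls outside the mask.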

