spf-discuss

Re: How useful are per-user policies?

2005-05-03 23:39:55
"Radu Hociung" opined:

I have a bone to pick with the %{l} macro.

A domain that publishes such a macro allows, in one way or another, a
user of the domain to mess with the domain's reputation.

In the near future, if all goes well, reputation databases will be
possible using the information derived from SPF authorization.

So a simple include:%{l}.whatever means that the domain's reputation
will be affected by the actions of any single user. The case is the same
for a:%{i}.dyndns.mydomain.com (in the SPF policy of mydomain.com)

In my view, publishing %{l} is too high of a risk that the reputation of
the entire domain be tarnished by one single user, during a single
incident. Single-user domains don't have much to lose, as
domain_reputation==user_reputation. But those domains also don't have a
use for %{l} :)

So, how likely is any domain to want a %{l} in their policies after
they've considered all the implications?

If it is dangerous for the large domains, is it less dangerous for the
smaller domains? I think of dangerous in terms of "dangerous for the
domain's reputation".

I regard the pobox.com and listbox.com SPF records as poorly thought out
policies, and I do not believe that their use of %{l} can be defended
easily.



Maybe I'm still half asleep, but I don't understand your concern.

If a single user misbehaves in the sending of mail, that tarnishes the reputation of her entire domain, regardless of whether or not a person-specific policy is in use.

An individual cannot set the content of her own policy just because she has one allocated to her; all the policies are under the control of the DNS administrator for the domain as a whole. If a domain admin. publishes something like +all at the request of a user, it's the domain's fault for being stupid when bad things happen.

It would be possible for an individual in domain A to have a %{l} which includes or redirects to some other domain's SPF record, and for that other domain (perhaps later) to publish something stupid or dangerous but, again, whether off-domain references are permitted in the first place is under the control of the DNS admin. of domain A.

Chris Haynes
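The per-user delegation that Radu's quoted message objects to, worked through as an added example (not code from this thread): a toy SPF macro expander and evaluator over a constructed zone, showing that with include:%{l} the apex domain's verdict is decided by whichever per-user record the sender's local part selects. The zone names and records are constructed for illustration and the evaluator handles only ip4, include and all.

```python
import ipaddress
import re

# Constructed zone data for illustration only (not real records). The apex
# record delegates to a per-user record via include:%{l}.users.<domain>.
ZONE = {
    "mydomain.example": "v=spf1 include:%{l}.users.mydomain.example -all",
    "alice.users.mydomain.example": "v=spf1 ip4:192.0.2.10 -all",
    "bob.users.mydomain.example": "v=spf1 +all",  # one careless per-user record
}

MACRO = re.compile(r"%\{([sldoi])(\d*)(r?)\}")
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def expand(term, sender, ip, domain):
    """Expand the s, l, o, d and i macros with DIGIT and 'r' transformers (IPv4 only)."""
    local, _, sender_dom = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_dom, "d": domain, "i": ip}

    def sub(m):
        letter, digits, rev = m.groups()
        parts = values[letter].split(".")
        if rev:                      # 'r' reverses the dot-separated parts...
            parts.reverse()
        if digits:                   # ...then DIGIT keeps the rightmost N parts
            parts = parts[-int(digits):]
        return ".".join(parts)
    return MACRO.sub(sub, term)

def check(domain, sender, ip, depth=0):
    """Simplified evaluator: ip4, include and all, honouring qualifiers."""
    if depth > 10:
        return "permerror"           # include loop / too many lookups
    record = ZONE.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT[qual]
        if name == "ip4" and ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
            return RESULT[qual]
        # include matches only if the macro-expanded target itself evaluates to pass
        if name == "include" and check(expand(arg, sender, ip, domain), sender, ip, depth + 1) == "pass":
            return RESULT[qual]
    return "neutral"
```

Running check("mydomain.example", "bob@mydomain.example", ...) returns pass for any source IP, because bob's per-user record, not the apex record, decides the result for the whole domain.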