Wayne Schlitt wrote:
> I have just released a newer version of the SPF Internet-Draft.

Attached are some more minor amendments to -01pre5. See the inline
comments.

Besides, I found two issues I could not directly turn into patches:
1) Section 2.4, "Checking Authorization":
| While invalid, malformed, or non-existent domains cause SPF checks to
| return "none" because no SPF record can be found, it has long been
| the policy of many MTAs to reject e-mail from such domains,
| especially in the MAIL FROM. In order to prevent the circumvention
| of SPF records, rejecting e-mail from invalid domains should be
| considered.
What SPF records could be circumvented by using invalid domains in any of
the identities? IMO that doesn't make sense. The only "exploit" I can
see in this is a way to avoid a "None" result due to the use of a
non-SPF-equipped domain, and instead get a "None" result due to the use of
an invalid (invalid or non-existent) domain. Big deal. (The entire issue
of how to handle SPF(non-existent-domain) is still not really resolved
anyway.)
2) Section 12.2, "The Received-SPF mail header":
| Per [RFC3864], the "Received-SPF:" header field is added to the IANA
| Permanent Message Header Field Registry. The following is the
| registration template:
|
| Header field name: Received-SPF
| Applicable protocol: mail
| Status: standard
| Author/Change controller: wayne(_at_)schlitt(_dot_)net
| Specification document(s): this Internet Draft
| (Note to RFC Editor: Replace this with RFC YYYY (RFC number of
| this spec))
| Related information: http://spf.mehnle.net/
I guess this registration template is still in its infant stages, right?
If not: what's the point of referring to http://spf.mehnle.net here?
draft-schlitt-spf-classic-01pre5+mehnle.xml.diff
Description: Text Data