spf-discuss

Scoping Syntax for spf1 records (was: For SPF council review: NOT RECOMMENDED)

2005-05-10 03:59:14

On Tue, 10 May 2005, Frank Ellermann wrote:

> Julian Mehnle wrote:
>
>> how is "op=2822from" any better than "addl-scopes=2822from"?
>> Or, how is "op=2822from.pra" any better than
>> "addl-scopes=2822from,pra"?  (Except for being slightly
>> shorter.)
>
> Shorter is one of the reasons.  Trying to summarize several
> hundreds if not more of articles here is a second reason.

Since there are people here who are interested in discussing scoping,
I'd like to propose the syntax for it, which I've worked out over the
last few months (it is going to be published as part of my future draft
but can be published as a separate document just for scoping).

The syntax (based on my equivalence ideas) is very short for just saying
the scope has the same info as the default v=spf1 mailfrom scope or that
it has no data, and allows for multiple scopes to be handled together
like Frank wants.
At the same time it allows for extended use to handle complex situations.

The ABNF is as follows:
----------------------------------------------------------------------
scope-modifier = "sc." scope-list "=" scope-info
scope-list = scope-name *("." scope-name)
scope-name = 1*(alphanum / "-" / "_")
scope-info = none-oper / scope-operator *("," scope-operator)
none-oper = "no"
scope-operator = equiv-operator / spf-lookup-oper / unknown-oper
unknown-oper = macro-string
equiv-operator = ema-oper / dom-oper / net-oper
ema-oper = "ema" [ "." scope-name ]
dom-oper = "dom" [ "." scope-name ] [ eq-domains-list ]
net-oper = "net" [ "." scope-name ] [ eq-domains-list ]
eq-domains-list = "(" domain / domains-list ")"
domains-list = *("," domain)
spf-lookup-oper = "spf(" vers-prefix ["," macro-string] ")"
vers-prefix = *(name / delimiter)
----------------------------------------------------------------------

Here are some simple format examples with "example" scoping identity:

sc.example=no  <==== This domain being queried is never used with example
                     identity (way of saying "-all" but just for that scope)

sc.example=ema <==== [EMA = Equivalent Mail Address]
                     This means that all source systems enforce rules
                     so that Example Identity address is always equivalent
                     to SMTP2821 MAIL FROM (default) identity

sc.example=dom <==== [DOM = Equivalent Domain]
                     This means that all source systems enforce rules
                     so that an Example Identity would have an address in
                     same domain as SMTP2821 MAIL FROM (default) identity

sc.example=net <==== [NET = Equivalent Network]
                     This means that Example Identity would have
                     sources in same networks as MAIL FROM identity
                     (this is basically what PRA presumes by default)

sc.example=spf('spf2.0/exa') <=== Do spf-style lookup using record in
                                  separate text or spf dns record which
                                  has a prefix of "spf2.0/exa"

Note: The prefix name is arbitrary and is not otherwise defined by
      spf official documentation. The data in prefix must be conforming
      to spf1 syntax and prefixes must not start with "v=spf" other than
      in the case of "v=spf1", to allow for future spf versions

Here is a much more complex syntax with two scopes (example1 & example2)
which reference the record for a third (submit) scope:

 example.com. IN SPF "v=spf1 ip4:192.168.0.0/24 -all sc.submit=net \
   sc.example1.example2=net.submit(,example.net),spf('spf2.0/pra',_spf)"

The above says that two scopes example1 & example2 have sources in the
same networks as sources of submit scope for example.com (this is because
you see "net(,example.net" so if it starts with "," it means the example.com
spf1 record defined networks are to be used, i.e. same as just "net") OR
submit scope for example.net domains OR that of special record defined in
spf record with version "spf2.0/pra" of _spf.example.com domain

For situations where you want multiple scopes to have one common part of
the same spf record but also have smaller unique parts, the proposed
syntax allows doing it with no extra lookups and without having to
duplicate the shared portion:

example.com. IN SPF "v=spf1
 sc.example1=spf('x-spf/shared'),spf('x-spf/example1')
 sc.example2=spf('x-spf/shared'),spf('x-spf/example2')"
example.com. IN SPF "x-spf/shared ip4:192.168.0.0/20 -all"
example.com. IN SPF "x-spf/example1 ip4:127.0.0.1 -all"
example.com. IN SPF "x-spf/example2 ip4:127.0.0.2 -all"

Please comment on if you think this is acceptable for scoping needs or
if it needs more work.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
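
Added example, not part of the original post and not the author's code: a small Python parser for the proposed "sc." modifier, run over the post's two-scope record. It assumes the quoted spf('...') form used in the post's examples (the ABNF shows no quotes), reads an empty domain-list entry as the queried domain, and uses the hypothetical label "mailfrom" for the default scope.

```python
import re

# Operator shapes follow the examples in the post. Assumption: the prefix in
# spf('...') is single-quoted, as in the examples (the ABNF shows no quotes).
EQUIV = re.compile(r"^(ema|dom|net)(?:\.([A-Za-z0-9_-]+))?(?:\((.*)\))?$")
LOOKUP = re.compile(r"^spf\('([^']*)'(?:,(.*))?\)$")
NAME = re.compile(r"^[A-Za-z0-9_-]+$")

def split_top_level(text):
    """Split scope-info on commas that are not inside parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
        if ch == "," and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    if depth != 0:
        raise ValueError("unbalanced parentheses in scope-info")
    parts.append(text[start:])
    return parts

def parse_operator(op, queried_domain):
    """Classify one scope-operator; anything unrecognised is kept as unknown."""
    if (m := LOOKUP.match(op)):
        return {"op": "spf", "prefix": m.group(1), "target": m.group(2)}
    if (m := EQUIV.match(op)):
        kind, ref_scope, doms = m.groups()
        if kind == "ema" and doms is not None:
            raise ValueError("ema takes no domain list")
        # An empty list entry (leading ",") stands for the queried domain.
        domains = [d or queried_domain for d in doms.split(",")] if doms is not None else [queried_domain]
        # "mailfrom" is a label chosen here for the default v=spf1 scope.
        return {"op": kind, "scope": ref_scope or "mailfrom", "domains": domains}
    return {"op": "unknown", "raw": op}

def parse_scopes(record, queried_domain):
    """Return {scope-name: [operators]}; "no" yields an empty list."""
    scopes = {}
    for term in record.split():
        if not term.startswith("sc.") or "=" not in term:
            continue
        names, info = term[3:].split("=", 1)
        if not all(NAME.match(n) for n in names.split(".")):
            raise ValueError(f"bad scope-list: {names!r}")
        ops = [] if info == "no" else [parse_operator(o, queried_domain) for o in split_top_level(info)]
        for name in names.split("."):
            scopes[name] = ops
    return scopes

# The two-scope record from the post, with the zone-file line continuation joined.
RECORD = ("v=spf1 ip4:192.168.0.0/24 -all sc.submit=net "
          "sc.example1.example2=net.submit(,example.net),spf('spf2.0/pra',_spf)")
```

Calling parse_scopes(RECORD, "example.com") gives example1 and example2 the same two operators: net over the submit scope of example.com and example.net, then the spf2.0/pra lookup at _spf.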