spf-discuss

Re: MUST SPF checking be done during SMTP time?

2005-05-16 09:20:32
In <428891D2.8050008@ashtonwoodshomes.com> Terry Fielder
<terry@ashtonwoodshomes.com> writes:

> Only if the final MTA stays down for longer than the TTL.  Do you
> think that happens often?

Yes.

SPF TTL times:

aol.com:        300s (5 min)
hotmail.com:   3600s (1 hr)
pobox.com:     3600s (1 hr)
earthlink.net: 1800s (30 min)

> And I am a proponent of SPF only during SMTP time.

> But to keep the others (e.g. SA) happy, how about:
> When you evaluate SPF post SMTP, any DNS record you use to determine
> the sender's policy can only be used if its TTL means that the DNS
> lookup could have occurred before the timestamp the message was
> received by MTA.

The TTL of cached records counts down until they expire.  The only way
to learn what the TTL is on the records is to query the authoritative
name servers directly and then you can see if email could be within
that window.  This will generally require two uncachable DNS lookups.

Combined with the short TTLs that many people give for SPF records,
such a requirement really isn't much better than saying that SPF
checks MUST be done during SMTP time.  (And, of course, you have to
worry about *which* SMTP time.)

Oh, and don't forget about networks that are firewalled and *can't*
directly query the authoritative name servers.  This issue was big
enough that it convinced the DNS gurus that TXT records would have to
be acceptable.


I really think that the only practical way for senders to prevent a
changing policy from causing legitimate email to fail is to make sure
that there is a transitional period where both the old and new
policies are supported.  Similarly, receivers should do the SPF checks
just as soon as they can, and if they can't do it until the MUA, then
they better not put absolute trust in the results.


-wayne
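The TTL-window rule discussed in this message, worked through as an added example that is not code from the list thread: it reconstructs when a cached SPF record must have been fetched (authoritative TTL minus remaining TTL) and compares that with the message's receipt time. The domain TTLs are the ones quoted above; the function names and timestamps are assumptions.

```python
# Post-SMTP SPF evaluation under the "lookup could have occurred before
# receipt" rule.  All times are Unix seconds.

# TTLs quoted in the message (authoritative values, in seconds).
SPF_TTLS = {
    "aol.com": 300,
    "hotmail.com": 3600,
    "pobox.com": 3600,
    "earthlink.net": 1800,
}


def fetched_at(evaluated_at, authoritative_ttl, ttl_remaining):
    """When a caching resolver must have fetched a record whose TTL has
    counted down from authoritative_ttl to ttl_remaining."""
    if not 0 <= ttl_remaining <= authoritative_ttl:
        raise ValueError("remaining TTL must lie between 0 and the authoritative TTL")
    age = authoritative_ttl - ttl_remaining
    return evaluated_at - age


def record_usable(received_at, evaluated_at, authoritative_ttl, ttl_remaining):
    """True if the record used at evaluation time could already have been
    looked up when the MTA received the message.  A record obtained by
    querying the authoritative server directly (ttl_remaining ==
    authoritative_ttl) is only usable if evaluation is not later than
    receipt, i.e. effectively only at SMTP time."""
    return fetched_at(evaluated_at, authoritative_ttl, ttl_remaining) <= received_at


def domains_checkable_after(delay_seconds, ttls=SPF_TTLS):
    """Domains whose records could still satisfy the rule when evaluation
    lags receipt by delay_seconds, in the best case (record cached just
    before receipt and not yet expired).  That is possible only if the
    delay does not exceed the authoritative TTL."""
    return sorted(d for d, ttl in ttls.items() if delay_seconds <= ttl)


if __name__ == "__main__":
    received, evaluated = 1_116_200_000, 1_116_200_600   # constructed: 10 min lag
    print(record_usable(received, evaluated, 3600, 2400))  # cached 20 min ago
    print(record_usable(received, evaluated, 3600, 3600))  # fresh authoritative answer
    print(domains_checkable_after(600))
```

With a 10-minute lag the aol.com record (300 s TTL) can never satisfy the rule, which is the point made about short TTLs in the message.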