spf-discuss

Re: What to do about redirect= and NXDOMAIN?

2005-05-20 12:44:11
Wayne,

Although I don't know if this is stated explicitly anywhere in the SPF specification, I have always had a pretty simple view of redirect vs. include.

To me redirect is something one would publish to point to a non-host resource within a given domain's zone (e.g., _spf.example.tld in the example.tld domain is where you go to get SPF records covering example.tld). In other words, if you are asking about the SPF record for this zone, go here (here being _spf.example.tld). Redirect is convenient, in that it allows for a kind of shorthand for very long SPF TXT records, so as to avoid placing TXT records of large size for every zone file entry for a given domain, thereby minimizing the cluttering up of the DNS cache with duplicate data.

On the other hand, I view include as serving as an option to request inclusion of another domain's zone SPF record to determine final PASS state (e.g., example.tld messages also PASS for SPF when PASS for SPF from otherexample.tld is true - I think that this is also how one handles the case where a domain owner allows their messages to be sent via an upline ISP SMTP MTA publishing their own SPF records).

While the above is how we tend to implement here, I am fairly sure that the spec is a bit more flexible, in that the redirect could be pointed outside one's domain zone, however, I don't immediately see cases where that should be done.

Having both redirect and include is convenient, because one could envision publishing local SPF rules that might expand upon or even conflict with the rules on the include domain's SPF record. From a domain publisher's view, that allows for greater granularity on SPF down the road, because should a conflict exist between the domain's SPF record and the include domain's SPF record, the fallback position must always be to go with the original domain publisher's intent.

The other case I can think of is when a domain publisher has a local SMTP MTA they wish to authorize for their domain (their local SPF record covers this), and also uses their upline ISP's server as a "smarthost" or fail over server (their include covers this through their ISP's SPF record).

Am I wrong in my usage of redirect and include or my thoughts about same?

At 11:47 AM 5/20/2005, you wrote:
> In <200505201928(_dot_)41810(_dot_)bulk(_at_)mehnle(_dot_)net> Julian Mehnle <bulk(_at_)mehnle(_dot_)net> writes:
>
> > Wayne Schlitt wrote:
> .. snip ..
> However, to back up a second, Stuart just posted that he thinks that
> include and redirect are already defined to act the same.  I would like to
> confirm that you are saying that they don't.
>
> -wayne

Best,

Alan Maitland
WebMaster(_at_)Commerco(_dot_)Net
The Commerce Company - Making Commerce Simple(sm)
http://WWW.Commerco.Com/