At 06:56 PM 5/21/2005 +0200, Julian Mehnle wrote:
> David MacQuigg wrote:
> > Stuart D. Gathman wrote:
> > > It has already been pointed out that SPF records could list additional
> > > identity checks supported as a modifier (useful if you always check
> > > SPF first).
> >
> > A sender not using SPF will not have any SPF record, even one telling us
> > what other identities to check.
> Senders do not "use" SPF, domain owners do.
My point is that even if a receiver always checks SPF first, it won't avoid
a DNS hunt. We can't assume that the owner/admin of a domain/subdomain in
the MAIL FROM identity has published an SPF record just to tell us which
other method he/she uses.
> What if the owner of the example.com domain actually used SPF, but the
> sender, who wants to abuse the example.com domain, says "ID none" (or
> doesn't say "ID" at all)? What's the receiver supposed to do then?
"ID none" should be an immediate reject. I wouldn't accept mail from any
sender that says - "I know you want my ID, but I'm not going to give it to
you." With no ID command, we're back to the current setup. You have to
search every possible ID, including subdomains, and every method-dependent
location, like _client._smtp.<ID>, and every possible record type, like
SRV, SPF, TXT, ... just to find out what, if any, authentication is offered.
The most costly hunts will be those that check every possibility and find
no authentication records at all. A spammer could even maximize the load
by making sure every identity had the maximum number of subdomain levels to
search.
--
Dave
David MacQuigg, PhD            email: david_macquigg at yahoo.com
IC Design Engineer             phone: USA 520-721-4583
Analog Design Methodologies
9320 East Mikelyn Lane
VRS Consulting, P.C.           Tucson, Arizona 85710
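The query explosion described above, as an added example that is not part of the thread: a Python model of the receiver-side "DNS hunt" over a constructed stub zone. The location `_client._smtp.<ID>` and the record types SRV, SPF and TXT are taken from the post; the parent-label walk, the idea that these make up the complete candidate set, the zone contents, the identity names and all function names are assumptions made for illustration, not any real protocol's lookup plan.

```python
"""Model of the receiver-side "DNS hunt" for sender-authentication records.

Added example, not code from the thread.  The zone, the prefix list and the
identity names are constructed for illustration; the exact query plan a
receiver would follow is an assumption.
"""
from itertools import product

# Constructed stub zone: qname -> {rrtype: value}.  The only record that
# exists is a TXT at the apex, as a domain owner publishing SPF would have.
STUB_ZONE = {
    "example.com": {"TXT": "v=spf1 mx -all"},
}

# Locations and record types a receiver with no ID hint would have to probe.
# "_client._smtp" and the types SRV/SPF/TXT are named in the post; that this
# is the complete candidate set is an assumption.
PREFIXES = ("", "_client._smtp")
RRTYPES = ("SRV", "SPF", "TXT")


def parent_walk(name):
    """Yield name and each parent, stopping before the TLD.

    'a.b.example.com' -> 'a.b.example.com', 'b.example.com', 'example.com'
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def lookup(zone, qname, rrtype):
    """One simulated DNS query: returns the record value or None."""
    return zone.get(qname, {}).get(rrtype)


def hunt(identity, zone=STUB_ZONE):
    """Blind search for one identity when the sender gave no ID.

    Returns (queries_issued, hit); hit is (qname, rrtype, value) or None.
    Stops at the first record found, so the worst case is a miss everywhere.
    """
    queries = 0
    for name in parent_walk(identity):
        for prefix, rrtype in product(PREFIXES, RRTYPES):
            qname = f"{prefix}.{name}" if prefix else name
            queries += 1
            value = lookup(zone, qname, rrtype)
            if value is not None:
                return queries, (qname, rrtype, value)
    return queries, None


def hunt_all(identities, zone=STUB_ZONE):
    """Total queries over every identity the receiver must consider
    (for instance the HELO name and the MAIL FROM domain)."""
    return sum(hunt(i, zone)[0] for i in identities)


def worst_case_queries(identity):
    """Queries issued for an identity with no records anywhere: the most
    expensive outcome, and one a spammer can force by choosing deep names."""
    depth = sum(1 for _ in parent_walk(identity))
    return depth * len(PREFIXES) * len(RRTYPES)


def direct_lookup(identity, prefix, rrtype, zone=STUB_ZONE):
    """What an explicit ID from the sender buys: one query at a known
    location instead of the whole walk."""
    qname = f"{prefix}.{identity}" if prefix else identity
    value = lookup(zone, qname, rrtype)
    return 1, (None if value is None else (qname, rrtype, value))


if __name__ == "__main__":
    for ident in ("mail.example.com", "a.b.c.d.spammer.example"):
        n, hit = hunt(ident)
        print(f"{ident}: {n} queries, hit={hit}")
    print("direct SPF lookup:", direct_lookup("example.com", "", "TXT"))
```

The cost is multiplicative: labels walked times candidate prefixes times record types, per identity. A legitimate domain with a record near the apex still costs several queries before the hit, and a name with no records at all costs the full product, which is the case the post singles out as the one a spammer can force.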