Constantine A. Murenin wrote:
On 25/05/05, Bill Taroli <bill(_dot_)taroli(_at_)billsden(_dot_)org> wrote:
How about putting a TXT record into your various "example" zone files,
each specifying a SPF policy of "v=spf1 mx a:home.example.name ?all".
Once you're satisfied things are working well, "?all" might go to "~all"
or "-all"
[...] As of today, the page <URL:http://spf.pobox.com/mechanisms.html#a> reads:
"All the A records for /domain/ are tested. If the client IP is found
among them, this mechanism matches."
That's if you just use "a" on its own. If you qualify it with a name or
IP address, it only applies to that. Likewise, by using "mx" without
qualification, it means "any mx in this domain".
Is there a way to utilise the EHLO/HELO hostname, which is provided by
the MTA in the greetings part of smtp? I.e., I want to say that every
MTA that claims to have a hostname of format *.example.name, provided
that the domain resolves to the MTA's IP-address, is permitted to send
my mail. That is much more simple and straightforward, isn't it? :-)
And it does not reveal the structure of my network to strangers, does
it?
You'll have to explain a bit more about exposing the structure of your
network before it sinks in, I suspect. If I understand, I might not
suggest calling your home MTA "home". :-) Why not call it "honeypot"
instead? ;-)
The /format/ of the name isn't as important as the second part of your
statement, which is the point. If you set up your policy such that a
given host X matches your policy statement, then it will pass and signal
to the receiver that you authorize that sender to do so on behalf of the
domain in which the SPF policy appears.
If you know that the host(s) in question will all be MTAs (aka MX),
then just use "mx". But I don't know how that insulates you from sharing
the "structure" of your domain, since all I have to do to learn what
your MTAs' names are is "dig <domain> mx". *shrug* So maybe I'm missing
part of your point.... I'm slow sometimes. ;-)
Bill
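To make Bill's point about bare "a"/"mx" versus "a:host" concrete, here is a small evaluator for the record he proposed, added here and not part of the thread. The DNS table is constructed (not live lookups), and the evaluator only understands the "a", "mx" and "all" mechanisms with their qualifiers; real SPF has more mechanisms (ip4, include, redirect, etc.) and lookup limits.

```python
# Constructed DNS fixture for example.name (assumption, not real data).
DNS = {
    "example.name":      {"A": ["192.0.2.10"],     "MX": ["mail.example.name"]},
    "mail.example.name": {"A": ["192.0.2.20"]},
    "home.example.name": {"A": ["198.51.100.5"]},
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_records(name):
    return DNS.get(name, {}).get("A", [])


def mx_addresses(domain):
    # "mx" means: the A records of every MX host of the domain.
    return [ip for mx in DNS.get(domain, {}).get("MX", []) for ip in a_records(mx)]


def evaluate_spf(record, domain, client_ip):
    """Return the SPF result for client_ip claiming to send for domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                      # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain               # bare "a"/"mx" apply to the policy domain itself
        if mech.lower() == "all":
            matched = True
        elif mech.lower() == "a":
            matched = client_ip in a_records(target)
        elif mech.lower() == "mx":
            matched = client_ip in mx_addresses(target)
        else:
            return "permerror"               # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term present


if __name__ == "__main__":
    policy = "v=spf1 mx a:home.example.name ?all"
    for ip in ("192.0.2.20", "198.51.100.5", "192.0.2.10", "203.0.113.9"):
        print(ip, "->", evaluate_spf(policy, "example.name", ip))
```

Note that 192.0.2.10 (the A record of example.name itself) is only covered when the record says a bare "a"; with "a:home.example.name" it falls through to "?all".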