Hi all.
I'd like to suggest a new concept -- probably not for the SPFv1 specification, but for a future version of SPF.
Some discussion has arisen on the MARID mailing list[1] about how to allow
separate sets of domain names in separate identities that are being checked
against a common policy, as is the case with HELO and MAIL FROM for
SPFv1.
E.g., how can "mta.ex.com" be prevented from being used in the MAIL FROM
identity, and "ex.com" from being used in the HELO identity? With SPFv1,
this is not possible. Wayne suggested a work-around (slightly
transformed):
ex.com TXT "v=spf1 -exists:no-%{i}._spf.%{d} a -all"
no-postmaster._spf.ex.com A 127.0.0.1
mta.ex.com TXT "v=spf1 exists:%{i}._spf.%{d} -all"
postmaster._spf.mta.ex.com A 127.0.0.1
Unfortunately, this prevents mail from being sent with a sender address of
<postmaster@ex.com>.
I think it would be useful to have standardized codes for identity scopes
(such as "helo", "mfrom", etc.) plus a new macro, say %{x}, that expands
to the code of the identity that is currently being checked. SPF
libraries would of course have to get passed the code of the identity that
they are supposed to check.
That way, we could say:
ex.com TXT "v=spf1 -exists:no-%{x}._spf.%{d} a -all"
no-helo._spf.ex.com A 127.0.0.1
mta.ex.com TXT "v=spf1 -exists:no-%{x}._spf.%{d} a -all"
no-mfrom._spf.mta.ex.com A 127.0.0.1
Also, the macro would be nice for tracking or statistics purposes.
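As an added illustration (not part of the original post), here is a small Python simulation of both record sets against a constructed zone. It assumes the workaround's lookups use the sender local-part macro %{l}, since the helper names ("no-postmaster", "postmaster") line up with the local-part rather than with the client IP that %{i} expands to, and it follows the SPF convention that a HELO check is made with postmaster@<helo-domain> as the sender.

```python
import re
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed A records: helper names for both the workaround and the proposal.
ZONE = {
    "ex.com": "192.0.2.25", "mta.ex.com": "192.0.2.25",
    "no-postmaster._spf.ex.com": "127.0.0.1", "postmaster._spf.mta.ex.com": "127.0.0.1",
    "no-helo._spf.ex.com": "127.0.0.1", "no-mfrom._spf.mta.ex.com": "127.0.0.1",
}
# TXT policies from the post; the workaround is written here with %{l} (sender
# local-part), the macro the "postmaster" helper names correspond to (assumption).
WORKAROUND = {
    "ex.com": "v=spf1 -exists:no-%{l}._spf.%{d} a -all",
    "mta.ex.com": "v=spf1 exists:%{l}._spf.%{d} -all",
}
PROPOSED = {
    "ex.com": "v=spf1 -exists:no-%{x}._spf.%{d} a -all",
    "mta.ex.com": "v=spf1 -exists:no-%{x}._spf.%{d} a -all",
}

def expand(spec, ip, domain, sender, scope):
    """Expand the macros used here: %{i} client IP, %{d} domain, %{l} sender
    local-part, and the proposed %{x} identity-scope code ("helo"/"mfrom")."""
    values = {"i": ip, "d": domain, "l": sender.split("@", 1)[0], "x": scope}
    return re.sub(r"%\{([idlx])\}", lambda m: values[m.group(1)], spec)

def check(record, ip, domain, sender, scope):
    """Evaluate a record built from exists:, a and all; first matching term wins."""
    for term in record.split()[1:]:                      # skip "v=spf1"
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT[qual]
        if name == "exists" and expand(arg, ip, domain, sender, scope) in ZONE:
            return RESULT[qual]
        if name == "a" and ZONE.get(domain) == ip:    # domain's A record == client
            return RESULT[qual]
    return "neutral"

def outcomes(policies, ip="192.0.2.25"):
    """The identity checks the post discusses, all sent from mta.ex.com's address.
    A HELO check is made with postmaster@<helo-domain> as the sender."""
    cases = [("helo", "mta.ex.com", "postmaster@mta.ex.com"), ("helo", "ex.com", "postmaster@ex.com"),
             ("mfrom", "mta.ex.com", "user@mta.ex.com"), ("mfrom", "ex.com", "postmaster@ex.com"),
             ("mfrom", "ex.com", "user@ex.com")]
    return {f"{scope} {sender}": check(policies[dom], ip, dom, sender, scope)
            for scope, dom, sender in cases}
```

Calling outcomes(WORKAROUND) shows "mfrom postmaster@ex.com" failing, while outcomes(PROPOSED) passes it and still rejects HELO ex.com and MAIL FROM user@mta.ex.com.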
References:
1. http://www.ietf.org/html.charters/OLD/marid-charter.html