spf-discuss

Re: Identity codes, plus a new %{x} macro

2005-05-26 19:00:56

Scope macro has been proposed before, way before - check spf-discuss and
MARID archives discussions on the topic of scoping going back to July and
earlier. The macro is not a bad idea, but it requires a separate dns lookup
and record, and if we could get the scoping syntax such that part of the
record applies to scopes a,b and part to a and part to b, that would be
better (can be done with positional modifier scoping).

In the scoping syntax I proposed, this is all basically replaced with a
scope-specific include, i.e. sc.helo=spf("spf2.0/helo"), which would cause
it to read the spf record that starts with "spf2.0/helo" but within the
same dns, so it would not have required a separate lookup, only caching of
the original dns lookup and keeping the text records (even if they did not
start with "v=spf1") available for possible additional spf processing.

On Thu, 26 May 2005, Julian Mehnle wrote:


Hi all.

I'd like to suggest a new concept -- probably not for the SPFv1
specification, but for a future version of SPF.

Some discussion has arisen on the MARID mailing list[1] about how to allow
separate sets of domain names in separate identities that are being checked
against a common policy, like it is the case with HELO and MAIL FROM for
SPFv1.

E.g., how can "mta.ex.com" be prevented from being used in the MAIL FROM
identity, and "ex.com" from being used in the HELO identity?  With SPFv1,
this is not possible.  Wayne suggested a work-around (slightly
transformed):

 ex.com                     TXT "v=spf1 -exists:no-%{i}._spf.%{d} a -all"
 no-postmaster._spf.ex.com  A   127.0.0.1

 mta.ex.com                 TXT "v=spf1 exists:%{i}._spf.%{d} -all"
 postmaster._spf.mta.ex.com A   127.0.0.1

Unfortunately, this prevents mail from being sent with a sender address of
<postmaster@ex.com>.

I think it would be useful to have standardized codes for identity scopes
(such as "helo", "mfrom", etc.) plus a new macro, say %{x}, that expands
to the code of the identity that is currently being checked.  SPF
libraries would of course have to get passed the code of the identity that
they are supposed to check.

That way, we could say:

 ex.com                     TXT "v=spf1 -exists:no-%{x}._spf.%{d} a -all"
 no-helo._spf.ex.com        A   127.0.0.1

 mta.ex.com                 TXT "v=spf1 -exists:no-%{x}._spf.%{d} a -all"
 no-mfrom._spf.mta.ex.com   A   127.0.0.1

Also, the macro would be nice for tracking or statistics purposes.

References:
1. http://www.ietf.org/html.charters/OLD/marid-charter.html
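The two record sets quoted above, as an added example that is not part of the original thread or of any SPF implementation: a small Python SPF evaluator (only the exists:, a and all mechanisms, no macro transformers or reverse lookups) run against a constructed DNS table, first with the SPFv1 work-around and then with the proposed %{x} identity-code macro. The HELO identity is checked as postmaster@<helo-domain>, which is what the no-postmaster lookups rely on; the evaluator writes the sender local-part macro as %{l}, and the scope codes "helo" and "mfrom", the client address 192.0.2.10 and the A records for ex.com and mta.ex.com are all assumptions made for the demonstration.

```python
# Added example (not from the spf-discuss post): a minimal SPF macro expander
# and record evaluator, run against a constructed DNS table, to show how the
# per-identity "exists:" trick behaves with and without the proposed %{x}.
import re

MACRO_RE = re.compile(r"%\{([a-z])\}")


def expand(text, ctx):
    """Expand the macros present in ctx (%{d}, %{l}, %{i}, %{x}); no transformers."""
    def sub(m):
        letter = m.group(1)
        if letter not in ctx:
            raise ValueError("unsupported macro %%{%s}" % letter)
        return ctx[letter]
    return MACRO_RE.sub(sub, text)


RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(dns, ip, domain, sender, scope):
    """Evaluate <domain>'s v=spf1 record for client <ip> and <sender>.

    scope is the assumed identity code ("helo" or "mfrom") that the proposed
    %{x} macro expands to.  Only exists:, a and all are implemented.
    """
    records = [t for t in dns.get((domain, "TXT"), []) if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    local = sender.partition("@")[0]
    ctx = {"d": domain, "l": local, "i": ip, "x": scope}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "exists":
            # exists: matches when the expanded name has any A record
            matched = bool(dns.get((expand(arg, ctx), "A")))
        elif name == "a":
            target = expand(arg, ctx) if arg else domain
            matched = ip in dns.get((target, "A"), [])
        else:
            raise ValueError("unsupported mechanism " + name)
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched


def check_helo(dns, ip, helo):
    # The HELO identity is checked as postmaster@<helo>, so the local part is fixed.
    return check_host(dns, ip, helo, "postmaster@" + helo, "helo")


def check_mfrom(dns, ip, sender):
    return check_host(dns, ip, sender.rpartition("@")[2], sender, "mfrom")


IP = "192.0.2.10"  # constructed client address (TEST-NET-1)

# Wayne's work-around as quoted in the post, with %{l} for the sender local part.
DNS_V1 = {
    ("ex.com", "TXT"): ["v=spf1 -exists:no-%{l}._spf.%{d} a -all"],
    ("ex.com", "A"): [IP],
    ("no-postmaster._spf.ex.com", "A"): ["127.0.0.1"],
    ("mta.ex.com", "TXT"): ["v=spf1 exists:%{l}._spf.%{d} -all"],
    ("postmaster._spf.mta.ex.com", "A"): ["127.0.0.1"],
}

# The same policy written with the proposed %{x} identity-code macro.
DNS_X = {
    ("ex.com", "TXT"): ["v=spf1 -exists:no-%{x}._spf.%{d} a -all"],
    ("ex.com", "A"): [IP],
    ("no-helo._spf.ex.com", "A"): ["127.0.0.1"],
    ("mta.ex.com", "TXT"): ["v=spf1 -exists:no-%{x}._spf.%{d} a -all"],
    ("mta.ex.com", "A"): [IP],
    ("no-mfrom._spf.mta.ex.com", "A"): ["127.0.0.1"],
}


def run_demo(dns):
    """Check both identities for both names; postmaster@ex.com is the interesting case."""
    return {
        "helo ex.com": check_helo(dns, IP, "ex.com"),
        "helo mta.ex.com": check_helo(dns, IP, "mta.ex.com"),
        "mfrom alice@ex.com": check_mfrom(dns, IP, "alice@ex.com"),
        "mfrom postmaster@ex.com": check_mfrom(dns, IP, "postmaster@ex.com"),
        "mfrom alice@mta.ex.com": check_mfrom(dns, IP, "alice@mta.ex.com"),
    }


if __name__ == "__main__":
    for label, table in (("SPFv1 work-around", DNS_V1), ("with %{x}", DNS_X)):
        print(label)
        for identity, result in run_demo(table).items():
            print("  %-26s %s" % (identity, result))
```

Running it shows the difference the post describes: under the work-around both "helo ex.com" and "mfrom postmaster@ex.com" come out fail, because the record cannot tell a HELO of ex.com apart from a MAIL FROM whose local part happens to be postmaster; with %{x} the HELO of ex.com still fails, MAIL FROM of mta.ex.com still fails, and postmaster@ex.com passes.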