spf-discuss

RE: CNAME limit

2005-07-22 06:33:54
On Fri, 22 Jul 2005, Scott Kitterman wrote:

>> For MX and PTR, SPF looks at the first 10 only.  I maintain that
>> SPF should look at the first 10 in a CNAME chain also.  Whether the
>> result should be PermErr, or equivalent to NX_DOMAIN, is open to question.
>
> Actually, given the way the other mechanisms work, it should be NX_DOMAIN I
> think.  This is another one of those cases where mechanism evaluation is
> potentially silently incomplete.

I can go either way.  But the spec needs to address CNAME processing
limits to get consistent results.

Heh.  I just had this brain flash.  I can imagine a diagnostic
sender domain.  It can send some test emails to an SPF checking
recipient, and determine all kinds of things about the implementation.

For instance, it could have an exists:%{l}.example.com -all, and a mail from
cnameloop@example.com would result in a PermErr or Fail.  The trick
is to design the tests so that none of them ever actually pass
and annoy the recipient.  Actually, the diagnostic program could
make a direct SMTP connection, and abort the email if necessary.

-- 
              Stuart D. Gathman <stuart@bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
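The two points in the message above, capping CNAME chains at the same limit of 10 used for MX and PTR, and an exists:%{l}.example.com -all record whose lookup target is chosen by the sender's local part, can be shown together in a small evaluator. The code below is an added example written for this archive page; it is not Stuart's diagnostic program, nor any SPF library's code. It assumes a constructed in-memory zone instead of real DNS, expands only the %{l} macro, and leaves the over-limit outcome as a policy switch (PermErr or NX_DOMAIN-equivalent Fail), since the thread itself leaves that question open.

```python
from typing import Dict, Optional, Tuple

# Constructed toy zone for this example (not real DNS data): name -> (type, value).
ZONE: Dict[str, Tuple[str, str]] = {
    "present.example.com": ("A", "192.0.2.10"),
    "alias.example.com": ("CNAME", "present.example.com"),
    # a two-record CNAME loop: the "cnameloop" local part from the thread
    "cnameloop.example.com": ("CNAME", "cnameloop2.example.com"),
    "cnameloop2.example.com": ("CNAME", "cnameloop.example.com"),
}
# a 12-link CNAME chain that does eventually terminate in an A record
for i in range(12):
    ZONE[f"deep{i}.example.com"] = ("CNAME", f"deep{i + 1}.example.com")
ZONE["deep12.example.com"] = ("A", "192.0.2.20")

# Same limit the thread proposes for CNAME chains (10, as for MX and PTR).
CNAME_LIMIT = 10


def resolve_a(zone: Dict[str, Tuple[str, str]], name: str,
              cname_limit: int = CNAME_LIMIT) -> Tuple[str, Optional[object]]:
    """Follow CNAMEs to an A record, counting every hop against cname_limit.

    Returns ("found", ip), ("nxdomain", None) or ("limit", hops_taken).
    A loop is caught by the same counter as an over-long chain, so the
    resolver never spins and the caller gets one consistent signal.
    """
    hops = 0
    while True:
        rr = zone.get(name.lower())
        if rr is None:
            return ("nxdomain", None)
        rtype, value = rr
        if rtype == "A":
            return ("found", value)
        # rtype == "CNAME": count the hop before following it
        hops += 1
        if hops > cname_limit:
            return ("limit", hops)
        name = value


def expand_local_part(target_template: str, sender: str) -> str:
    """Expand only the %{l} (local-part) macro; other SPF macros are out of scope here."""
    local_part = sender.rsplit("@", 1)[0]
    return target_template.replace("%{l}", local_part)


def evaluate_exists(zone: Dict[str, Tuple[str, str]], mechanism: str, sender: str,
                    over_limit: str = "permerror") -> str:
    """Evaluate a record of the form 'exists:<target> -all' for one sender.

    over_limit selects what an exhausted CNAME budget means:
      "permerror" -> the check result is PermError
      "nxdomain"  -> treated like NXDOMAIN, so -all yields Fail
    """
    if not mechanism.startswith("exists:"):
        raise ValueError("only the exists: mechanism is modelled in this example")
    target = expand_local_part(mechanism[len("exists:"):], sender)
    status, _ = resolve_a(zone, target)
    if status == "found":
        return "pass"
    if status == "nxdomain":
        return "fail"          # no match, so the trailing -all applies
    # status == "limit": the thread leaves this open, so it is a policy knob
    return "permerror" if over_limit == "permerror" else "fail"


if __name__ == "__main__":
    for sender in ("present@example.com", "alias@example.com", "nobody@example.com",
                   "cnameloop@example.com", "deep0@example.com"):
        print(sender, evaluate_exists(ZONE, "exists:%{l}.example.com", sender))
```

Running the block prints one line per constructed sender: a direct A record and a single-hop alias pass, an absent name fails via -all, and both the loop and the 12-link chain hit the hop budget and come back as PermError (or Fail with over_limit="nxdomain"). Raising the limit in resolve_a lets the long chain resolve while the loop still stops, which is the practical value of counting hops rather than detecting loops alone.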

