spf-discuss

Re: Broken SPF Records Update

2005-08-02 14:09:27
On Tue, 2 Aug 2005, Craig Whitmore wrote:

eloan.com: 
Craig: just for the record, it is a mistake to believe that including a
domain that doesn't have an SPF record means that your SPF record is broken.
It just ain't true. We don't have any New Zealand customers, so I'm not
concerned anyway, but by over-interpreting standards, you're 
actually hurting the internet, not helping it. IMHO. :-)

Just for the record, Craig is wrong.

The oldest spec I have (Oct 2004) says this:
      included    include
      query       mechanism      SPF
      result      result         processing
      -------- -- -------------- -------------------------------------
      pass     => match,         return the prefix value for "include"
      fail     => no match,      continue processing
      softfail => no match,      continue processing
      neutral  => no match,      continue processing
      error    => throw error,   abort processing, return error
      unknown  => throw unknown, abort processing, return unknown
      none     => throw unknown, abort processing, return unknown

This plainly says that when the included domain returns none, the
result is unknown (now permerror).

pacific.net:
I see we are in good company there on your list. Seems that a common problem
is that not all IPs are delegated in DNS to those who use the IPs or have
control over the DNS. We have users who dial o1.com dialup lines, and get
.o1.com IP addresses. We have no control over o1.com's DNS. How should we
handle this in our SPF record? We have many users who send email from
user(_at_)pacific(_dot_)net originating from o1.com IPs.

Best solution: have your o1.com users use SMTP AUTH

2nd best: if (and only if) o1.com publishes a working SPF record, use that:

  pacific.net   SPF "v=spf1 mx ... ?include:o1.com -all"

  Note that the result should be neutral because presumably lots of people use
  o1.com, not just pacific.net users.

3rd best: use PTR:

  pacific.net   SPF "v=spf1 mx ... ?ptr:o1.com -all"

name.com:
I don't quite see how this is a bug. How does one define a mutual trust
between two hosts if this is not allowed? Domainsite.com and name.com both
trust each other to send mail from each others network. If SPF does not allow
this, then SPF is useless for what we need to do.

SPF does allow it.  If domainsite.com doesn't provide an SPF record,
then write one for them and put it under one of your own subdomains:

domainsite.com._spf.name.com    SPF "v=spf1 mx:domainsite.com ... -all"
name.com        SPF "v=spf1 mx ... include:domainsite.com._spf.name.com -all"

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
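As an added example (not part of Stuart's message or of any real SPF implementation), here is a minimal SPF evaluator in Python that turns the include-result table quoted above into code and reproduces the three situations in the thread: the "?include:o1.com" record giving neutral, the name.com record including a self-hosted subdomain record, and the mistake of including a domain that publishes no record. DNS is replaced by an in-memory dict of constructed records; the domains eloan.example and nospf.example and all IP addresses are placeholders, not values from the page. Only ip4, include and all are implemented, since mx and ptr need real DNS.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> published SPF TXT record.
# A domain absent from this dict publishes no SPF record at all.
RECORDS = {
    "o1.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "domainsite.com._spf.name.com": "v=spf1 ip4:198.51.100.10 -all",
    "name.com": "v=spf1 ip4:203.0.113.5 include:domainsite.com._spf.name.com -all",
    "pacific.net": "v=spf1 ip4:203.0.113.9 ?include:o1.com -all",
    # Placeholder domain that makes the mistake discussed in the thread:
    # it includes nospf.example, which publishes nothing.
    "eloan.example": "v=spf1 ip4:203.0.113.77 include:nospf.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def lookup_spf(domain):
    """Return the SPF record for domain, or None if none is published."""
    return RECORDS.get(domain)


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the sending address `ip`.

    Supports ip4, include and all with all four qualifiers. Anything else
    (mx, ptr, modifiers such as redirect=) is reported as permerror because
    this toy has no real DNS behind it.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # The include-result table from the message, expressed as code.
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False
            elif sub == "temperror":
                return "temperror"
            else:
                # "none" and "permerror" from the included domain abort the
                # whole evaluation: including a record-less domain is an error.
                return "permerror"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    # No mechanism matched and no "all" terminated the record.
    return "neutral"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "pacific.net"),
                       ("198.51.100.10", "name.com"),
                       ("10.0.0.1", "eloan.example")]:
        print(f"{ip} sending as {domain}: {check_host(ip, domain)}")
```

Running it shows the three outcomes discussed: a mail from an o1.com address sent as pacific.net is neutral (the include matched, but the "?" prefix is returned), a mail from the domainsite.com address sent as name.com passes via the subdomain record name.com controls itself, and a non-matching mail sent as eloan.example comes back permerror rather than fail, because the included domain returned none.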

