spf-discuss

Re: Draft IETF appeal

2005-08-23 18:31:39
On Wed, 24 Aug 2005, Julian Mehnle wrote:

> > Meng, and others, have widely recommended using a default SPF record of
> > "v=spf1 a/24 mx/24 ptr ?all".  I haven't heard too many objections to
> > it.

> Perhaps that's because it isn't actually widely used.  In particular, it
> generates "Pass" results which cannot (and should not) be trusted.

I use it, and no, the "Pass" result is not trusted.  It is flagged
in the Received-SPF header as a "guessed" result.  It does not count
for many purposes that require a real SPF record.  However, it is
used for whitelisting of senders.

> The whole idea of applying a default SPF record to policy-less domains
> runs contrary to the concept of domain owners explicitly granting
> "Pass"es for machines that they want to be trusted.  Perhaps "v=spf1
> ?a/24 ?mx/24 ?ptr ~all", but then that isn't of much use anymore.

The default SPF record is not the sender policy at this point, it is 
the *receiver* policy.  You see, when a domain has no SPF record,
I (my program anyway) still have to decide what to do with the message.
The SPF language is a very flexible way to make such decisions.  In
fact, I go beyond the generic default SPF record, and have a DNS
zone dedicated to substitute "SPF" records.  These are domain specific
defaults that are used for senders with no SPF record where the
generic default does not work well.

> If a domain has no policy, then there's no point in pretending there was
> one.  Policy information by definition cannot be extrapolated.

We aren't pretending there is one.  We are simply reusing the SPF
machinery to implement a *receiver* policy for such domains.

Another reuse of SPF that will blow your mind is for whitelisting
non-SRS forwarders.  Given a message with SPF FAIL, you try pretending (for
evaluation purposes only) that it really had your trusted forwarder's
domain (as if the forwarder had used SRS), and re-evaluate.  If it passes, it
was sent via that forwarder.  The technique works even when the forwarder
has a lot of outgoing IPs.  If they don't publish an SPF record, you
can provide a substitute as above.  Don't have a cow - it is *receiver*
policy.  We are just reusing the SPF machinery.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
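The two receiver-side reuses of SPF described in the message above (a "guessed" default or substitute record for policy-less domains, and re-evaluating a FAIL against a trusted forwarder's domain), as an added example that is not code from the post or from any SPF implementation. It assumes a constructed in-memory DNS table and domain names so it runs offline; the evaluator covers only a/cidr, mx/cidr, ip4 and all, and treats ptr as a non-match.

```python
import ipaddress

# Constructed stand-in for DNS lookups so the example runs offline (A, MX, TXT only).
DNS = {
    "example.org": {"A": ["192.0.2.10"], "TXT": "v=spf1 ip4:192.0.2.0/28 -all"},
    "nospf.example.com": {"A": ["203.0.113.25"], "MX": ["mx.nospf.example.com"]},
    "mx.nospf.example.com": {"A": ["203.0.113.30"]},
    "forwarder.example.net": {"A": ["198.51.100.5"]},   # publishes no SPF record
}
# Receiver-side defaults: the generic "guessed" record from the post, plus a
# substitute record for a policy-less forwarder where the generic default fits badly.
DEFAULT_SPF = "v=spf1 a/24 mx/24 ptr ?all"
SUBSTITUTE_SPF = {"forwarder.example.net": "v=spf1 ip4:198.51.100.0/24 -all"}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return (record, origin); origin says whether a Pass can be trusted."""
    if "TXT" in DNS.get(domain, {}):
        return DNS[domain]["TXT"], "published"
    if domain in SUBSTITUTE_SPF:
        return SUBSTITUTE_SPF[domain], "substitute"
    return DEFAULT_SPF, "guessed"

def evaluate(ip, domain):
    """Minimal SPF evaluator: a/cidr, mx/cidr, ip4, all; ptr is treated as no match."""
    record, origin = spf_record(domain)
    ip = ipaddress.ip_address(ip)
    hosts = {"a": DNS.get(domain, {}).get("A", []),
             "mx": [a for mx in DNS.get(domain, {}).get("MX", [])
                    for a in DNS.get(mx, {}).get("A", [])]}
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUAL else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")   # ip4:net
        name, _, cidr = name.partition("/")                  # a/24, mx/24
        if name == "all": matched = True
        elif name == "ip4": matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in hosts:
            matched = any(ip in ipaddress.ip_network(f"{h}/{cidr or 32}", strict=False)
                          for h in hosts[name])
        else: matched = False   # ptr and unknown mechanisms are not modelled here
        if matched: return QUAL[qual], origin
    return "neutral", origin

def receiver_check(ip, sender_domain, trusted_forwarders):
    """On FAIL, re-evaluate as if a trusted forwarder had rewritten the sender (SRS)."""
    result, origin = evaluate(ip, sender_domain)
    if result == "fail":
        for fwd in trusted_forwarders:
            if evaluate(ip, fwd)[0] == "pass":
                return "pass", "forwarder:" + fwd
    return result, origin
```

The origin tag ("published", "substitute", "guessed", "forwarder:...") is what a Received-SPF header would need to carry so that a guessed Pass is only used for whitelisting, never for anything that requires a real SPF record.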