spf-discuss

Re: [spf-discuss] DomainDNS (DD) - new free DNS services that supports SPF

2005-09-01 09:16:16
Seth Goodman wrote:
From: David MacQuigg [mailto:dmquigg-spf(_at_)yahoo(_dot_)com]
Sent: Thursday, September 01, 2005 6:31 AM


One suggestion is that you support both TXT and SPF RR types right from the
start, even though not all SPF checkers and resolvers today know about the
SPF RR.  When both records are present, they MUST be the same, so I suggest
that your control panel enforces this.  While the SPF RR is relatively new,
it is planned to eventually replace the TXT record, but both will be around
for a long time.  Differences between the TXT and SPF RR's will cause
problems that are hard to diagnose, so publishing both and forcing them to
be the same would be doing your users a great service.  It is not hard, and
it would distinguish your implementation from many others that have not yet
taken this step.

The BIND patch to support Type99 is trivial.  See the archives:

http://www.gossamer-threads.com/lists/spf/discuss/21367?do=post_view_threaded#21367

Multiple people on this list have implemented this without problems. BTW, AFAIK, no commercial DNS provider offers this just yet and so it could be a point of competitive advantage.

Another common problem in DNS control panels is the lack of support for the
underscore character.  While this character is not permitted in a host name,
it _is_ definitely allowed in an A record.  It is useful in the SPF context
to define a record that will be included in numerous other records.  For
example, a user may own a dozen domains that all use the same outgoing
MTA's, and thus should have the same SPF record, or at least a common core
part of the record.  It makes administration much easier to create a common
record at a domain such as _spf.maindomain.com that can never be the name of
an actual host.  You use the include: mechanism to include the contents of
this record in each of the dozen separate domain SPF records.  You can then
change the SPF record in all twelve domains simultaneously by editing a
single record.  This is useful in cases where it is undesirable to CNAME the
domains together.

Yes. This is also necessary for DomainKeys Identified Mail (DKIM) being developed now. Since DKIM has a Sender Signing Policy (SSP) that includes an option for domains to say they never sign messages, having the '_' available would be immediately useful for that too. Also a potential competitive advantage since not all services support it just now.

One further piece of advice is to discourage the use of the ptr: mechanism.
It is expensive for your resolvers and slows down SPF record evaluation.
There are usually other ways to accomplish the same thing, though it is part
of the specification and must be supported.  For some cases, it really
simplifies the records and allows extra flexibility, and that is why it is
still there.  The typical user, however, should be discouraged from
publishing a record with a ptr: mechanism.

Please.

The signup form and the web interface are confusing.  See
domainsmadeeasy.com for an example of how to organize a DNS service.


Yes, they have done a good job.  Though I am a satisfied customer of theirs,
the SPF wizard and validator they provide could stand some improvement.
Fortunately, Scott Kitterman on this list has written an excellent
validator, which he actively maintains, so you may want to contact him for
permission to link to it or host your own copy.  Unlike some of the other
validators around, Scott actively solicited feedback from the very
knowledgeable and fastidious (to put it politely) members of this forum.
IMHO, this continues to make it higher quality than most others out there.
I would defer to others on the list for what they consider as the best SPF
wizard out there.

The validator is free software. Permission is not required for you to use it. There are links on the site to the source for what's needed. There are a few issues (minor) that I'm trying to sort out, so it may change, but when I fix stuff, I mention it here so just keep an eye on the list if you set up your own copy.

What I've got isn't particularly pretty, just functional. If you do make changes that make it better, I'd appreciate you sharing them.

http://www.kitterman.com/spf/validate.html

BTW, it supports Type99 (the SPF RR type).

Scott K
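
An added example, not part of the original message and not the code of any validator mentioned in it: a minimal control-panel lint applying the three recommendations in this thread (identical TXT and SPF RR content when both exist, underscore owner names such as `_spf`, and a warning on `ptr`). The zone data, domain names and finding labels are constructed for illustration.

```python
import re

# Owner-name label: letters, digits, hyphen, underscore (allows _spf.<domain>).
LABEL = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

def valid_owner_name(name):
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and all(LABEL.match(label) for label in labels)

def spf_policies(rdata_list):
    """SPF policies found in one RRset, whitespace-normalised and sorted."""
    policies = []
    for rdata in rdata_list:
        terms = rdata.split()
        if terms and terms[0].lower() == "v=spf1":
            policies.append(" ".join(terms))
    return sorted(policies)

def uses_ptr(policy):
    """True if any term is the ptr mechanism, with or without a qualifier."""
    mechs = (t.lstrip("+-~?").lower() for t in policy.split()[1:])
    return any(m == "ptr" or m.startswith("ptr:") for m in mechs)

def lint(name, txt_rdata, spf_rdata):
    """Findings for one owner name, given its TXT and SPF (type 99) rdata."""
    findings = []
    if not valid_owner_name(name):
        findings.append("invalid-name")
    txt, spf = spf_policies(txt_rdata), spf_policies(spf_rdata)
    if txt and spf and txt != spf:
        findings.append("txt-spf-mismatch")
    if any(uses_ptr(p) for p in txt + spf):
        findings.append("ptr-discouraged")
    return findings

# Constructed zone data: owner name -> (TXT rdata, SPF RR rdata).
ZONE = {
    "_spf.maindomain.example": (["v=spf1 ip4:192.0.2.0/24 -all"],
                                ["v=spf1  ip4:192.0.2.0/24 -all"]),
    "shop.example": (["v=spf1 include:_spf.maindomain.example -all"],
                     ["v=spf1 include:_spf.maindomain.example ~all"]),
    "legacy.example": (["site-verification=constructed", "v=spf1 ptr -all"], []),
}

if __name__ == "__main__":
    for owner, (txt, spf) in ZONE.items():
        print(owner, lint(owner, txt, spf) or "ok")
```

RFC 7208 later retired the SPF RR type in favour of TXT only, so on a current zone the TXT/SPF comparison matters only where a type 99 record is still published.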

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/