spf-discuss

Re: [spf-discuss] Question on a unified policy record approach

2005-09-07 10:42:37
On Tue, Sep 06, 2005 at 06:03:40PM -0400, Stuart D. Gathman wrote:
> On Tue, 6 Sep 2005, paddy wrote:
>
> > > PTR (reverse DNS) should not be used for email authentication because
> > > it is not under the control of the domain owner.
> >
> > How is it any more or less under the control of the domain owner than
> > the A record ?
>
> Because I as a domain owner have ABSOLUTELY NO ACCESS to the PTR records
> for my IP addresses.  I am a domain owner, not an IP address owner.  I am
> completely at the mercy of the competence and attention (or lack
> thereof) of my ISP.  Broadband ISPs are a (rant deleted) monopoly in most
> areas, and so switching ISPs is not an option.  This is true even
> for "business" accounts.

Stuart,

apologies for taking so long to respond.  I realise I'm going over the
same ground with several correspondents in the same thread.  So, I'm
going to try to keep this brief, rather than go point by point. I am
happy to go back to any specific point, if you wish.

I sympathise.  Really I do. Even though I don't have the specific
problem you describe, I've had similar ones, and no doubt will again.  

The main reason I even started to discuss this was because
it was something that I had always imagined to be straightforward.

I make no magic claims for the healing properties of looking up the PTR.
It won't prevent forgery, stop spam, guarantee a return address, or save 
the world before teatime.  It may not even be terribly useful.

I certainly DON'T advocate rejecting mail on the basis of it.

It does seem to be implied in the context of "domain name ... corresponds
to the IP address".  To me, at least :)

I didn't invent it (at least I'm hoping I haven't ;)

It _is_ something that sendmail, and (no doubt at least some) other MTAs do.
Actually I'm sure I've had some good use from it, somewhere over the years.

All I'm saying is:

It's nice to set things up right if you can.

It's interesting to know what is possible, as a guide to what might be right.

Please understand that I'm emphatically _not_ advocating the use
of PTR lookups to reject mail, nor am I (AFAIK) talking about anything 
spf specific.

I was simply saying "I always thought it was done like ..." on a subject I
(clearly) haven't otherwise expended much thought on.

When it was suggested that there might be a really good reason why you
couldn't do that on a multi-homed host, my curiosity was aroused.
I'm still really interested to hear good technical reasons why it
shouldn't be set up the way I've always imagined.

The fact that there is breakage out there barely counts as information, 
but does answer a question that was being asked, which is why I posted
that link in the first place.

Sorry to cut so much, but hopefully we will escape from what I'm sure
must be some kind of confusion.

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall
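Added example (editor's, not part of Paddy's post or of sendmail): the "domain name corresponds to the IP address" check discussed above is forward-confirmed reverse DNS, and the script below shows it with constructed data so it runs offline. The two dictionaries are stand-ins for DNS: PTR_ZONE plays the in-addr.arpa tree, which is delegated to whoever holds the address block (Stuart's ISP), and A_ZONE plays the forward zones a domain owner edits. It also covers the multi-homed case Paddy asks about (several PTR names on one address, of which only one needs to confirm) and the two failure modes an MTA must tell apart: a PTR that does not resolve back, and no PTR at all. The `(may be forged)` wording is only loosely modelled on sendmail's Received-header marker; the function and data names are this example's own.

```python
"""Forward-confirmed reverse DNS (FCrDNS): does the PTR name for the
connecting IP have an A record that points back at that IP?

Added example with constructed data.  PTR_ZONE stands in for the
in-addr.arpa tree (controlled by the address-block holder, usually the
ISP); A_ZONE stands in for the forward zones the domain owner controls.
A real MTA queries DNS instead of these dictionaries.
"""
import ipaddress

# Constructed sample records, not real DNS data.
PTR_ZONE = {
    "192.0.2.10": ["mail.example.org."],                      # PTR and A agree
    "192.0.2.11": ["mx2.example.org.", "mail.example.org."],  # multi-homed: two PTR names
    "192.0.2.12": ["dhcp-12.isp.example.net."],               # ISP generic name, A differs
    "192.0.2.13": [],                                         # ISP published no PTR
}
A_ZONE = {
    "mail.example.org.": ["192.0.2.10"],
    "mx2.example.org.": ["192.0.2.11", "192.0.2.99"],
    "dhcp-12.isp.example.net.": ["203.0.113.5"],
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip, i.e. the record only the
    address-block holder can change."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr_lookup=PTR_ZONE.get, a_lookup=A_ZONE.get):
    """Return (status, confirmed_names).

    status is "pass" if at least one PTR name has an A record pointing back
    at ip (a multi-homed host only needs one of its names to confirm),
    "mismatch" if PTR names exist but none resolves back to ip, and "none"
    if the address has no PTR at all.  The lookups are injectable so the
    check runs offline here.
    """
    names = ptr_lookup(ip) or []
    if not names:
        return "none", []
    confirmed = [n for n in names if ip in (a_lookup(n) or [])]
    return ("pass" if confirmed else "mismatch"), confirmed


def received_annotation(ip: str) -> str:
    """Text an MTA might record for the connecting host in a Received:
    header.  Loosely modelled on sendmail's "(may be forged)" marker; the
    exact wording is this example's, not sendmail's.  Note that none of
    the three outcomes is by itself grounds for rejecting mail."""
    status, confirmed = fcrdns(ip)
    if status == "pass":
        return f"{confirmed[0]} [{ip}]"
    if status == "mismatch":
        return f"[{ip}] (may be forged)"
    return f"[{ip}] (no reverse DNS)"


if __name__ == "__main__":
    for ip in PTR_ZONE:
        print(ip, reverse_name(ip), fcrdns(ip), "->", received_annotation(ip))
```

The `reverse_name` output makes Stuart's point concrete: for `192.0.2.10` the record an MTA consults lives at `10.2.0.192.in-addr.arpa.`, a zone the owner of `example.org` has no delegation for, so a "mismatch" or "none" result says as much about the ISP's zone maintenance as about the sender.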

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/