spf-discuss

Re: [spf-discuss] Re: SPF problem with pobox.com that I don't understand

2005-12-28 02:01:32
Frank Ellermann wrote:
David Gravereaux wrote:


You'd think that Meng Wong's company could have gotten their
own implementation correct.


You're their customer, just tell them how to fix it - if you're
not sure we could work it out here, or better on the help list.

With Ralf's help, he got me seeing the problem clearly and where the bad
data was coming from.  It purely is a problem of DNS publishing solely
at pobox itself.  Over three weeks I've been complaining to pobox
customer support with little response on their part.  Lest this turns
into a rant, I'll stop now instead.

I had a similar problem last year with "my" (vanity domain) SPF
policy.  Somehow I "thought" that this is all easy, "of course"
policies include subdomains - at this time I hadn't read the
complete spec. with its "zone cut" concept, all I knew was that
include_subdomains=yes was an obsolete modifier.

I'm not sure I see how this relates.  The redirect modifier for
pobox.com (the domain) is `redirect=%{l1r+}._at_.%{o}._spf.%{d}` which
expands for me as `davygrvy_at_.pobox.com._spf.pobox.com`.  The TXT
query on that gives me `v=spf1 ?all`.  My per-user policy is set as
`v=spf1 include:freenode.net -all`.

`v=spf1 ?all` does not equal `v=spf1 include:freenode.net -all`

If I nose around a little and look at the per-user policy of the tech
support email `pobox._at_.pobox.com._spf.pobox.com` I get `v=spf1 -all`

They get a strict 'all' rule.  Lucky them.  So something in their DNS is
working right.

In reality nobody starting with the reference implementation
had implemented this "zone cut" idea.  Therefore I told my ISP
that their new SPF record is fine but doesn't protect my vanity
host, and they added a "v=spf1 redirect=claraanet.de" wildcard.

Some weeks later I found that my intuition wasn't too bad, there
was the "zone cut" concept in the spec. at this time, and Wayne
explained how it was supposed to work.  First time that I ever
tested the effect of `nslookup -q=ns`.

About nine months later the SPF Council gave up, and this "zone
cut" was removed from the spec.:  Apparently DNS theory and DNS
reality are too different for some practical purposes.  <shrug>

In other words, it's fairly easy to get SPF wrong.  Tell them
(pobox) where they find some nice SPF validators.  I doubt that
Meng is aware of this pobox issue, or still responsible for the
implementation of per-pobox-user sender policies.  It's broken
for almost a year wrt Wayne's drafts incl. the final SPF spec.

                              Bye, Frank
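
Added example, not part of the original message or of pobox's code: SPF macro expansion (RFC 4408, section 8.1) for the `s`, `l`, `o` and `d` macro letters, showing how the redirect template quoted in the message becomes the per-user DNS name whose TXT record is then evaluated. The function names are hypothetical, and the sender `pobox@pobox.com` is assumed from the support-address record name given in the message.

```python
import re

# %{letter digits r delimiters} or one of the literals %% %_ %-
_MACRO = re.compile(r"%\{([A-Za-z])(\d*)(r?)([-.+,/_=]*)\}|%([%_-])")
_LITERALS = {"%": "%", "_": " ", "-": "%20"}

# Redirect template as quoted in the message above.
POBOX_REDIRECT = "%{l1r+}._at_.%{o}._spf.%{d}"


def expand(spec, sender, domain):
    """Expand SPF macros in spec for a MAIL FROM sender and the current domain."""
    local, _, sender_domain = sender.rpartition("@")
    local = local or "postmaster"  # RFC 4408: empty local-part means postmaster
    values = {"s": f"{local}@{sender_domain}", "l": local,
              "o": sender_domain, "d": domain}

    def substitute(m):
        if m.group(5):
            return _LITERALS[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        if letter not in values:
            raise ValueError(f"macro letter {letter!r} not handled here")
        # Split on the listed delimiters (default "."), optionally reverse,
        # keep the right-hand N parts, and always re-join with dots.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]
        return ".".join(parts)

    return _MACRO.sub(substitute, spec)


def redirect_target(sender, domain="pobox.com"):
    """DNS name a receiver queries for the per-user policy."""
    return expand(POBOX_REDIRECT, sender, domain)


if __name__ == "__main__":
    # The second address is a constructed sample with a "+" tag.
    for addr in ("pobox@pobox.com", "someuser+list@pobox.com"):
        print(addr, "->", redirect_target(addr))
```

The TXT record published at the returned name, not the policy the user configured, is what receivers evaluate, so querying that name directly shows any mismatch.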
