spf-discuss

Re: [spf-discuss] Empty MX name

2006-01-03 01:57:28
Stuart D. Gathman wrote:
mail.globalinkllc.com has no SPF record.  However, their weird MX could
happen to a domain that does.

Currently, pyspf gets temperror for an MX mechanism and an MX record
with an empty name like the above.

What should the correct result be?  Should the mechanism simply fail
to match?  Or permerror?

--Julian Mehnle <julian(_at_)mehnle(_dot_)net> wrote:
I think it should yield a PermError.

Legalistic reason: "MX 0 ." is illegal because "." is not a valid FQDN, at
least not for what is generally considered an FQDN by the SPF
specification.

Practical reason: There is obviously a DNS configuration error that will
not go away on its own (TempError), so the domain owner should be notified
ASAP (PermError), similar to a syntax error in the domain's SPF record.


FYI, I have seen "name MX 0 ." used before, as a signal that the domain name accepts no mail (even if it has an A record). The "smart" thing would probably be to treat it as "-all" if it's the primary domain being queried, but there are other ways that SPF could be "made smarter" that we haven't done in the past, because simple is usually better than smarter. (An example might be name MX 0 localhost; localhost A 127.0.0.1). For that matter, if we make SPF do something "smart" in this case, we then have to decide what happens in the case of +mx:my.isp.com if that becomes a not-for-email domain. I would probably suggest to not mention this special case in the spec and treat it like any MX record that points to a domain with no A records.

I believe "." is a perfectly valid domain name - it is the name of the root. (Try "dig . ns"). I also believe most resolver libraries will recognize "." as a valid domain that has no A records. But if a resolver mistakenly gives a DNS error instead, that would probably be OK too, for SPF's purposes.

If any SPF implementation scans MX records and removes the trailing "." from them, manually, before doing the A lookup, that's probably an error. MX records should come with "." at the end and that should be preserved. The dot at the end of a domain name is often dropped and usually optional, except for the root domain ".". But resolvers know this and they should all do the right thing when "." appears at the end, so shaving it off is an unnecessary step that leads to problems in this one case.



--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
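
An added example, not part of the original message and not pyspf's code: a minimal model of the trailing-dot point above, comparing an MX check that strips the dot before the A lookup with one that preserves it. The zone data, the stub resolver and all function names are constructed for illustration.

```python
class TempError(Exception):
    """Stands in for a DNS lookup error surfaced as an SPF TempError."""

# Constructed zone data; names are stored fully qualified, with the trailing dot.
A_RECORDS = {"mx1.example.org.": ["192.0.2.10"]}
MX_RECORDS = {
    "example.org.": [(10, "mx1.example.org.")],
    "nomail.example.": [(0, ".")],  # the "MX 0 ." case from the thread
}

def lookup_a(name):
    """Stub resolver (assumption): an empty query name is an error,
    while "." is the root, a valid name that simply has no A records."""
    if name == "":
        raise TempError("empty query name")
    if not name.endswith("."):
        name += "."  # treat a relative name as fully qualified
    return A_RECORDS.get(name, [])

def mx_matches_stripping(domain, ip):
    """Shaves the trailing dot first, so the target "." becomes ""."""
    for _pref, target in sorted(MX_RECORDS.get(domain, [])):
        if ip in lookup_a(target.rstrip(".")):
            return True
    return False

def mx_matches_preserving(domain, ip):
    """Passes the MX target to the resolver unchanged; "." is looked up
    like any other target with no A records, so the mechanism does not match."""
    for _pref, target in sorted(MX_RECORDS.get(domain, [])):
        if ip in lookup_a(target):
            return True
    return False

if __name__ == "__main__":
    ip = "192.0.2.10"
    print("normal MX, preserving:", mx_matches_preserving("example.org.", ip))
    print("MX 0 ., preserving:  ", mx_matches_preserving("nomail.example.", ip))
    try:
        mx_matches_stripping("nomail.example.", ip)
    except TempError as exc:
        print("MX 0 ., stripping:    TempError:", exc)
```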
