On Wednesday 21 June 2006 20:28, Alex van den Bogaerdt wrote:
> On Wed, Jun 21, 2006 at 11:52:31PM +0200, Alex van den Bogaerdt wrote:
> > All right, I have a hard time thinking of any useful examples.
>
> OK, what about this one:
>
> Small provider "example" has one host, "example.com". This host
> sends mail for domain "example.com".
>
> They worry about possible cross-user forgery and follow Scott's
> advice (I think it is primarily Scott?), publishing:
>
>     "v=spf1 ?example.com -all"
>
> Sure, I agree it will be a minority but it may not be as far-fetched
> as you think.
Although I may harp on the issue a lot, it's not just me, it's RFC 4408:
http://new.openspf.org/svn/project/specs/rfc4408.html#cross-user-forgery
In the case of a single user domain like you are discussing, I don't think
cross-user forgery is an issue.
Although there are domains that use the same HELO argument for all their
servers (hotmail.com comes to mind, IIRC), I don't think that design is
consistent with the RFCs. From RFC 2821, para 3.6:
    - The domain name given in the EHLO command MUST BE either a primary
      host name (a domain name that resolves to an A RR) or, if the host
      has no name, an address literal as described in section 4.1.1.1.
For purists, RFC 821 is similar. From Para 4.1.1:
    HELLO (HELO)

        This command is used to identify the sender-SMTP to the
        receiver-SMTP. The argument field contains the host name of
        the sender-SMTP.
So, if a sender is using the same domain name instead of the individual
hostname to HELO/EHLO for multiple servers, then I believe that they are
engaging in non-standard behavior. While as a practical matter a receiver
may choose to ignore this behavior, I don't think anyone should feel
obligated to change their practices to support it.
For HELO/EHLO, I think rejecting anything that is not PASS or NONE is an
entirely reasonable receiver policy from a standards perspective. I can't
think of a reasonable scenario where a single standards compliant host should
not be able to positively identify themselves with a PASS if the sender
chooses to publish an SPF record for that hostname.
Scott K
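The two rules discussed above, the RFC 2821 requirement that a HELO argument be a name with an A record or an address literal, and the proposed receiver policy of accepting only PASS or NONE on the HELO identity, as an added worked example. This is not code from the list, the openspf project or any SPF library: it evaluates a subset of RFC 4408 (ip4, ip6, a, mx, include, all with the +/-/~/? qualifiers) against a constructed, in-memory zone so it runs offline, and every host name and address in it is hypothetical. The "shared.example.org" entry models the case Scott describes, one HELO name used by several servers, where only one of them is listed in the record.

```python
"""Toy SPF HELO-identity check (added example, not from the thread or any SPF library).

Evaluates a subset of RFC 4408 against a constructed zone so it runs offline.
All names and addresses below are hypothetical.
"""
import ipaddress
import re

# Constructed zone data (hypothetical): name -> {rrtype: [rdata, ...]}
DNS = {
    # a single host that sends for one domain and publishes a record for its own name
    "mail.example.com": {"A": ["192.0.2.25"], "TXT": ["v=spf1 a -all"]},
    "example.com": {"A": ["192.0.2.1"], "MX": ["mail.example.com"],
                    "TXT": ["v=spf1 mx -all"]},
    # a host with no SPF record at all
    "no-spf.example.net": {"A": ["198.51.100.7"]},
    # one HELO name shared by two servers, but the record only lists one of them
    "shared.example.org": {"A": ["203.0.113.5", "203.0.113.6"],
                           "TXT": ["v=spf1 ip4:203.0.113.5 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)(all|ip4|ip6|a|mx|include)(?::([^/]+))?(?:/(\d+))?", re.I)
ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]$")


def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def check_host(ip, domain, depth=0):
    """Return an RFC 4408 result string for <ip> sending as <domain>."""
    if depth > 10:
        return "permerror"  # include loop / too many lookups
    records = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            return "permerror"  # unknown mechanism or bad syntax
        qual = QUALIFIERS[m.group(1) or "+"]
        mech, arg, cidr = m.group(2).lower(), m.group(3), m.group(4)
        suffix = "/" + cidr if cidr else ""
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            if arg is None:
                return "permerror"
            matched = addr in ipaddress.ip_network(arg + suffix, strict=False)
        elif mech == "a":
            matched = any(addr in ipaddress.ip_network(a + suffix, strict=False)
                          for a in lookup(target, "A"))
        elif mech == "mx":
            matched = any(addr in ipaddress.ip_network(a + suffix, strict=False)
                          for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        else:  # include: only a pass of the included record counts as a match
            if arg is None:
                return "permerror"
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        if matched:
            return qual
    return "neutral"  # no mechanism matched and no explicit "all"


def helo_is_standard(helo):
    """RFC 2821 3.6: the EHLO/HELO argument must be a name with an A RR or an address literal."""
    m = ADDRESS_LITERAL.match(helo)
    if m:
        try:
            ipaddress.ip_address(m.group(1))
            return True
        except ValueError:
            return False
    return bool(lookup(helo, "A"))


def helo_decision(client_ip, helo):
    """Receiver policy proposed in the message: on the HELO identity accept only
    pass or none; reject everything else. An address literal carries no domain,
    so no SPF check is made for it and the result is treated as none."""
    if ADDRESS_LITERAL.match(helo):
        return "accept", "none"
    result = check_host(client_ip, helo)
    return ("accept" if result in ("pass", "none") else "reject"), result


if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.example.com"), ("192.0.2.25", "example.com"),
                     ("198.51.100.7", "no-spf.example.net"), ("203.0.113.5", "shared.example.org"),
                     ("203.0.113.6", "shared.example.org"), ("203.0.113.6", "mail.example.com"),
                     ("203.0.113.5", "[203.0.113.5]")]:
        print(f"{ip:14} HELO {helo:20} standard={helo_is_standard(helo)!s:5} -> {helo_decision(ip, helo)}")
```

The single-host case from the quoted message comes out as PASS (mail.example.com lists its own A record), the host with no record comes out as NONE and is still accepted, and the second server behind the shared HELO name gets FAIL and is rejected, which is exactly the situation the policy is meant to surface: a host that HELOs with a name whose record does not cover it.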
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/