In <1153258155(_dot_)3892(_dot_)31(_dot_)camel(_at_)localhost> Andy Bakun <spf2(_at_)leave-it-to-grace(_dot_)com> writes:
----------
FROM MSN
You will want to add the relevant IP addresses, and you will want to
remove the PTR reference in your SPF. While this may change in the
future, Hotmail does not currently support PTR references in SPF
records, and so will be unable to process your SPF correctly.
While I know that ptr records are suggested against, [...]
[...] is the fact that hotmail effectively claims
non-compliant/partial SPF checking a known issue?
About a year ago, I had a chance to talk with Harry Katz at the Email
Authentication Summit in NYC. While he didn't get into details, my
understanding is that Hotmail creates a cache of SPF results based off
of the domain name and IP address. Hotmail simply has too much
traffic to easily do SPF checking in realtime, so they only cache a
finite number of the most common (domain,ip) pairs. Anything that
can't be cached, such as the use of the s, l, o, or h macro variable,
will cause your record to not be used by hotmail.
I know of nothing that would indicate that the *existence* of those
macro variables or the ptr: mechanism would cause the SPF record to be
incorrectly processed. That is, I don't think they are simply
ignoring mechanisms that they can't cache or anything.
The ptr: mechanism is discouraged because the reverse DNS tree is so
badly maintained and has a huge number of IP addresses that are commonly
used by spammers that have name servers that time out, are very slow
or return errors. The ptr: mechanism, like the mx: mechanism, also
requires a second level of lookup to make sure that forward and
reverse IP addresses match.
Now, what isn't obvious, or at least it wasn't obvious to me, is that
the ptr: mechanisms are very cacheable. The same (domain,ip) pair will
always return the same result with the ptr: mechanism. So,
"mx:foo.com" and "ptr:foo.com" are actually about as expensive (modulo
rDNS timeouts). What was even less obvious is that multiple ptr:
mechanisms and multiple uses of the %{p} macro variable in the
evaluation of an SPF record require *no* additional lookups. The
domain in the ptr: mechanism is used as a string literal for
comparing; it isn't looked up. So, "ptr:foo.com ptr:bar.org" is no
more expensive than just "ptr".
It is quite possible that the Hotmail folks overlooked this point and
simply decided that the ptr: mechanism is too expensive and not to
implement it.
-wayne
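The lookup-cost point made in the reply above, as an added example that is not part of this thread or of any SPF implementation: a small Python evaluator for the ptr mechanism (RFC 4408 section 5.5) run against a constructed in-memory resolver that counts DNS queries. The host names, addresses and records are made up, and only ptr terms and "all" are evaluated.

```python
# Added example (not from the original message): evaluates the SPF "ptr" /
# "ptr:<domain>" mechanism against a resolver that counts DNS queries.

# Constructed DNS data using documentation addresses, not real hosts.
PTR_DATA = {"192.0.2.10": ["mail.foo.com", "smtp.bar.org", "fake.example"]}
A_DATA = {"mail.foo.com": ["192.0.2.10"], "smtp.bar.org": ["192.0.2.10"],
          "fake.example": ["203.0.113.5"]}   # forward check fails: discarded

class CountingResolver:
    """Fake resolver that records how many queries an evaluation issued."""
    def __init__(self, ptr, a):
        self.ptr, self.a, self.queries = ptr, a, 0
    def reverse(self, ip):                 # PTR lookup of the client IP
        self.queries += 1
        return list(self.ptr.get(ip, []))
    def forward(self, name):               # A lookup of a candidate name
        self.queries += 1
        return list(self.a.get(name, []))

def validated_names(resolver, ip, cache):
    """Reverse-look up ip, keep names whose forward lookup confirms ip (at
    most 10 names per RFC 4408).  Memoised per ip: done once per record."""
    if ip not in cache:
        cache[ip] = [n.lower() for n in resolver.reverse(ip)[:10]
                     if ip in resolver.forward(n)]
    return cache[ip]

def ptr_matches(resolver, ip, target, cache):
    """The ptr: target is a suffix string to compare against, never a name
    to look up."""
    target = target.lower()
    return any(n == target or n.endswith("." + target)
               for n in validated_names(resolver, ip, cache))

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_ptr_terms(record, ip, sender_domain):
    """Evaluate the ptr terms and 'all' of an SPF record (other mechanisms
    are skipped).  Returns (result, number of DNS queries issued)."""
    resolver, cache = CountingResolver(PTR_DATA, A_DATA), {}
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if term == "all":
            return QUALIFIERS[qual], resolver.queries
        if term == "ptr" or term.startswith("ptr:"):
            target = term[4:] if term.startswith("ptr:") else sender_domain
            if ptr_matches(resolver, ip, target, cache):
                return QUALIFIERS[qual], resolver.queries
    return "neutral", resolver.queries
```

Running "v=spf1 ptr -all" and "v=spf1 ptr:foo.net ptr:bar.org -all" for the same client IP both issue four queries (one PTR plus three forward confirmations); the second ptr: term is answered from the memoised name list.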
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/