spf-discuss

[spf-discuss] Re: a suggestion for super-wildcards

2006-07-27 02:11:01
Doug Barton wrote:
> Hallam-Baker, Phillip wrote:
> > So the problem with policy is how to declare an email signing policy
> > for **.example.com that takes effect if there is no more specific
> > policy. The objective being to specify policies such as:
> >
> > example.com     DKIM  "ALL mail is signed"
> > **.example.com  DKIM  "No mail is originated"
>
> Ok, your problem statement makes total sense to me, but I think you're
> missing a third option. I'm assuming that the DKIM protocol has a way to
> handle total absence of a policy for a domain. So, what if you added a
> heuristic to the DKIM protocol that says, "If I do not find a policy at
> this node, I will go down the tree until I either find a policy, or hit
> the TLD."
>
> In regards to your problem of spammers that try sending mail from
> 1.2.3.4..99.spammer-domain.tld, if the spammers have control over that
> domain and can add a node at that point, it will eat up resources to
> walk that tree, no doubt.

We (the SPF folks) once debated doing such an upwards domain walk for SPF,
but decided against it for exactly the reason you mention above.  It was
simply deemed too costly.  Finding an applicable policy for a sub-domain
is still an unsolved problem, though.

> OTOH, if they are playing silly buggers with a domain they don't have
> control over, I assume DKIM is smart enough to say that if there are NO
> records at all for a node, that it isn't legitimate?

Yeah, mail with a non-existent domain as the sender (envelope sender,
From/Sender headers, whatever) should be rejected anyway.  The problem
remains for sub-domains that actually exist.

  • [spf-discuss] Re: a suggestion for super-wildcards, Julian Mehnle <=
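
The cost argument in the message above, as an added example that is not part of the original post and not SPF or DKIM code: a policy lookup that walks from the queried name toward the TLD and counts one lookup per node, with an optional budget. The `POLICIES` dictionary (standing in for DNS), the function names, and the `max_lookups` cap are all assumptions made for illustration.

```python
# Added example: bounded upward policy walk (hypothetical names throughout).

# Constructed policy store standing in for DNS; keys are lowercase domain names.
POLICIES = {
    "example.com": "ALL mail is signed",
    "nomail.example.com": "No mail is originated",
}


def candidates(domain):
    """Yield the domain and each parent, stopping before the bare TLD."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def find_policy(domain, policies=POLICIES, max_lookups=None):
    """Return (policy, matched_name, lookups).

    policy is None when the walk reaches the TLD or exhausts max_lookups.
    """
    lookups = 0
    for name in candidates(domain):
        if max_lookups is not None and lookups >= max_lookups:
            return None, None, lookups      # budget spent: treat as "no policy"
        lookups += 1                        # one DNS query per node in a real resolver
        if name in policies:
            return policies[name], name, lookups
    return None, None, lookups


def deep_name(depth, base="spammer-domain.tld"):
    """Build a name like 1.2.3...N.base, as in the thread's example."""
    return ".".join(str(n) for n in range(1, depth + 1)) + "." + base


if __name__ == "__main__":
    for d in ("example.com", "a.b.example.com", deep_name(99)):
        print(d[:40], find_policy(d), find_policy(d, max_lookups=5))
```

An existing sub-domain with no record of its own inherits the parent's policy after a few lookups, while the 99-label name costs 100 lookups per message unless the walk is capped.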