On 7/19/06, wayne <wayne@schlitt.net> wrote:
> In <1153258155.3892.31.camel@localhost> Andy Bakun
> <spf2@leave-it-to-grace.com> writes:
> > ----------
> > FROM MSN
> >
> > You will want to add the relevant IP addresses, and you will want to
> > remove the PTR reference in your SPF. While this may change in the
> > future, Hotmail does not currently support PTR references in SPF
> > records, and so will be unable to process your SPF correctly.
> >
> > While I know that ptr records are suggested against, [...]
> > [...] is the fact that hotmail effectively claims
> > non-compliant/partial SPF checking a known issue?
> About a year ago, I had a chance to talk with Harry Katz at the Email
> Authentication Summit in NYC. While he didn't get into details, my
> understanding is that Hotmail creates a cache of SPF results based off
> of the domain name and IP address. Hotmail simply has too much
> traffic to easily do SPF checking in realtime, so they only cache a
> finite number of the most common (domain,ip) pairs. Anything that
> can't be cached, such as the use of the s, l, o, or h macro variable,
> will cause your record to not be used by hotmail.
> I know of nothing that would indicate that the *existence* of those
> macro variables or the ptr: mechanism would cause the SPF record to be
> incorrectly processed. That is, I don't think they are simply
> ignoring mechanisms that they can't cache or anything.
> The ptr: mechanism is discouraged because the reverse DNS tree is so
> badly maintained and has a huge number of IP addresses that are commonly
> used by spammers that have name servers that time out, are very slow
> or return errors. The ptr: mechanism, like the mx: mechanism, also
> requires a second level of lookup to make sure that forward and
> reverse IP addresses match.
> Now, what isn't obvious, or at least it wasn't obvious to me, is that
> the ptr: mechanisms are very cacheable. The same (domain,ip) pair will
> always return the same result with the ptr: mechanism. So,
> "mx:foo.com" and "ptr:foo.com" are actually about as expensive (modulo
> rDNS timeouts). What was even less obvious is that multiple ptr:
> mechanisms and multiple uses of the %{p} macro variable in the
> evaluation of an SPF record require *no* additional lookups. The
> domain in the ptr: mechanism is used as a string literal and is used for
> comparing; it isn't looked up. So, "ptr:foo.com ptr:bar.org" is no
> more expensive than just "ptr".
> It is quite possible that the Hotmail folks overlooked this point and
> simply decided that the ptr: mechanism is too expensive and did not
> implement it.
> -wayne
> -------
> Sender Policy Framework: http://www.openspf.org/
> Archives at http://archives.listbox.com/spf-discuss/current/
> To unsubscribe, change your address, or temporarily deactivate your
> subscription, please go to
> http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com
As far as I can understand, Hotmail is seriously broken right now:
http://www.emailaddresses.com/forum/showthread.php?s=&threadid=44332
Mark Wolk
New Zealand Splendeur Tours
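wayne's point about ptr: being cacheable per (domain,ip) pair, as an added example that is not part of this thread: a small Python evaluation of ptr: mechanisms and the %{p} macro following RFC 4408 sections 5.5 and 8.1, run against a constructed stub resolver that counts DNS queries, so that adding more ptr: targets visibly adds no lookups. The zone data, the StubResolver class and the function names are assumptions made for illustration, not any real SPF library's API.

```python
# Added example (not from this thread): ptr: mechanism and %{p} macro evaluation
# per RFC 4408 sections 5.5 and 8.1, against a constructed stub resolver that
# counts queries. The zone data below is made up for illustration.
PTR_RECORDS = {"192.0.2.10": ["mail.foo.com", "mail.bar.org", "bogus.example"]}
A_RECORDS = {"mail.foo.com": ["192.0.2.10"],
             "mail.bar.org": ["192.0.2.10"],
             "bogus.example": ["198.51.100.1"]}   # does not forward-confirm

class StubResolver:
    def __init__(self):
        self.queries = 0
        self._validated = {}   # client IP -> list of forward-confirmed names

    def ptr(self, ip):
        self.queries += 1
        return PTR_RECORDS.get(ip, [])

    def a(self, name):
        self.queries += 1
        return A_RECORDS.get(name, [])

    def validated_names(self, ip):
        # One PTR lookup plus one forward lookup per name (first 10 names), keeping
        # names whose A records include the client IP. Done once per IP and reused.
        if ip not in self._validated:
            self._validated[ip] = [n for n in self.ptr(ip)[:10]
                                   if ip in self.a(n)]
        return self._validated[ip]

def _under(name, domain):
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def ptr_match(resolver, ip, target):
    """ptr:<target> matches if a validated name is <target> or a subdomain of it.
    <target> is compared as a string literal; it is never looked up itself."""
    return any(_under(n, target) for n in resolver.validated_names(ip))

def macro_p(resolver, ip, domain):
    """%{p}: a validated name, preferring <domain> or a subdomain; else 'unknown'."""
    names = resolver.validated_names(ip)
    preferred = [n for n in names if _under(n, domain)]
    return (preferred or names or ["unknown"])[0]

def check_ptr_mechanisms(ip, targets):
    """Evaluate several ptr: targets for one client IP; return (matches, queries)."""
    r = StubResolver()
    return [ptr_match(r, ip, t) for t in targets], r.queries
```

With the constructed data, "ptr:foo.com" alone and "ptr:foo.com ptr:bar.org ptr:example.net" both cost exactly four queries (one PTR plus three forward confirmations), which is the property wayne describes.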