spf-discuss

[spf-discuss] Re: spfd options / features

2007-01-13 15:55:34

Dan_Mitton(_at_)notes(_dot_)ymp(_dot_)gov wrote:
I'm just starting to get into this, so partly, I'm trying to check my
understanding...

It seems like a valid email message must pass 3 spf checks:  HELO, MAIL
FROM, mail header From.  For valid messages, it seems like this
information will generally (not guaranteed, but generally) be the same
(HELO domain = MAIL FROM domain = mail header From domain).  If that is
true, spfd is doing the same 3 DNS queries (ip address, spf record, txt
record) (plus more if it needs to check for mx, ptr, i, etc.) for each
of the 3 checks (HELO, MAIL FROM, header From:).  Is there some way for
spfd to cache these results?  That would cut the per message DNS queries
by 67% !!  A configurable timeout per cache entry would be nice, but
even if the cache was only valid for 1 minute, it would be enough to
cache all the answers for a given message.

Is there a way to (for now until SPF type DNS records are more
prevalent) configure spfd to not look for spf type ( 99 ) DNS records?
This would cut my DNS queries by another 33% per message.

If there is a way to do both, that would cut the number of DNS queries
for simple SPF records from 9 per message to 2 per message.

Is there a way of "pre-fork'ing" and maintaining a few spfd child
processes (like apache does), so as not to have to start up new processes
as often?

All of this depends on the specific spfd implementation, of which there are 
several.  However, I don't think that either DNS RR caching or pre-forking 
is supported by any of them.

The reason why DNS RR caching isn't usually implemented within spfd or SPF 
library implementations (there are exceptions, though) is that your DNS 
resolver server already has a cache.  DNS traffic still occurs between the 
SPF checker and the resolver, but that's usually within the same network 
and is thus harmless.

About SPF-RR-type checking, I think the only spfd implementation that 
currently does it in the first place is the one shipped with Mail::SPF.
I think I'm going to add an option to Mail::SPF and spfd/spfquery for 
choosing what RR types to check.  This should serve any such needs.


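The per-message caching and RR-type selection the thread discusses, as an added Python sketch that is not spfd or Mail::SPF code: a hypothetical record fetcher (`SpfRecordFetcher`, `check_message`) in front of a constructed counting stub resolver, with a configurable per-entry TTL and a switch for querying the SPF RR type (99) before TXT, run over the three identities the poster lists. The query counts cover only the SPF/TXT record lookups, not the "ip address" lookup in the poster's arithmetic.

```python
import time

class CountingResolver:
    """Constructed stand-in for a DNS resolver: answers from a fixed zone
    dict and counts every query, so the effect of caching is measurable."""

    def __init__(self, zone):
        self.zone = zone          # {(name, rrtype): [rdata strings]}
        self.queries = 0

    def query(self, name, rrtype):
        self.queries += 1
        return list(self.zone.get((name, rrtype), []))

class SpfRecordFetcher:
    """Hypothetical fetcher: looks up a domain's SPF policy (SPF RR type 99
    before TXT when enabled) and memoises each answer for `ttl` seconds."""

    def __init__(self, resolver, check_spf_rrtype=True, ttl=60.0,
                 clock=time.monotonic):
        self.resolver, self.ttl, self.clock = resolver, ttl, clock
        self.rrtypes = ["SPF", "TXT"] if check_spf_rrtype else ["TXT"]
        self._cache = {}          # domain -> (expires_at, record or None)

    def fetch(self, domain):
        domain = domain.lower().rstrip(".")
        hit = self._cache.get(domain)
        if hit is not None and hit[0] > self.clock():
            return hit[1]         # cache hit: no DNS traffic at all
        record = None
        for rrtype in self.rrtypes:
            spf = [r for r in self.resolver.query(domain, rrtype)
                   if r.lower().startswith("v=spf1")]
            if spf:
                record = spf[0]
                break             # found at this RR type; skip the rest
        self._cache[domain] = (self.clock() + self.ttl, record)
        return record

def check_message(fetcher, helo, mail_from, header_from):
    """Fetches the policy for the three identities the poster lists; when
    they share a domain, only the first lookup costs DNS queries."""
    idents = {"helo": helo, "mailfrom": mail_from.rsplit("@", 1)[-1],
              "from": header_from.rsplit("@", 1)[-1]}
    return {name: fetcher.fetch(dom) for name, dom in idents.items()}

if __name__ == "__main__":
    resolver = CountingResolver({("example.com", "TXT"): ["v=spf1 mx -all"]})
    fetcher = SpfRecordFetcher(resolver, ttl=60.0)
    print(check_message(fetcher, "example.com", "a@example.com", "a@example.com"))
    print("DNS queries:", resolver.queries)   # 2: SPF miss + TXT hit, then cached
```

Negative answers ("no record") are cached too, which matters because a domain without SPF is the most common case a checker sees.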
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/