spf-discuss

RE: [spf-discuss] Using SPF op=helo for HELO Authorization

2007-01-29 22:27:17
Alex van den Bogaerdt <mailto:alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net> wrote on Monday, January 29, 2007 5:48 PM -0600:

> On Mon, Jan 29, 2007 at 03:46:52PM -0600, Seth Goodman wrote:
>
> > When applied to a HELO FQDN, the recipient must extract the domain
> > from the FQDN to pass on to check_host() regardless.  Check_host()
> > needs the domain to fetch the SPF record, so this is not optional.
> > The HELO FQDN itself must resolve to an IP designated by the SPF
> > record, but the HELO name itself does not have to be listed.
>
> Ugh...
>
> You seem to lack basic understanding of the difference between zone
> and domain.

I made an error, but not what you suggest.  I was erroneously thinking
of the method of zone cuts to allow subdomain names without individual
SPF records, and because I don't care much about checking HELO names, I
forgot that we removed that shortcut a long time ago.  As written
without a ptr: mechanism, my example was wrong, and I'll correct that in
another post.  However, some of your criticisms are wrong.

> > example.com.  A     1.2.3.4
> > www           CNAME example.com.
> > ftp           CNAME example.com.
> > asterisk      A     1.2.3.5
> > inbound1      A     1.2.3.6
> > inbound2      A     1.2.3.7
> > outbound1     CNAME inbound1.example.com.
> > outbound2     CNAME inbound2.example.com.
> >               MX    5 inbound1.example.com.
> >               MX    9 inbound2.example.com.
> >               TXT   "v=spf1 a:outbound1.example.com a:outbound2.example.com -all"
>
> Ugly.  Please do not follow this example.  List only hosts
> that are "A", not "CNAME", in your SPF records.
>
> A(inbound1.example.com) directly results in 1.2.3.6
> A(outbound1.example.com) needs an extra lookup, via CNAME.

While not perfectly efficient, this is not a problem.  It is no more a
problem than the requirement that MX must be a host defined in an A
record, which always generates an "extra" query.  If you want the
ultimate in DNS efficiency, don't use any CNAMEs in your zone.  Many
people use them to make maintenance easier despite the additional lookup
they always require, and that's why DNS provides them.

> > This SPF record will result in:
> >
> > PASS for the following HELO names from IP 1.2.3.6 or 1.2.3.7:
> >
> >    outbound1.example.com
>
> This is not a valid principal hostname, and must not be used for HELO.
> See RFC 2821 section 4.1.4

While technically correct, this is not enforced to date as doing so
causes far too much breakage.  Real systems have to accept mail with
HELO names that don't meet this requirement.  This was an example, not a
recommendation on how to set up a DNS zone or a group of mail hosts.
The setup in my example is not recommended, but for a different reason:
while the reverse zones are not shown, the CNAME implies there are no
PTR records designating the outbound hosts, and that will cause you
delivery problems at fussy recipients.

> > > There is less flexibility in this than hostname@domain, but for
> > > our
> >
> > That is a mailbox address, not a hostname.  The FQDN for a host is
> > normally in the form host.example.com, but the only requirement is
> > that it resolves to an IP.
>
> False.

Let me be more specific.  A hostname is composed of labels separated by
dots.  Each label can include only letters, digits and hyphens, along
with other minor restrictions.  "hostname@domain" is not a legitimate
hostname in DNS because it contains an illegal character (and there is
no dot).  The "@" tells you it is a mailbox address, and that would only
be valid if the domain part includes a dot separating the TLD from the
second level domain.

--
Seth Goodman
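A worked illustration of two points argued in the exchange above, added here as example code that is not part of the original post or of any SPF implementation: the extra query an a: mechanism costs when it names a CNAME rather than an A record, and why a string containing "@" is not a hostname. The zone is a constructed in-memory transcription of the example zone quoted in the thread, check_host() is a deliberately minimal evaluator (a, a:, mx, mx: and all only) that counts every query it issues, and the label rule is the RFC 1123 host-name syntax; no real DNS is consulted.

```python
import re

# Constructed in-memory zone, transcribed from the example zone quoted in the
# thread (relative names expanded to FQDNs). No real DNS is consulted.
ZONE = {
    "example.com.": [
        ("A", "1.2.3.4"),
        ("MX", "5 inbound1.example.com."),
        ("MX", "9 inbound2.example.com."),
        ("TXT", "v=spf1 a:outbound1.example.com a:outbound2.example.com -all"),
    ],
    "www.example.com.": [("CNAME", "example.com.")],
    "ftp.example.com.": [("CNAME", "example.com.")],
    "asterisk.example.com.": [("A", "1.2.3.5")],
    "inbound1.example.com.": [("A", "1.2.3.6")],
    "inbound2.example.com.": [("A", "1.2.3.7")],
    "outbound1.example.com.": [("CNAME", "inbound1.example.com.")],
    "outbound2.example.com.": [("CNAME", "inbound2.example.com.")],
}

# One DNS label: 1-63 letters, digits or hyphens, neither starting nor ending
# with a hyphen (RFC 1123 host-name syntax). Anything else, "@" included, fails.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fqdn(name):
    """Normalise to a lower-case, dot-terminated owner name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_valid_hostname(name):
    """Syntax check only: a hostname is dot-separated labels, nothing more."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in name.split("."))


def resolve_a(name, zone, max_chain=8):
    """Return (A records, number of queries), following CNAMEs.
    A name that is itself an A record costs one query; each CNAME hop adds one."""
    name = fqdn(name)
    queries = 0
    for _ in range(max_chain + 1):
        queries += 1
        rrset = zone.get(name, [])
        addrs = [rdata for rtype, rdata in rrset if rtype == "A"]
        if addrs:
            return addrs, queries
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return [], queries          # no such name, or no A record
        name = fqdn(cnames[0])          # follow the alias and look again
    raise ValueError("CNAME chain too long: %s" % name)


def check_host(ip, domain, zone):
    """Toy check_host(): evaluates a, a:<domain>, mx, mx:<domain> and all with
    the four qualifiers, counting every query issued. Returns (result, queries)."""
    domain = fqdn(domain)
    queries = 1                          # the TXT lookup for the SPF record
    spf = next((rdata for rtype, rdata in zone.get(domain, [])
                if rtype == "TXT" and rdata.startswith("v=spf1")), None)
    if spf is None:
        return "none", queries
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            addrs, n = resolve_a(target, zone)
            queries += n
            matched = ip in addrs
        elif mech == "mx":
            queries += 1                 # the MX lookup itself
            mx_hosts = [rdata.split()[1] for rtype, rdata in zone.get(fqdn(target), [])
                        if rtype == "MX"]
            matched = False
            for host in mx_hosts:        # every MX target needs its own A lookup
                addrs, n = resolve_a(host, zone)
                queries += n
                if ip in addrs:
                    matched = True
                    break
        else:
            return "permerror", queries  # mechanisms this toy does not implement
        if matched:
            return QUALIFIER_RESULT[qualifier], queries
    return "neutral", queries            # ran off the end without a match


if __name__ == "__main__":
    for ip in ("1.2.3.6", "1.2.3.7", "1.2.3.4", "9.9.9.9"):
        print(ip, check_host(ip, "example.com", ZONE))
    print("inbound1 ", resolve_a("inbound1.example.com", ZONE))
    print("outbound1", resolve_a("outbound1.example.com", ZONE))
    for name in ("outbound1.example.com", "hostname@domain", "-bad.example.com"):
        print(name, is_valid_hostname(name))
```

Running it shows 1.2.3.6 passing after three queries (TXT, CNAME, A) where a record listing inbound1 directly would have needed two, and the same zone with "v=spf1 mx -all" pays one MX query plus one A query per MX target, which is the "extra" query the post compares CNAMEs against. The query counter is the defender's reason to care: SPF evaluators cap the number of DNS-querying terms, so aliases spend part of that budget.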

