spf-discuss

Re: [spf-discuss] Re: Current spf record for comcast.net?

2007-02-10 05:28:39
At 11:16 AM 2/10/2007 +0000, Julian Mehnle wrote:
James Welcher wrote:
> My problem is that I don't want to allow a wide comcast.net CIDR block
> to be able to spoof my domains.
>
> It seems really problematic also to include 40 hosts via the a: syntax
> in the TXT record. I'm using DJB's tinydns and it has some issues with
> long TXT fields. It splits them over 127 characters (although
> according to the spec, most clients should be able to reconstruct),
> but over a certain length approaching the 512 byte limit of UDP DNS
> packets, tinydns can't provide this data because DNS uses TCP for
> bigger records.
>
> Regardless... I'm trying to find a way to use SPF to add a list of
> arbitrary hosts without having to list them all individually, but
> without adding in monster CIDR block ranges.

There are two other solutions besides the one you described:

 1. Publish A records for their servers' IP addresses:
      91.225.127.204.comcast.spf.yourdomain.com.  IN  A  127.0.0.1
       51.177.18.206.comcast.spf.yourdomain.com.  IN  A  127.0.0.1
      ...
    and then say "exists:%{ir}.comcast.spf.%{d}" or something in your SPF
    record.  (This may not be more maintainable than your MX solution, but
    it is more general and allows for large, arbitrary sets of IP
    addresses.)

 2. If you're a Comcast customer, contact them and tell them that you'd
    like them to publish an SPF record (and keep it up to date).  Then
    "include:" that SPF record as soon as they publish it.

3. Use another ESP for your outbound. I use controlledmail.com: small but excellent service if you ever have a problem, and yahoo.com: no service, but huge clout with receivers. Yahoo doesn't publish an SPF record, but they do seem to police their entire IP range quite well.

-- Dave
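
The `exists:%{ir}.comcast.spf.%{d}` approach from option 1, as an added example that is not part of the original message: it expands the macro for a connecting IP, generates the matching A records, and models the `exists` check as set membership. The IP list is constructed by reversing the two record names shown above, the function names are hypothetical, and only the `%{i}`, `%{ir}` and `%{d}` macros are handled.

```python
import ipaddress
import re

def ip_labels(ip):
    """Labels SPF uses for %{i}: octets for IPv4, hex nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr).split(".")
    return list(addr.exploded.replace(":", ""))

def expand(template, ip, domain):
    """Expand %{i}, %{ir} and %{d} (a subset of SPF macro syntax)."""
    labels = ip_labels(ip)
    values = {
        "i": ".".join(labels),
        "ir": ".".join(reversed(labels)),  # 'r' reverses the label order
        "d": domain,
    }
    def substitute(match):
        key = match.group(1).lower()
        if key not in values:
            raise ValueError("macro not handled here: " + match.group(0))
        return values[key]
    return re.sub(r"%\{([^}]*)\}", substitute, template)

def zone_lines(ips, domain, template="%{ir}.comcast.spf.%{d}"):
    """One A record per permitted sender, in the layout used in the message."""
    return [f"{expand(template, ip, domain)}.  IN  A  127.0.0.1" for ip in ips]

def exists_matches(template, ip, domain, published_names):
    """Model of the exists: test: pass only if the expanded name has an A record."""
    return expand(template, ip, domain).lower() in published_names

# Constructed sample data: the two addresses implied by the records above.
PERMITTED = ["204.127.225.91", "206.18.177.51"]
DOMAIN = "yourdomain.com"
TEMPLATE = "%{ir}.comcast.spf.%{d}"
PUBLISHED = {expand(TEMPLATE, ip, DOMAIN) for ip in PERMITTED}

if __name__ == "__main__":
    print("\n".join(zone_lines(PERMITTED, DOMAIN)))
    for candidate in PERMITTED + ["204.127.225.92"]:
        print(candidate, exists_matches(TEMPLATE, candidate, DOMAIN, PUBLISHED))
```

Each permitted address costs one short A record instead of a longer TXT string, and a neighbouring address in the same block that has no record does not match.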


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/