spf-discuss

Re: [spf-discuss] Re: How to mark domains that do / do not wish to receive email]

2008-03-31 00:55:30
Frank Ellermann wrote:
Alessandro Vesely wrote:

AFAIK, SPF specs still mandate to add a TXT or SPF record for each
subdomain. IME, that is one of the most frequent omissions in SPF
configurations. The current spec requires an SPF record for each
name that has either an MX or an A record. Except for tiny domains,
that requires a script, which is probably why many admins skip it.

Nobody is forced to publish a sender policy.  When folks do it
they will hopefully cover their HELOs and their mail addresses.

That implies the main usage for SPF is to discard misdirected bounces.

They can cover other A or AAAA domains like www.example, but it
is not strictly necessary when www.example has no MX and no SMTP.
"v=spf1 -all" can be good, it allows rejecting forged mail from
any@www.example.

That causes no harm to the owners of the example domain, correct?

The owners could also decide that misdirected
bounces to any@www.example are no problem from their POV without
MX for or SMTP at www.example.

Why would they do so? That decision can be a problem for other domains, who will accept mail from any@www.example as policy "neutral".

IMHO, a default more appropriate than "?all" might be preferable.

Changing the default for v=spf1 would break an unknown number of
existing policies violating the SHOULD in RFC 4408 chapter 4.7.

Agreed

'More appropriate than "?all"', see ?  You dare not say "-all",
it could cause havoc for the idio^Wfolks not reading chapter 4.7.

:-)

an additional "default" modifier [...]
Won't fly for various reasons. [...]
Finally the zone cut idea was pulled, and declared to be a very
dead horse in a very big rathole.

That's true, I found the resolution here
http://www.openspf.org/Council_Resolution/21

For v=spf1 it's also not really necessary, because SPF is not
about anti-phishing as primary goal, it is primarily about good
vs. misdirected bounces, and for that issue it is not necessary
to cover all A / AAAA without SMTP.

Hm... that sounds like an undue limitation to SPF.

An alternative to having a zone cut is to campaign for the addition of "mail" RRs for each A record. A "mail" RR should be an SPF/TXT "v=spf1 -all", an MX 0 521-smtp-stub.example.com, or similar stuff. Would that be any better for either the domain owners or the mail community as a whole?

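The message mentions that covering every name with an A or MX record "requires a script". The sketch below is an added example, not code from the thread or from the SPF project: it audits a constructed sample zone for names that have A, AAAA or MX records but no SPF record. The zone data, the function names and the rule that names with an MX (or names that are MX targets and may be HELO names) need manual review are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample zone (owner, type, rdata); not data from the thread.
SAMPLE_ZONE = """\
example.        MX    10 mail.example.
example.        A     192.0.2.10
example.        TXT   "v=spf1 mx -all"
mail.example.   A     192.0.2.25
www.example.    A     192.0.2.80
www.example.    AAAA  2001:db8::80
ftp.example.    CNAME www.example.
lists.example.  MX    10 mail.example.
lists.example.  TXT   "site-verification=constructed"
"""

def parse_zone(text):
    """Return {owner: {rrtype: [rdata, ...]}} from 'owner type rdata' lines."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            owner, rrtype, rdata = line.split(None, 2)
            zone[owner.lower()][rrtype.upper()].append(rdata.strip())
    return zone

def has_spf(rrsets):
    """True if a TXT or SPF record at this name begins with the v=spf1 tag."""
    records = rrsets.get("TXT", []) + rrsets.get("SPF", [])
    return any(r.strip('"').lower().split(" ")[0] == "v=spf1" for r in records)

def audit(zone):
    """Map each name that has A/AAAA/MX but no SPF record to a finding."""
    mx_targets = {r.split()[1].lower() for rr in zone.values() for r in rr.get("MX", [])}
    findings = {}
    for owner, rrsets in sorted(zone.items()):
        if {"A", "AAAA", "MX"}.isdisjoint(rrsets) or has_spf(rrsets):
            continue
        if "MX" in rrsets or owner in mx_targets:
            # Mail domain or possible HELO name: "-all" could reject real mail.
            findings[owner] = "REVIEW: write a policy by hand"
        else:
            # No MX and not a mail host: the "v=spf1 -all" case from the thread.
            findings[owner] = f'{owner} TXT "v=spf1 -all"'
    return findings

if __name__ == "__main__":
    for owner, finding in audit(parse_zone(SAMPLE_ZONE)).items():
        print(f"{owner:16}{finding}")
```

The generated `-all` records are only correct for names that never appear as a HELO name or in a sender address, so the output is a list to review before publishing.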