Boyd Lynn Gerber wrote:
> On Thu, 31 Jul 2008, Scott Kitterman wrote:
>> SPF works fine with CNAMES. If their implementation can't follow
>> the CNAME, then it's broken (I coded part of the CNAME support in
>> pyspf and I know other libraries support it too).
>
> I know pyspf supports it. I just do not understand where this came
> from. The only thing I could find was that maybe a CNAME was being
> used. But a dig did give me the appropriate TXT record which should
> have allowed them to get an SPF fail.

It depends on exactly where you're using the CNAMEs. Say your main domain is
bar.tld and it looks like:

    @ORIGIN bar.tld
              A      192.168.1.1
              MX 10  mail.bar.tld
    mail      A      192.168.1.1
    mail      MX 10  mail.bar.tld
    alias     CNAME  mail.bar.tld

If you have the domain foo.tld and it has

    @ORIGIN foo.tld
              CNAME  bar.tld

then you're good.

If you have both a CNAME for foo.tld *and* an MX record:

    @ORIGIN foo.tld
              CNAME  bar.tld
              MX 10  mail.bar.tld

then your zone isn't RFC-compliant; you can't have CNAME co-exist with A, MX,
or other types of RRs at the same domain level.

If you have this for foo.tld:

    @ORIGIN foo.tld
              A      192.168.1.1
              MX 10  alias.bar.tld

then your zone isn't RFC-compliant; you must point an MX record to an A record,
not a CNAME record.

None of these issues are SPF-specific, however, so it doesn't change the fact
that whatever notification messages you're getting are very messed up.

--
Devin L. Ganger, Exchange MVP Email: deving(_at_)3sharp(_dot_)com
3Sharp Phone: 425.882.1032
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
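
Added example, not part of the original message: a small Python check for the two zone errors described above (a CNAME sharing its owner name with other record types, and an MX whose target is a CNAME). The function name, the tuple layout and the sample records (built from the bar.tld / foo.tld zones in the message) are assumptions made for illustration.

```python
from collections import defaultdict

# DNSSEC records are the standard exception allowed next to a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

def _norm(name):
    """Lower-case a domain name and drop any trailing dot."""
    return name.lower().rstrip(".")

def lint_records(records):
    """Return sorted findings for records given as (owner, rtype, rdata)
    tuples with fully qualified names (hypothetical layout)."""
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[_norm(owner)].add(rtype.upper())

    findings = []
    # Rule 1: a CNAME must not co-exist with A, MX or other RR types.
    for owner, types in types_at.items():
        others = types - ALLOWED_WITH_CNAME
        if "CNAME" in types and others:
            findings.append(
                f"{owner}: CNAME coexists with {', '.join(sorted(others))}")
    # Rule 2: an MX must point at an address record, not at an alias.
    for owner, rtype, rdata in records:
        if rtype.upper() == "MX":
            target = _norm(rdata.split()[-1])
            if "CNAME" in types_at.get(target, ()):
                findings.append(
                    f"{_norm(owner)}: MX target {target} is a CNAME")
    return sorted(findings)

# Constructed sample data mirroring the zones in the message.
BAR = [
    ("bar.tld", "A", "192.168.1.1"),
    ("bar.tld", "MX", "10 mail.bar.tld"),
    ("mail.bar.tld", "A", "192.168.1.1"),
    ("mail.bar.tld", "MX", "10 mail.bar.tld"),
    ("alias.bar.tld", "CNAME", "mail.bar.tld"),
]
FOO_CNAME_ONLY = [("foo.tld", "CNAME", "bar.tld")]
FOO_CNAME_AND_MX = FOO_CNAME_ONLY + [("foo.tld", "MX", "10 mail.bar.tld")]
FOO_MX_TO_ALIAS = [("foo.tld", "A", "192.168.1.1"),
                   ("foo.tld", "MX", "10 alias.bar.tld")]

if __name__ == "__main__":
    for label, foo in [("CNAME only", FOO_CNAME_ONLY),
                       ("CNAME and MX", FOO_CNAME_AND_MX),
                       ("MX to alias", FOO_MX_TO_ALIAS)]:
        print(label, "->", lint_records(BAR + foo) or "no findings")
```

The MX check only sees aliases that are present in the records passed in, so the target's zone has to be supplied together with the zone that holds the MX.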