Hello,
I have been faced with an interesting question while working on our SPF
implementation.
Take the SPF record "v=spf1 a mx ptr -all". The "a" mechanism has no
argument, so the domain used will be the envelope sender domain (or
the HELO domain), say "example.org". During the evaluation, it turns
out that example.org does not have an A RR. Ooops.
The question is: shall this result in a DNS error (1), in no-match (2,
just like if the record data did not match with the checked IP) or
should be ignored (3)?
Obviously, a parameterless "a" without an A RR is stupid. Just another
DNS lookup for nothing. However, when there is a macro parameter that
extends using a session data-dependent macro like "c" (client IP) or
"l" (sender local part), it may make sense.
Our SPF implementation currently uses (1), i.e. we treat this as an
error, but I have noticed that the SPF checker at
http://www.dnsstuff.com/pages/spf.htm says PASS if mx/ptr matches, so
it silently ignores the missing record (3).
Unfortunately SPF Classic (that I am implementing) is not very clear
on what is an error and what is not.
Your comments are welcome.
Best regards,
Peter Karsai
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
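
The three options from the message, as an added example that is not part of the original post or of any SPF implementation it mentions: a simplified evaluator (only "a", "mx" and "all" without arguments or macros; "ptr" is skipped) run against constructed zone data in which example.org has an MX but no A RR. The names evaluate, lookup, empty_policy and the zone contents are assumptions made for illustration.

```python
import ipaddress

# Constructed zone data: example.org has an MX but no A RR (the case in the post).
ZONE = {
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stub resolver (hypothetical): a missing RRset is returned as an empty list."""
    return ZONE.get((name, rrtype), [])


def evaluate(record, domain, client_ip, empty_policy):
    """Evaluate a simplified SPF record left to right.

    empty_policy selects what an empty A/MX answer means:
    "error" (option 1), "no-match" (option 2) or "ignore" (option 3).
    Returns (result, trace) so the path taken is visible.
    """
    ip = ipaddress.ip_address(client_ip)
    trace = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            trace.append("all: match")
            return QUALIFIERS[qualifier], trace
        if mech == "a":
            addrs = lookup(domain, "A")
        elif mech == "mx":
            addrs = [a for host in lookup(domain, "MX") for a in lookup(host, "A")]
        else:
            trace.append(f"{mech}: not handled in this sketch, skipped")
            continue
        if not addrs:
            if empty_policy == "error":
                trace.append(f"{mech}: no records -> error")
                return "error", trace
            how = "no match" if empty_policy == "no-match" else "ignored"
            trace.append(f"{mech}: no records -> {how}")
            continue
        if ip in {ipaddress.ip_address(a) for a in addrs}:
            trace.append(f"{mech}: match")
            return QUALIFIERS[qualifier], trace
        trace.append(f"{mech}: no match")
    return "neutral", trace
```

With this record, options (2) and (3) reach the same result and differ only in how the step is reported in the trace; option (1) is the only one that stops evaluation before "mx" is tried.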