Mailing List Archive

Virtual domains and equality of SPF records
Hi,

I write this note in case someone is going to write a new version of
the standard: an equality relationship between SPF records is not
currently defined.

SPF cannot be used to identify that two mail domains work in the same
way. If two domains share the same set of hosts for inbound and
outbound mail, then one would call them virtual (or vanity) domains.
Recognizing such a state of affairs can simplify tasks related to
recognizing accountability to an organization for messages that they
send on behalf of one of those mail domains.

While it is fairly simple to check that two domains share at least one
primary MX (which can be done without comparing IP addresses), a
similarly obvious test for SPF does not exist. Usage of the "include"
mechanism is fairly obvious, but not quite standardized, nor mandated.
Would it make sense to require that an SPF record for a virtual domain
contains _exactly_ a specified form of "include"?

Currently, to recognize that two SPF records are equal, it seems
necessary to run the check function for the whole address space. Or is
there a feasible method?


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
Re: Virtual domains and equality of SPF records
On 3-Jul-09, at 1:49 PM, Alessandro Vesely wrote:

> Hi,
>
> I write this note in case someone is going to write a new version of
> the standard: an equality relationship between SPF records is not
> currently defined.
>
> SPF cannot be used to identify that two mail domains work in the
> same way. If two domains share the same set of hosts for inbound and
> outbound mail, then one would call them virtual (or vanity) domains.
> Recognizing such a state of affairs can simplify tasks related to
> recognizing accountability to an organization for messages that they
> send on behalf of one of those mail domains.
>
> While it is fairly simple to check that two domains share at least
> one primary MX (which can be done without comparing IP addresses), a
> similarly obvious test for SPF does not exist. Usage of the
> "include" mechanism is fairly obvious, but not quite standardized,
> nor mandated. Would it make sense to require that an SPF record for
> a virtual domain contains _exactly_ a specified form of "include"?
>
> Currently, to recognize that two SPF records are equal, it seems
> necessary to run the check function for the whole address space. Or
> is there a feasible method?
>


I think 'redirect' is an acceptable method to address this. At least
that's what I use.

Set up one SPF policy for the main domain and then redirect all
virtual domains that use the same parameters to the main domain's SPF
policy.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



Re: Virtual domains and equality of SPF records
On Fri, 3 Jul 2009, Gino Cerullo wrote:

> On 3-Jul-09, at 1:49 PM, Alessandro Vesely wrote:
> >I write this note in case someone is going to write a new version of the
> >standard: an equality relationship between SPF records is not currently
> >defined.
>
> I think 'redirect' is an acceptable method to address this. At least that's
> what I use.
>
> Set up one SPF policy for the main domain and then redirect all virtual
> domains that use the same parameters to the main domain's SPF policy.

Also, 'include' does *not* make an equivalent policy, since it
effectively means 'if-pass'. A policy whose only mechanism is a
redirect is equivalent to the redirected domain (modulo macros?).

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


Re: Virtual domains and equality of SPF records
On Fri, 3 Jul 2009 16:05:55 -0400 (EDT) "Stuart D. Gathman"
<stuart@bmsi.com> wrote:
>On Fri, 3 Jul 2009, Gino Cerullo wrote:
>
>> On 3-Jul-09, at 1:49 PM, Alessandro Vesely wrote:
>> >I write this note in case someone is going to write a new version of the
>> >standard: an equality relationship between SPF records is not currently
>> >defined.
>>
>> I think 'redirect' is an acceptable method to address this. At least that's
>> what I use.
>>
>> Set up one SPF policy for the main domain and then redirect all virtual
>> domains that use the same parameters to the main domain's SPF policy.
>
>Also, 'include' does *not* make an equivalent policy, since it
>effectively means 'if-pass'. A policy whose only mechanism is a
>redirect is equivalent to the redirected domain (modulo macros?).
>

Yes. In general redirect is better when domains are within the same
administrative boundary and include works better when you cross an
administrative boundary.

Back to the original question: All an SPF record is is a group of
mechanisms that can be reduced to an IP address. There is no way to
dictate a particular arrangement of them that is "required" when an
alternate record would correctly describe the IP addresses the domain owner
wishes to authorize.

I suspect that you are trying to read more into the data than can
reasonably be found there.

Scott K
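The two points made in this thread, that 'include' behaves as "if-pass" while a bare 'redirect' adopts the target's whole result, and that a record ultimately reduces to a set of addresses and results, can be checked mechanically. The following is an added illustration, not code from any poster or from any SPF library: a deliberately minimal evaluator covering only the ip4, include, redirect and all terms, run against a constructed zone of hypothetical domains (main.example and two vanity domains) and a constructed probe list. It also implements the brute-force equality test from the original question, restricted to a probe set instead of the whole address space.

```python
import ipaddress

# Constructed zone: SPF TXT records for hypothetical domains (names and
# addresses are made up for this example, not taken from any deployment).
ZONE = {
    "main.example": "v=spf1 ip4:192.0.2.0/28 ~all",
    "vanity-redirect.example": "v=spf1 redirect=main.example",
    "vanity-include.example": "v=spf1 include:main.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified check_host(): supports ip4, include, redirect and all only.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    Macros, mx, a, ptr, exists, ip6 and exp are intentionally left out.
    """
    if depth > 10:                       # cap recursion instead of the RFC's DNS-lookup limit
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # modifier; only used if nothing matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # 'include' is "if-pass": only a 'pass' from the included domain
            # matches; its fail/softfail/neutral fall through to later terms.
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"           # unsupported mechanism in this subset
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        # 'redirect' hands the whole evaluation to the target, so the target's
        # result, including its own trailing 'all', becomes this domain's result.
        result = check_host(ip, redirect, zone, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"                     # no term matched and no redirect


def result_map(domain, addresses, zone=ZONE):
    """Reduce a record to the result it yields for each probed address."""
    return {ip: check_host(ip, domain, zone) for ip in addresses}


def equivalent(domain_a, domain_b, addresses, zone=ZONE):
    """Brute-force equality over a probe set: same result for every address."""
    return result_map(domain_a, addresses, zone) == result_map(domain_b, addresses, zone)


# Constructed probes: two inside 192.0.2.0/28, one just outside, one unrelated.
PROBES = ["192.0.2.1", "192.0.2.15", "192.0.2.16", "198.51.100.7"]

if __name__ == "__main__":
    for d in ZONE:
        print(d, result_map(d, PROBES))
    print("redirect equivalent:", equivalent("main.example", "vanity-redirect.example", PROBES))
    print("include equivalent: ", equivalent("main.example", "vanity-include.example", PROBES))
```

Run as-is, the redirect-only vanity domain reproduces main.example's results exactly (pass inside the /28, softfail elsewhere), whereas the include form turns main.example's softfail into its own -all fail for 192.0.2.16 and 198.51.100.7, so the two records are not equal even though they authorize the same addresses. Note that probing a sample set only demonstrates inequality; showing equality this way would need the full address space, which is the cost the original question points at.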


Re: Virtual domains and equality of SPF records
Scott Kitterman wrote:
> On Fri, 3 Jul 2009 16:05:55 -0400 (EDT) "Stuart D. Gathman"
> <stuart@bmsi.com> wrote:
>> On Fri, 3 Jul 2009, Gino Cerullo wrote:
>>
>>> On 3-Jul-09, at 1:49 PM, Alessandro Vesely wrote:
>>>> I write this note in case someone is going to write a new version of the
>>>> standard: an equality relationship between SPF records is not currently
>>>> defined.
>>> I think 'redirect' is an acceptable method to address this. At least that's
>>> what I use.
>>>
>>> Set up one SPF policy for the main domain and then redirect all virtual
>>> domains that use the same parameters to the main domain's SPF policy.
>> Also, 'include' does *not* make an equivalent policy, since it
>> effectively means 'if-pass'. A policy whose only mechanism is a
>> redirect is equivalent to the redirected domain (modulo macros?).

Thanks to all!

For some reason, redirect=_spf.example.com is suggested less often
than include in spf-help posts.

> Yes. In general redirect is better when domains are within the same
> administrative boundary and include works better when you cross an
> administrative boundary.

Fine. The last paragraph in section 5.2 is less precise (as it adds
"or even mx:example.com".)

> Back to the original question: All an SPF record is is a group of
> mechanisms that can be reduced to an IP address. There is no way to
> dictate a particular arrangement of them that is "required" when an
> alternate record would correctly describe the IP addresses the domain owner
> wishes to authorize.

Yeah. There would be a way _if_ SPF wanted to define an equality
relationship. In that case, something along the lines of either
bytewise equality or redirect to the other would be viable, even if
alternative "unequal" records can produce identical results.

> I suspect that you are trying to read more into the data than can
> reasonably be found there.

Correct. The idea was to match the mail domain in ehlo (actually
vhlo) with the right hand side of the sender's address, in order to
consider virtual domains "compatible" with one another in some
cases. Comparing their MX records is feasible, but semantically more
distant.


