On Thu, 2004-10-07 at 21:12, Frank Ellermann wrote:
> Buchibabu wrote:
>
> > How to publish a TXT record which can be compatible for both
> > SPF and as well as Sender ID.
>
> Start your tests with one v=spf1 TXT record. That's supported
> by many existing implementations. There are really important
> differences between v=spf1 and spf2.0/pra, it's less confusing
> for you (and your users) if you start with v=spf1.
>
> > is there any way to publish these two records?
>
> Should be possible, as you say, two records.
>
> > When Microsoft queries my DNS it should pick only Sender ID
> > records and if AOL queries it should get the spf1 record.
>
> It's not only AOL, there are numerous SPF implementations, and
> they all pick the TXT record starting with v=spf1.
>
> Bye, Frank

More importantly spf2.0/pra is crap.

Secondly, a look to the RFC will aid in understanding (taken from
Section 3.1 of the RFC Draft):

> SPF clients MUST use only the records of the highest understood
> version published by a domain and ignore all lower versions, unless
> that version explicitly recognizes lower versioned responses.
>
> For example, if an SPF client understands versions 1, 2 and 3, and
> the DNS query results in records of version 1, 2 and 4, then only
> the record with version 2 is used.
>
> This specification describes version 1. If multiple "v=spf1" records
> are returned, the SPF client MUST reject them all and act as if no
> version 1 records were returned.
^^ *Pay PARTICULAR attention to this rule.
> SPF-like records of the form "v=spf1+ext" or "v=spf1.1" are not
> described by this document.
* We look to section 2.1 to get a better understanding of this:
> A domain MUST NOT return multiple records that begin with the
> version "v=spf1". If more than one "v=spf1" record is returned,
> this constitutes a syntax error and the result is "unknown".
>
> Note: The comparison is done on the entire version section (which is
> terminated either by a SP character, or the end of the TXT record).
> Hence, a record with a version of "v=spf10" is not considered a
> record with version "v=spf1".
If you wish to publish verbose records there are several ways to do
this, one of which is described in the latter portion of Section 2.1:
> In unusual situations, directives may require additional DNS records.
> If additional records are used, they MAY be published under the
> "_spf" subdomain. See Appendix B for examples.
>
> An SPF record MAY consist of a single TXT record with multiple
> strings. If such an TXT record is encountered, then an SPF client
> MUST concatenate those strings without adding spaces, eg
> TXT "v=spf1 .... first" "second string..."
> MUST be treated as equivalent to
> TXT "v=spf1 .... firstsecond string..."
>
> TXT records containing multiple strings are useful in order to
> construct more complex SPF records which would otherwise exceed
> the maximum length of a string within a TXT record.
>
> Note: Many nameserver implementations will silently split long
> strings in TXT records into several shorter strings.
An alternative way is to make use of the INCLUDE and REDIRECT mechanisms
and modifiers.
As regards parsers, libSPF is somewhat forgiving, as it tries its best to
rebuild records which appear out of order, given the penchant for people
to publish records like:

  blah.com IN TXT "v=spf1 a mx ptr ip4:1.2.3.4/24 ip4:5.6.7.8/24"
  blah.com IN TXT "ip4:22.22.22.0/16 a:remote.customer.blah.com/29 ?all"

Although the above is not technically legal given the above stated
wording at the time of writing I tried to be as forgiving as possible.
I would advise however that you do publish in accordance with the rules
and test your SPF records against a validator such as the one available
on the spfTools.net site which runs the record against both libSPF as
well as a PHP SPF parser written by Richard (who started
spf.infinitepenguins.net).
http://spftools.net/check.php

Cheers,
James
--
James Couzens,
Programmer
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7A7C7DCF
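
The selection rules quoted from the draft in the message above, sketched in Python as an added example (not part of the original message and not libSPF's code): it joins multi-string TXT records, compares the whole version section, treats more than one "v=spf1" record as "unknown", and flags version-less fragments like the second blah.com record. The sample RRsets and function names are constructed for illustration.

```python
import re

# Constructed sample RRsets: each TXT record is a list of character-strings.
SPLIT = [["v=spf1 a mx ip4:192.0.2.0/24 inclu", "de:_spf.example.net -all"]]
BOTH = [["v=spf1 mx -all"], ["spf2.0/pra mx -all"]]
DUPLICATE = [["v=spf1 a mx -all"], ["v=spf1 ip4:192.0.2.1 -all"]]
FRAGMENT = [["v=spf1 a mx ptr ip4:192.0.2.0/24"], ["ip4:198.51.100.0/24 ?all"]]
LOOKALIKE = [["v=spf10 mx -all"]]

# First term of a record that looks like an SPF mechanism but has no version tag.
_TERM = re.compile(r"^[+\-~?]?(all|a|mx|ptr|ip4|ip6|include|exists)([:/]|$)", re.I)


def join_strings(record):
    """Concatenate the strings of one TXT record without adding spaces."""
    return "".join(record)


def version_of(text):
    """Version section: everything before the first SP, or the whole record."""
    return text.split(" ", 1)[0]


def select_spf1(rrset):
    """Return (status, record): 'ok', 'none', or 'unknown' for duplicates."""
    texts = [join_strings(r) for r in rrset]
    # Assumption: the tag is compared case-insensitively; "v=spf10" must not match.
    hits = [t for t in texts if version_of(t).lower() == "v=spf1"]
    if len(hits) > 1:
        return ("unknown", None)
    return ("ok", hits[0]) if hits else ("none", None)


def orphan_fragments(rrset):
    """TXT records that start with an SPF-style term but carry no version tag.
    A strict client ignores them, so their mechanisms never take effect."""
    texts = [join_strings(r) for r in rrset]
    return [t for t in texts if _TERM.match(version_of(t))]
```

Publishing one "v=spf1" record next to one "spf2.0/pra" record (BOTH) does not trip the duplicate rule, because the two version sections differ.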