Hello all, and thanks for the help you've been providing folks here.
I've been using SPF successfully for years now, and I've also been using IPv6 for years. But I just recently realized that I may have a problem with my SPF records, depending on the definition of the mechanisms.
In particular, I have the following records for my primary mail host:
punctilious.kempt.net. IN A 198.179.16.73
punctilious.kempt.net. IN AAAA 2001:470:e05c:2::c0ff:ee:2
punctilious.kempt.net. IN TXT "v=spf1 a -all"
I've always figured that was what I wanted for the host SPF record, but reading the description of the "a" mechanism on <http://www.openspf.org/SPF_Record_Syntax#a>:
> All the A records for domain are tested. If the client IP is found among them, this mechanism matches.
>
> If domain is not specified, the current-domain is used.
>
> The A records have to match the client IP exactly, unless a prefix-length is provided, in which case each IP address returned by the A lookup will be expanded to its corresponding CIDR prefix, and the client IP will be sought within that subnet.
I guess I always thought of "a" as "address," including both IPv4 and IPv6 addresses, but the documentation quoted above specifically mentions the A record, which of course is the IPv4 half of that.
Will connections from my host over IPv6 be rejected by IPv6 implementations out there? Should they be? (If, say, all known implementations running on MTAs that support connections over IPv6 will allow this, then I'll relax a bit, but still be concerned if this is not the intention of the specification.) I note that there is no corresponding "aaaa" mechanism, which supports the idea that "a" is really "address," and not "A record."
A similar, but less direct, example is in the SPF record I have set for the domain avernus.com:
avernus.com. IN TXT "v=spf1 mx a:mail.fgm.com -all"
There, I use the "mx" mechanism (the a:mail.fgm.com is a simple case, since it only has an IPv4 address), and two of the three MX hosts involved have an IPv4 address as well as at least one IPv6 address. I know I could simply specify all those addresses using "ip4" and "ip6" mechanisms and reduce DNS traffic in the process, but, especially with IPv6, the addresses are very long, numerous, and subject to change every once in a while. I don't want to end up with an out-of-date SPF record.
The "mx" mechanism specifies:
> All the A records for all the MX records for domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches.
>
> If domain is not specified, the current-domain is used.
>
> The A records have to match the client IP exactly, unless a prefix-length is provided, in which case each IP address returned by the A lookup will be expanded to its corresponding CIDR prefix, and the client IP will be sought within that subnet.
Really? Only the A records? If that's the case, then any MTA receiving mail from this host over IPv6 could rightfully reject it. Is that really the intent? And again, how about the implementations out there?
Thanks for any insight,
- Geoff
-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
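Because the question turns on which record type each mechanism consults, here is an added example (not code from the post or from any SPF implementation) that evaluates the two records above the way RFC 7208 sections 5.3 and 5.4 specify: the client's address family selects A or AAAA, both for "a" and for each MX host, with the optional "/ip4-cidr//ip6-cidr" prefix lengths applied per family. The DNS data is a constructed stand-in: the kempt.net records are the ones quoted above, while the avernus.com MX hosts and the mail.fgm.com address are assumed.

```python
import ipaddress

# Constructed DNS stand-in: kempt.net records from the post, other data assumed.
DNS = {
    "punctilious.kempt.net": {"A": ["198.179.16.73"],
                              "AAAA": ["2001:470:e05c:2::c0ff:ee:2"]},
    "avernus.com": {"MX": [(10, "mx1.example.net"), (20, "mail.fgm.com")]},
    "mx1.example.net": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    "mail.fgm.com": {"A": ["192.0.2.10"]},
}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def parse_mech(term):
    """Split 'a:host/24//64' into (mechanism, target, ip4-cidr, ip6-cidr)."""
    ip4cidr, ip6cidr = 32, 128  # RFC 7208 defaults when no prefix is given
    if "//" in term:
        term, ip6 = term.split("//", 1); ip6cidr = int(ip6)
    if "/" in term:
        term, ip4 = term.split("/", 1); ip4cidr = int(ip4)
    name, _, target = term.partition(":")
    return name, target or None, ip4cidr, ip6cidr

def host_matches(client, host, ip4cidr, ip6cidr):
    # RFC 7208 5.3/5.4: the client's family selects the record type (A or AAAA)
    rtype, cidr = ("AAAA", ip6cidr) if client.version == 6 else ("A", ip4cidr)
    return any(client in ipaddress.ip_network(f"{a}/{cidr}", strict=False)
               for a in lookup(host, rtype))

def check_spf(record, domain, client_ip):
    client = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, target, c4, c6 = parse_mech(term)
        target = target or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = host_matches(client, target, c4, c6)
        elif name == "mx":  # each MX host in priority order, same family rule
            matched = any(host_matches(client, h, c4, c6)
                          for _, h in sorted(lookup(target, "MX")))
        else:
            raise ValueError(f"mechanism not handled in this example: {name}")
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"
```

Only "a", "mx" and "all" are implemented here; a real evaluator also needs "ip4", "ip6", "include", "redirect" and the DNS lookup limit.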