On 2011-07-01 at 19:29 -0700, Lynda wrote:
> It doesn't make sense (why have an SPF entry in the DNS if you're not
> going to use it), but there it is.
This is a lesson in "what the standards say" vs "what you do
operationally". Aka "suffer the politics and then do what works".
The SPF record type exists because some hardcore DNS folks are opposed
to storing structured data in TXT records.
I don't think I'm misrepresenting them when I say that they argue that
using TXT records like this means that you can't programmatically tell,
just by the RR type, what will be in the data; and that if you put the
data directly on the domain itself, you end up with 42 different TXT
records for different purposes, which all have to be retrieved, just for
most of them to be ignored, and that you risk blowing past the
512/EDNS0-raised size limits for UDP responses.
I have a lot more sympathy for the second argument. It's counterable by
designing your protocol to ask for a specific _prefix of the desired
domain; eg, all DKIM stuff is under _domainkey.${domain_in_question}.
So, to satisfy the DNS folks, as part of getting SPF published as an RFC
(4408), the SPF RR type was created.
Approximately nothing uses the SPF RR type. Given the hassles of
getting most people to do any sort of updates to their mail setup of
things which used to work, I don't see this changing significantly any
time soon. A big provider going crazy and starting to demand SPF
instead of TXT would do it, but I don't see that happening.
So, to use SPF, you:
* publish a TXT record
* optionally publish an SPF record too, for brownie points with
conformance test suites but not for deliverability
And seriously, use DKIM. And if you run mailing-lists, read
draft-ietf-dkim-mailinglists-12.txt, available as:
http://tools.ietf.org/html/draft-ietf-dkim-mailinglists-12
DKIM is more work to set up, but worth it if you care about
deliverability to large providers and being able to move datacenters or
otherwise change IPs used for sending outbound mail without seeing your
mail delivery success rate plummet. It lets receivers tie sender
reputation to mail domains, instead of IPs.
-Phil
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
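Added example (Python; not code from Phil's post or from LOPSA): a model of the three points the message makes. It shows how a receiver doing an SPF lookup over TXT has to sift the whole apex TXT RRset for the one record that starts with "v=spf1" (RFC 4408 section 4.5 treats more than one match as PermError) and must reassemble records split across several character-strings (RFC 4408 section 3.1.3); how DKIM avoids the sifting by querying under a prefix (selector._domainkey.domain); and how a crowded apex approaches the 512-byte UDP answer limit. The record contents, the sizes and the domain names are constructed for illustration; the wire-size arithmetic assumes the owner name is already compressed to a 2-byte pointer, which is the normal case in an answer section.

```python
"""Added example, not from the original post. Constructed data throughout."""

# Constructed apex TXT RRset. Each RR is a tuple of character-strings,
# as on the wire; the last RR is one record split across two strings.
APEX_TXT = [
    ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",),
    ("google-site-verification=abc123",),
    ("MS=ms12345678",),
    ("some-long-record-part-one", "part-two"),
]

DNS_HEADER_BYTES = 12
UDP_LIMIT = 512           # RFC 1035 limit without EDNS0


def txt_rdata_to_str(strings):
    """RFC 4408 3.1.3: the record text is the concatenation of all
    character-strings in the RR, in order, with nothing added between them."""
    for s in strings:
        if len(s.encode()) > 255:
            raise ValueError("character-string exceeds 255 bytes")
    return "".join(strings)


def select_spf(txt_rrset):
    """Pick the SPF record out of an apex TXT RRset, RFC 4408 4.5 style:
    keep only records that begin with exactly 'v=spf1' (followed by a
    space or end of record); none -> None; more than one -> PermError."""
    matches = []
    for rr in txt_rrset:
        text = txt_rdata_to_str(rr)
        if text == "v=spf1" or text.startswith("v=spf1 "):
            matches.append(text)
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("PermError: multiple v=spf1 records at apex")
    return matches[0]


def dkim_query_name(selector, domain):
    """DKIM keeps its data off the apex: the receiver asks for a specific
    name, so the answer contains only DKIM records and nothing needs sifting."""
    return f"{selector}._domainkey.{domain}"


def wire_name_size(name):
    """Uncompressed wire size of a domain name: one length byte per label
    plus the label, then the terminating zero-length root label."""
    return sum(1 + len(label.encode()) for label in name.rstrip(".").split(".")) + 1


def question_size(name):
    """QNAME + QTYPE (2) + QCLASS (2)."""
    return wire_name_size(name) + 4


def rrset_wire_size(txt_rrset):
    """Estimated answer-section bytes for a TXT RRset. Per RR: owner name as
    a 2-byte compression pointer, TYPE 2, CLASS 2, TTL 4, RDLENGTH 2, then
    RDATA = sum(1 + len(s)) over the RR's character-strings."""
    total = 0
    for rr in txt_rrset:
        rdata = sum(1 + len(s.encode()) for s in rr)
        total += 2 + 2 + 2 + 4 + 2 + rdata
    return total


def udp_fits(name, txt_rrset, limit=UDP_LIMIT):
    """Would the whole TXT RRset for this name fit in one classic UDP answer?"""
    return DNS_HEADER_BYTES + question_size(name) + rrset_wire_size(txt_rrset) <= limit


# Constructed: the same apex after twenty more third-party verification
# tokens accumulate, each irrelevant to SPF but returned on every lookup.
CROWDED_TXT = APEX_TXT + [
    (f"verification-token-{i:02d}=" + "x" * 40,) for i in range(20)
]

if __name__ == "__main__":
    print("SPF record:", select_spf(APEX_TXT))
    print("DKIM query:", dkim_query_name("mail", "example.com"))
    print("apex TXT bytes:", rrset_wire_size(APEX_TXT),
          "fits in 512:", udp_fits("example.com", APEX_TXT))
    print("crowded TXT bytes:", rrset_wire_size(CROWDED_TXT),
          "fits in 512:", udp_fits("example.com", CROWDED_TXT))
```

Running it shows the asymmetry the post describes: the SPF-using receiver pays for every unrelated TXT record at the apex (and, once the RRset outgrows 512 bytes without EDNS0, for a truncated answer and a TCP retry), while a DKIM verifier asking for mail._domainkey.example.com gets back only what it asked for. A type-99 SPF lookup would give the same clean answer, which is the argument the DNS side made; the operational reality in the post is that receivers query TXT anyway, so the TXT copy is the one that matters.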