On Tue 22/Nov/2022 16:41:44 +0100 Todd Herr via mailop wrote:
> On Mon, Nov 21, 2022 at 2:00 PM Taejoong (tijay) Chung via mailop wrote:
>
>> The Sender Policy Framework (SPF) is an easy way to check whether the
>> sender is authorized to send emails – however, it may cause some security
>> holes if it causes too many DNS lookups.
>>
>> Together with researchers from Virginia Tech and Max-Planck-Institut für
>> Informatik, we would like to understand which challenges operators face
>> when configuring the proper limit of DNS queries for SPF lookups and when
>> deploying other email security protocols.
>
> I'm not quite sure I understand the premise behind the survey, and since I
> don't manage email for any domain, I can't realistically take part in the
> survey to learn the premise, so I'll try here.
>
> The proper limit of DNS queries for SPF lookups is ten, per RFC 7208, and
> *should* be baked into any code library used by an operator that is doing
> SPF validation on inbound mail, so I don't see them facing challenges here.

On my MTA the (default) limit is 20. That looks consistent with Postel's principle.

> On the other hand, staying under the limit of ten for domains publishing
> SPF records can be quite a challenge for complex organizations using
> multiple services to send their email, and while there are known ways to
> skin that cat, there isn't a universally adopted method for doing so.
>
> Is the survey investigating problems faced by operators doing SPF
> validation or operators publishing SPF records or both?


While we wait for Tijay's reply, let me anticipate that he works on a "DNSSECFixer" project, which leverages machine learning techniques to automatically fix incorrectly configured and insecure domains.[*]

As one of the few who took part in the survey, my guess is that it aims at a bird's eye view of email operators' involvement in the configuration of security features available in SMTP servers. Correct?

As the survey asks for the domain name where such features are configured, I understand that that might sound as intelligence gathering for a targeted attack. However, I don't reckon the survey collects any sensitive data.


Best
Ale
--

[*] https://cs.vt.edu/research/research-areas/security.html
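
The lookup limit discussed in this thread, as an added example that is not part of any poster's message: a worst-case counter for the DNS-querying SPF terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) that RFC 7208 section 4.6.4 caps at ten, compared against the limits of 10 and 20 mentioned above. The domains and records in `ZONE` are constructed and stand in for live DNS; the per-`mx`/`ptr` sub-lookup caps and the void-lookup limit are not modelled.

```python
# Constructed TXT data (hypothetical domains) so the example runs offline.
ZONE = {
    "example.org": "v=spf1 mx a include:_spf.mail.example "
                   "include:_spf.crm.example include:_spf.news.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example "
                         "include:_b.mail.example include:_c.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx:crm.example "
                        "exists:%{i}.bl.crm.example ~all",
    "_spf.news.example": "v=spf1 include:_spf.mail.example ip4:203.0.113.7 -all",
    "small.example": "v=spf1 ip4:192.0.2.10 mx -all",
}

LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, zone=ZONE, _path=()):
    """Count DNS-querying terms for `domain`, assuming no mechanism matches early."""
    if domain in _path:
        raise ValueError(f"include/redirect loop at {domain}")
    total = 0
    for term in zone.get(domain, "").split()[1:]:      # skip "v=spf1"
        term = term.lstrip("+-~?")                      # drop the qualifier
        sep = "=" if term.lower().startswith("redirect=") else ":"
        name, _, arg = term.partition(sep)
        name = name.split("/")[0].lower()               # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue                                    # all, ip4, ip6, exp=...
        total += 1
        if name in ("include", "redirect") and arg:
            # Nested records are charged against the same budget.
            total += count_lookups(arg, zone, _path + (domain,))
    return total


def exceeds(domain, limit=LIMIT, zone=ZONE):
    """True if a validator enforcing `limit` would return permerror (worst case)."""
    return count_lookups(domain, zone) > limit


if __name__ == "__main__":
    for d in ("example.org", "small.example"):
        n = count_lookups(d)
        print(f"{d}: {n} lookups, over 10: {exceeds(d)}, over 20: {exceeds(d, 20)}")
```

The constructed `example.org` record shows how three sending services with nested includes pass a validator configured with a limit of 20 but yield permerror on one enforcing ten.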






_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
