On Jan 24, 2012 at 10:36 -0500, Scott Kitterman wrote:

=>* Updated the r= definition to only use localparts and append the SPF domain.

How will this work for sites that publish "null" SPF records
(<http://www.openspf.net/FAQ/Common_mistakes#all-domains>)? By publishing a "null" SPF record the domain part is not supposed to be used for email. But if the site wanted to get reports for attempts to use that domain, how would they? Sending to <localpart-addr>@<non-mail-domain> won't work.

Similar issue with "HELO" SPF records
(<http://www.openspf.net/FAQ/Common_mistakes#helo>).

For example with the following DNS/SPF records:
(I hope I don't have any errors below. :)

example.com          TXT "v=spf1 ip4:192.168.1.25 ip4:192.168.1.81 -all r=postmaster"
                     MX  10 mail.example.com
mail.example.com     A   192.168.1.25
                     TXT "v=spf1 -a -all r=postmaster"
www.example.com      A   192.168.1.80
                     TXT "v=spf1 -all r=postmaster"
websrv1.example.com  A   192.168.1.81
                     TXT "v=spf1 -a -all r=postmaster"

Example 1: A message is sent from mail.example.com's IP address.
  (connection source IP is from 192.168.1.25)
  HELO mail.example.com         --> SPF HELO check = Pass
  MAIL FROM:<[email protected]>  --> SPF MAIL FROM check = Pass
  No report generated.

Example 2: A message sent from their web server.
  (www.example.com IP is a virtual interface on the "websrv1" box.)
  (connection source IP is from 192.168.1.81)
  HELO websrv1.example.com      --> SPF HELO check = Pass
  MAIL FROM:<[email protected]>  --> SPF MAIL FROM check = Pass
  No report generated.

Example 3: A message sent from a system not authorized
  (connection source IP is from 172.16.1.100)
  HELO mail.example.com         --> SPF HELO check = Fail
  A report should be created (if I understand the concept of this draft) with r=postmaster for the mail.example.com SPF record being sent to <[email protected]>. But mail.example.com is not used as a domain for mail delivery. No MX record; in this case the A record is listening on port 25 but is not configured to accept mail for messages addressed to @mail.example.com.

Example 4: A message sent from a system not authorized
  (connection source IP is from 172.16.1.100)
  HELO dsl-100.1.16.172.big-isp.example.net  --> no SPF published = Pass
  MAIL FROM:<[email protected]>               --> SPF MAIL FROM check = Fail
  As with example 3, sending a report to <[email protected]> won't work. No MX record and the A record is not even listening on port 25.

Do the last two examples make sense or am I missing something?

==
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
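
The deliverability question raised in the message above, as an added example that is not part of the original post or of the draft: it derives the report address (r= localpart plus the SPF domain) for each record and labels whether that domain looks able to receive mail. The zone dictionary is constructed from the records in the message; the function names and labels are hypothetical, and no DNS lookups or port 25 probes are made.

```python
import re

# Constructed zone, transcribed from the DNS/SPF records in the message above.
ZONE = {
    "example.com": {
        "TXT": "v=spf1 ip4:192.168.1.25 ip4:192.168.1.81 -all r=postmaster",
        "MX": ["mail.example.com"], "A": []},
    "mail.example.com": {
        "TXT": "v=spf1 -a -all r=postmaster", "MX": [], "A": ["192.168.1.25"]},
    "www.example.com": {
        "TXT": "v=spf1 -all r=postmaster", "MX": [], "A": ["192.168.1.80"]},
    "websrv1.example.com": {
        "TXT": "v=spf1 -a -all r=postmaster", "MX": [], "A": ["192.168.1.81"]},
}

def report_address(domain, spf):
    """Join the r= localpart with the domain whose SPF record was evaluated."""
    m = re.search(r"(?:^|\s)r=(\S+)", spf)
    return f"{m.group(1)}@{domain}" if m else None

def is_null_spf(spf):
    """True when the only mechanism is -all (modifiers, which contain '=', are ignored)."""
    mechanisms = [t for t in spf.split()[1:] if "=" not in t]
    return mechanisms == ["-all"]

def audit(zone):
    """Map each domain with an r= modifier to (report address, deliverability label)."""
    findings = {}
    for domain, rr in zone.items():
        addr = report_address(domain, rr["TXT"])
        if addr is None:
            continue
        if is_null_spf(rr["TXT"]):
            label = "null-spf"   # domain is declared as never sending mail
        elif rr["MX"]:
            label = "mx"         # a mail exchanger is published
        else:
            label = "no-mx"      # SMTP falls back to the A record host, which may refuse
        findings[domain] = (addr, label)
    return findings

if __name__ == "__main__":
    for domain, (addr, label) in audit(ZONE).items():
        print(f"{domain:22} report to {addr:32} {label}")
```

Only example.com comes back labelled "mx"; the HELO and null-record names get report addresses at domains that publish no MX, which is the case Examples 3 and 4 describe.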
