Dominik George wrote:
> if i would be you i would *not* use "v=spf1 mx ~all"
> here you go for ipv6
>
> http://www.openspf.org/SPF_Record_Syntax#ip6
>
> Jeez, I don't believe it. The problem is that the mx mechanism simply
> only enumerates A records of MXs. That's broken ...

Wietse wrote:
> That's retarded. I wonder how many sites have been bitten by that bug.

Joni wrote:
> The only place I've seen this problem with the lookup of IPv6 addresses via
> the 'mx' construct in SPF records was Gmail, which was resolved, and
> recently some small local operator who kept insisting that the problem was
> on our side until the evidence was so overwhelmingly pointing to his own
> setup that he could no longer ignore it.
>
> He made the same claim, however, but never backed it up. How are you
> reaching your conclusion?
>
> Because this only mentions A records and IPv4 prefixes?
> http://www.openspf.org/SPF_Record_Syntax#mx

That http://www.openspf.org/SPF_Record_Syntax wiki page is wrong,
or misleading in the least. The SPF specification in RFC 4408
does not fall into this trap, it talks about a (generic) <ip> address.

Some excerpts from RFC 4408:

   When any mechanism fetches host addresses to compare with <ip>, when
   <ip> is an IPv4 address, A records are fetched, when <ip> is an IPv6
   address, AAAA records are fetched.

5.3. "a"

   This mechanism matches if <ip> is one of the <target-name>'s IP
   addresses.

   A = "a" [ ":" domain-spec ] [ dual-cidr-length ]

   An address lookup is done on the <target-name>. The <ip> is compared
   to the returned address(es). If any address matches, the mechanism
   matches.

5.4. "mx"

   This mechanism matches if <ip> is one of the MX hosts for a domain
   name.

   MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]

   check_host() first performs an MX lookup on the <target-name>. Then
   it performs an address lookup on each MX name returned. The <ip> is
   compared to each returned IP address. [...]

   dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]

Mark
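
Added example, not part of the thread and not code from any SPF implementation: a sketch of the "mx" evaluation from the RFC 4408 excerpts above, next to the A-only behaviour the thread argues about. The zone data, the stub resolver lookup() and the function names are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample zone data (assumption): one dual-stack MX for example.org.
ZONE = {
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("mail.example.org", "AAAA"): ["2001:db8::25"],
}

def lookup(name, rrtype):
    """Hypothetical stub resolver backed by ZONE; a real one would query DNS."""
    return ZONE.get((name, rrtype), [])

def mx_matches(ip, domain, ip4_cidr=32, ip6_cidr=128, family_aware=True):
    """RFC 4408 section 5.4: MX lookup, then an address lookup on each MX name.

    family_aware=True fetches A for an IPv4 <ip> and AAAA for an IPv6 <ip>,
    as the RFC text requires. family_aware=False models the A-only reading
    discussed in the thread.
    """
    ip = ipaddress.ip_address(ip)
    if ip.version == 6 and family_aware:
        rrtype, prefix = "AAAA", ip6_cidr
    else:
        rrtype, prefix = "A", ip4_cidr
    for mx_host in lookup(domain, "MX")[:10]:  # RFC 4408: at most 10 MX names
        for addr in lookup(mx_host, rrtype):
            addr = ipaddress.ip_address(addr)
            if addr.version != ip.version:
                continue  # an A record can never match an IPv6 <ip>
            # dual-cidr-length: compare only the leading prefix bits
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            if ip in net:
                return True
    return False

def evaluate_mx_softfail(ip, domain, **kw):
    """Result of the thread's record "v=spf1 mx ~all" for a connecting <ip>."""
    return "pass" if mx_matches(ip, domain, **kw) else "softfail"

if __name__ == "__main__":
    for aware in (True, False):
        print(aware, evaluate_mx_softfail("2001:db8::25", "example.org",
                                          family_aware=aware))
```

With the A-only lookup, mail sent over IPv6 from the domain's own MX drops to softfail even though the record is correct, which is why testing a published "mx" record from both address families is worthwhile.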