Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: Discuss

Re: Digest 1.1306 for spf-discuss

  

 
SPF discuss RSS feed   Index | Next | Previous | View Threaded


spfdiscuss at alandoherty

Jan 22, 2009, 11:46 AM

Post #1 of 3 (1087 views)
Permalink
Re: Digest 1.1306 for spf-discuss
stuart wrote:

>On Wed, 21 Jan 2009, alan wrote:
>
>> >several have commented with all the v1 and v2 records in place and now a v3 on top
>> >will add too much byteweight to the response to a query for UDP to handle efficiently {or at all in some cases}
>> >
>> >this is a serious issue {was my problem with spf originally as it broke my standard of adding txt and rp records to most hosts
>> >{now just rp pointing to a txt container}
>> >
>> >so should we be considering a standard sub-zone for spf going forward?
>>
>> no its simpler to fix than that
>> just recommend anyone doing more than 1 form of spf and/or sender-id remembers about the issue and divides his records(s) appropriately
>> like thus
>>
>> domain.tld IN SPF "v=spf1 redirect=_spf1.%{o}"
>> domain.tld IN SPF "v=spf3 redirect=_spf3.%{o}"
>>
>> domain.tld IN TXT "v=spf1 redirect=_spf1.%{o}"
>> domain.tld IN TXT "spf2.0/mfrom,pra redirect=_spf2.%{o}"
>> domain.tld IN TXT "v=spf3 redirect=_spf3.%{o}"
>
>That puts all that TXT data into a UDP packet - thus the "byteweight" problem.
>One suggesting that *would* help is the standard subdomain:
>
>_spf.domain.tld IN SPF "v=spf3 ..."

no you mis-understand i was countering my own standard sub-domain argument with redirects as the solution
the 3 redirects to 3 separate {standard or entirly up to the user} subdomains carry less *byteweight* than an average spf and sender-id record combined

it also means the dns server with no spf at all wouldn't have to deal with the 2x load generated by the addition of a standard sub-domain to spf-clients {assuming they check domain if no spf-found for standard-sub-domain for backwards compatibility and query for both SPF then TXT dns RR's}

this way non spf publishers just see 2 lookups {spf then txt} {as they do now}
spf-publishers publish only redirects in the txt/spf for domain, to their own delegated role sub-domains

when as hoped spf v3 usurps all need for spfv1 and sender-id records. the spf1 and spf2.0 redirects and sub-zones can be dropped

clients read only the highest supported record type out of first query and thus only 1 of the followed sub-zones

and total *byteweight* of the largest record in the zone is only variable by length of sub-zone-name used
in my example about 64 out of of the max payload of 512 was used so plenty of room for spfv4 5 6 which {if we do it right once} hopefully won't happen



>--
>Stuart D. Gathman <stuart [at] bmsi>
>Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
>"Confutatis maledictis, flammis acribus addictis" - background song for
>a Microsoft sponsored "Where do you want to go from here?" commercial



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


stuart at bmsi

Jan 22, 2009, 6:33 PM

Post #2 of 3 (1005 views)
Permalink
Re: Digest 1.1306 for spf-discuss [In reply to]
On Thu, 22 Jan 2009, alan wrote:

> no you mis-understand i was countering my own standard sub-domain argument
> with redirects as the solution the 3 redirects to 3 separate {standard or
> entirly up to the user} subdomains carry less *byteweight* than an average
> spf and sender-id record combined

You are correct. I didn't notice the redirect. Very good compatible solution.
Might be able to make a bind macro or failing that a preprocessor.

The only drawback is that it uses up one of the 10 lookups.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


spfdiscuss at alandoherty

Jan 22, 2009, 9:29 PM

Post #3 of 3 (991 views)
Permalink
Re: Digest 1.1306 for spf-discuss [In reply to]
At 02:33 23/01/2009 Friday, Stuart D. Gathman wrote:
>On Thu, 22 Jan 2009, alan wrote:
>
>> no you mis-understand i was countering my own standard sub-domain argument
>> with redirects as the solution the 3 redirects to 3 separate {standard or
>> entirly up to the user} subdomains carry less *byteweight* than an average
>> spf and sender-id record combined
>
>You are correct. I didn't notice the redirect. Very good compatible solution.
>Might be able to make a bind macro or failing that a preprocessor.
>
>The only drawback is that it uses up one of the 10 lookups.

true but most would rather waste 1 on a careful redirect than kill future proofing

bonus of redirects for me is simply stick a %{o}. before the subdomain
and you have per user spf records

with either just records for exceptional users and a generic domain wide one under
*.sub.domain
or as i prefer
user1.sub.domain TXT "v=spf1 a:mail.domain -all"
user2
user3
*.sub.domain TXT "v=spf1 -all" << the case i would love to add an extra return code to spf3
for doesn't-exist {as in not fails{forged}
spf but just plain doesn't exist at all{invalid}}

where user1-x are all your valid users
{though if publishing sender-id on per user you must remember to also add postmaster@ and Mailer-Daemon@}
as these will be legit from's in any DSN's


I'm personally pro even firming things up in spf3 that say first record for a domain must be a redirect
{and make lookups allowed +1}
(thus current clients {at least ones already talking sfp1 and sender-id} adding support initially is easy{ish}, but enforcing the redirect can be added in later}

and still hoping for the alternative to -all {for use when only prior records have been redirects}
{or for clients to report a -all when all previous records have only been redirects} as an extra return code "invalid-address/helo"

as currently the receiver cannot tell these failures from users choosing to send mail from a source not listed in BIGISP-WITH-BAD-SPF's servers

I'd like to kill forgeries dead
{and follow receiving users preference for the other {most users choose to recieve{tagged} SPF failing mail} as a still significant amount of good mail is failing spf, guessing broken/outdated spf records for many}

>--
> Stuart D. Gathman <stuart [at] bmsi>
> Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
>"Confutatis maledictis, flammis acribus addictis" - background song for
>a Microsoft sponsored "Where do you want to go from here?" commercial.
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org
>Modify Your Subscription: http://www.listbox.com/member/
>Archives: https://www.listbox.com/member/archive/735/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/735/
>Powered by Listbox: http://www.listbox.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

SPF discuss RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.