Re: [spfbis] [dmarc-ietf] SPF doesn't accommodate third level .name domains?
william@leibzon.org Fri, 03 June 2022 20:57 UTC
Return-Path: <william@leibzon.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2692C14F740 for <spfbis@ietfa.amsl.com>; Fri, 3 Jun 2022 13:57:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.925
X-Spam-Level:
X-Spam-Status: No, score=-6.925 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3koWkkwOTLxo for <spfbis@ietfa.amsl.com>; Fri, 3 Jun 2022 13:57:12 -0700 (PDT)
Received: from relay4.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B30B5C14F747 for <spfbis@ietf.org>; Fri, 3 Jun 2022 13:56:43 -0700 (PDT)
Received: from omf03.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 0A838209E5; Fri, 3 Jun 2022 20:56:42 +0000 (UTC)
Received: from [HIDDEN] (Authenticated sender: william@leibzon.org) by omf03.hostedemail.com (Postfix) with ESMTPA id 8B6ED6000C; Fri, 3 Jun 2022 20:56:41 +0000 (UTC)
MIME-Version: 1.0
Date: Fri, 03 Jun 2022 13:56:41 -0700
From: william@leibzon.org
To: spfbis@ietf.org
Cc: dw@thedave.ca, John Levine <johnl@taugh.com>
In-Reply-To: <20220603200204.3442942E787F@ary.qy>
References: <20220603200204.3442942E787F@ary.qy>
Message-ID: <1d278d13a8520bd82ae8b3166a3a3613@leibzon.org>
X-Sender: william@leibzon.org
Content-Type: multipart/alternative; boundary="=_90904d2cd53a07e66e8bb2123e4641f9"
X-Rspamd-Server: rspamout05
X-Rspamd-Queue-Id: 8B6ED6000C
X-Stat-Signature: h6zxaaqqkmgtswp5o383ymbnhkkwpzgg
X-Session-Marker: 77696C6C69616D406C6569627A6F6E2E6F7267
X-Session-ID: U2FsdGVkX18c/OwW82V0tUbqfbqndiITJJ6Lm2UdoAY=
X-HE-Tag: 1654289801-503442
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/PIHi83UWxpNYkd7IfuICfRhD_JA>
Subject: Re: [spfbis] [dmarc-ietf] SPF doesn't accommodate third level .name domains?
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2022 20:57:16 -0000
While _spf suffix is cleaner and good practice it is not even necessary.
It would be enough to just have:
bustos.name. IN TXT "v=spf1 include:%{l}.bustos.name ?all
Seems to me users should be responsible for maintaining their SPF
records under .name subdomains which this person does:
;; ANSWER SECTION:
david.bustos.name. 3600 IN TXT "v=spf1
include:spf.messagingengine.com ?all"
And .name could potentially even do it using a single catch-all TXT
record at .name root (I think it would work, correct me if not):
*.name. IN TXT "v=spf1 include:%{l}.%{o} ?all"
I doubt .name wants it universally for all its subdomains though.
To be fair, this is hardly the first time someone finds that when they
use another email provider for reading and sending emails but have a
forwarded email address, they may have issues. Google had allowed it for
a long time but recently changed it so that when you use them for email
and want to reply back from another (forwarded) email address, you must
provide google the SMTP server authentication information for your email
provider and they then forward email through them first. One of the
reasons may have been that many people did not have SPF records that
included google servers.
On 2022-06-03 13:02, John Levine wrote:
> [[ replies once again directed to spfbis ]]
>
>> SPF should be able to handle this situation using macros anyway:
>>
>> bustos.name. IN TXT "v=spf1 include:%{l}._spf.bustos.name -all"
>> david._spf.bustos.name. IN TXT "v=spf1
>> redirect=david's-email-provider"
>
> Except, as we may have mentioned a few times, the .name ICANN contract
> has no provision for adding SPF records like this. The registry only
> forwards incoming mail. It doesn't handle outgoing mail.
>
> Since they've been forwarding incoming .name mail for 20 years, and
> this is the first
> time we've seen a complaint about outgoing .name mail, perhaps this is
> not a problem
> that needs solving.
>
> If David used david@david.bustos.name, the domain would point to his
> own nameservers
> and he can do whatever SPF, DKIM, or DMARC he wants. Or if it wants a
> 2LD, he could
> get davidbustos.name and manage the NS. What you can't do is manage
> the NS on a .name
> 2LD which is a last name.
>
> R's,
> John
>
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis