On Fri, Nov 17, 2006 at 09:33:52PM -0400, Marc G. Fournier wrote:
> > client end_. So they don't affect you, but they cause a lot of
> > processing by someone else.
>
> But isn't that only if the receiving end has implemented an SPF policy? SPF
> records aren't even checked if postfix (or the other MTAs) are configured to
> check for it ... no?
That's the point. If Doug Otis is right, by _you implementing_ SPF,
you become the potential source for a large-multiple amplification
DoS attack, on someone who is checking SPF. If your response is,
"Well, they shouldn't check SPF then," my question is then, "So why
put the record in DNS?"
In any case, SPF is _experimental_. Experimental protocols are
released that way because there is significant suggestion in the
community that the protocol might actually be harmful to the
Internet.
> 'lack of a clue' seems to be a bad reason to not use SPF, no?
No. The DNS is a distributed database used by everyone on the
Internet, the users of which you don't even know and cannot be sure
you can learn about. If there is any place at all to be conservative
in what you send, it's the DNS.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
If they don't do anything, we don't need their acronym.
--Josh Hamilton, on the US FEMA
