Re: [Exim] exiscan-acl-4.24-22 - SPF support

Author: David Woodhouse
To: Mike Meredith
CC: exim-users
Subject: Re: [Exim] exiscan-acl-4.24-22 - SPF support
On Thu, 2004-05-27 at 13:49 +0100, Mike Meredith wrote:
> On Wed, 26 May 2004 17:43:38 +0100, David Woodhouse wrote:
> > On Wed, 2004-05-26 at 16:48 +0100, Tim Jackson wrote:
> > > SPF is an utterly stupid, broken idea. The only conceivable use I can
> > > see of SPFv1 is to publish records saying "this domain does not send
> > > mail, ever".
> >
> > Which, if we're going to have to change the way the whole world works
> > anyway, can be far better achieved by removing the old hack to look at A
> > records if there are no MX records.
> Surely getting rid of fallback to A records cures an entirely different
> problem? A "-all" record says don't accept mail from this domain; removing
> an MX record (without fallback to A records) says don't deliver mail to this
> domain.

Some people will accept _any_ crap you send to them. Those with a
modicum of clue will refuse to accept mail from a domain to which they
cannot send bounces -- so saying "don't deliver mail to this domain" is,
in the case we care about most, fairly much equivalent to saying "don't
accept mail from this domain".

In a world without fallback to A records, setting up the DNS without an
MX record for the domain in question would cause even a simple
'require verify=sender' ACL without callouts to fail. That's a
reasonably strong hint to the effect that "this domain does not send
mail, ever".

But yes, an SPF record containing _only_ '-all' is a reasonable enough
way of imparting the same information.

The 'nutters' of whom I speak are those who end an SPF record with
'-all' for any domain which _does_ ever send email.
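
Added example, not part of the original message or of Exim: a small Python model of the two signals compared above, namely whether a sender domain can still be routed to once the fallback from MX to A records is removed, and whether its SPF record consists only of '-all'. The zone data, the example domains and all function names are constructed for illustration, and `sender_verifies` is only a rough stand-in for a 'require verify=sender' ACL without callouts.

```python
# Constructed DNS data for illustration; no real lookups are performed.
ZONE = {
    "sends.example":    {"MX": ["mail.sends.example"], "A": ["192.0.2.10"],
                         "TXT": ["v=spf1 mx -all"]},
    "web-only.example": {"MX": [], "A": ["192.0.2.20"], "TXT": []},
    "parked.example":   {"MX": [], "A": ["192.0.2.30"], "TXT": ["v=spf1 -all"]},
    "nothing.example":  {"MX": [], "A": [], "TXT": []},
}

def mail_hosts(domain, a_fallback=True):
    """Hosts a bounce to `domain` would be routed to; an empty list means unroutable."""
    rec = ZONE.get(domain, {})
    if rec.get("MX"):
        return list(rec["MX"])
    # Implicit MX rule: with no MX records, the domain's own A record is used.
    if a_fallback and rec.get("A"):
        return [domain]
    return []

def sender_verifies(domain, a_fallback=True):
    """Rough model of sender verification without callouts: is the domain routable?"""
    return bool(mail_hosts(domain, a_fallback))

def spf_terms(domain):
    """Terms of the domain's SPF record after 'v=spf1', or None if it publishes none."""
    for txt in ZONE.get(domain, {}).get("TXT", []):
        parts = txt.split()
        if parts and parts[0].lower() == "v=spf1":
            return [p.lower() for p in parts[1:]]
    return None

def spf_says_never_sends(domain):
    """True only when the SPF record contains '-all' and nothing else."""
    return spf_terms(domain) == ["-all"]

def summary():
    """One row per domain: (verifies with fallback, verifies without, SPF is only '-all')."""
    return {d: (sender_verifies(d, True), sender_verifies(d, False),
                spf_says_never_sends(d)) for d in ZONE}

if __name__ == "__main__":
    for domain, row in summary().items():
        print(f"{domain:18} fallback={row[0]!s:5} no_fallback={row[1]!s:5} spf_only_all={row[2]}")
```

For the constructed `parked.example`, both signals agree once the fallback is gone: the sender no longer verifies, and the SPF record says the same thing.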