It’s DNS Jim, but not as we know it
by Andrew Macpherson on Jun.09, 2009, under E-Mail hosting, Operations, SPF the Sender Policy Framework
Shortcuts make life easier for us. For administrators configuring DNS there is a great shortcut which tells the program reading the zone where it is. This lets the administrator leave off the domain part of the thing they’re configuring.
OK that sounds complicated, so let’s give an example – if in a DNS file I were to write
$ORIGIN X.com.
then a few lines later I can say “mail” and “mail.X.com.” will be understood. Well and good, though often a source of problems when someone leaves off a terminating ‘.’ and gets the domain added on where they were not expecting it.
SPF also has a chance to get messed up here. Today’s gem was a record with
"v=spf1 mx a:ironport a:sandberg"
which makes one think the administrator setting it up was expecting that shorthand to apply to those ‘a:’ elements. It’s not clear what they thought they were doing for non-matching source addresses, as they left off a closure element.
"v=spf1 mx a:ironport.X.com a:sandberg.X.com -all"
was of course what they meant, but the software isn’t meant to follow inferences; rather, it fails their SPF validation with a permanent error.
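A pre-publication check for this mistake, as an added example that is not part of the original post: it flags bare-label domains in SPF mechanisms (the zone's $ORIGIN is never applied inside the TXT string) and a missing closing element. The names `lint_spf` and `unqualified` are hypothetical, and the two sample records are the ones quoted above.

```python
import re

# Mechanisms that can take an explicit domain after ":" (RFC 7208, section 5).
DOMAIN_MECHS = {"a", "mx", "include", "exists", "ptr"}
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=(.*)$")

def unqualified(domain):
    """True for a bare label such as 'ironport'; macro strings are skipped."""
    return "%" not in domain and "." not in domain.rstrip(".")

def lint_spf(txt):
    """Return a list of problems found in one SPF TXT string."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: missing v=spf1"]
    problems, has_default = [], False
    for term in terms[1:]:
        mod = MODIFIER.match(term)
        if mod:  # modifier, e.g. redirect=<domain>
            if mod.group(1).lower() == "redirect":
                has_default = True
                if unqualified(mod.group(2)):
                    problems.append(f"{term}: redirect target is not fully qualified")
            continue
        body = term[1:] if term[0] in "+-~?" else term  # drop the qualifier
        name, sep, arg = body.partition(":")
        name = name.partition("/")[0].lower()           # "a/24" -> "a"
        if name == "all":
            has_default = True
        elif name in DOMAIN_MECHS and sep:
            domain = arg.partition("/")[0]              # drop any CIDR suffix
            if unqualified(domain):
                problems.append(
                    f"{term}: '{domain}' is not fully qualified; "
                    "$ORIGIN is not applied inside SPF text")
    if not has_default:
        problems.append("no 'all' mechanism or redirect= modifier closes the record")
    return problems

if __name__ == "__main__":
    # The two records quoted in the post.
    for rec in ('"v=spf1 mx a:ironport a:sandberg"',
                '"v=spf1 mx a:ironport.X.com a:sandberg.X.com -all"'):
        print(rec, "->", lint_spf(rec) or "OK")
```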