On 22.10.2015 at 00:08, Bill Cole wrote:
I don't believe so and there's no reason to. CNAME records trump all DNS
record types for a name so it may be usually unwise to have a CNAME
record for a name that is used in email address domain parts, but it
isn't inherently wrong.
A name which is resolved by a CNAME record to a canonical name is
forbidden as the result in MX and NS records to prevent resolution
loops. That rationally SHOULD be banned for CNAME records as well, but
we're decades past the time to argue that.
On 22.10.15 00:19, Reindl Harald wrote:
no it should NOT
otherwise you would not be able to set a SPF-record for your CNAMES
and "reject_unknown_sender_domain" won't hit for a forged subdomain
because it exists - so SPF *must* work for CNAMES or the whole
intention for HELO SPF would not work
I don't get this. HELO must be a canonical name, so it must not be a CNAME.
Thus, there's no need to follow CNAMEs in SPF when checking for HELO.
When you check HELO, the CNAME should be treated as an error.
- a wise DNS/SPF setup has
"v=spf1 -all" for any A-record not used for email and so any CNAME
pointing to that A-record has the same SPF result with no holes to
abuse
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
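
An added example, not part of the thread: a small offline audit over a constructed zone that shows the two points discussed above. A TXT/SPF lookup for an alias returns the SPF record of the CNAME target, and MX or NS targets that are aliases get flagged. All names under example.test, the addresses, and the function names are assumptions made for illustration.

```python
# Constructed sample zone (not from the thread): name -> {record type: [values]}.
# MX values are reduced to the target name; preferences are omitted.
ZONE = {
    "example.test":      {"MX": ["mail.example.test", "mx2.example.test"],
                          "TXT": ["v=spf1 mx -all"]},
    "mail.example.test": {"A": ["192.0.2.10"], "TXT": ["v=spf1 a -all"]},
    "web1.example.test": {"A": ["192.0.2.20"], "TXT": ["v=spf1 -all"]},  # not used for mail
    "www.example.test":  {"CNAME": ["web1.example.test"]},
    "mx2.example.test":  {"CNAME": ["mail.example.test"]},
    "db1.example.test":  {"A": ["192.0.2.30"]},                          # no SPF at all
}

def canonical(zone, name, limit=8):
    """Follow CNAMEs as a resolver would; return (canonical name, chain)."""
    chain = [name]
    while "CNAME" in zone.get(name, {}):
        name = zone[name]["CNAME"][0]
        if name in chain or len(chain) >= limit:
            raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain + [name]))
        chain.append(name)
    return name, chain

def spf_policy(zone, name):
    """SPF record a TXT query for `name` yields once CNAMEs are followed.
    None when there is no record or more than one (permerror in RFC 7208)."""
    target, _ = canonical(zone, name)
    txt = zone.get(target, {}).get("TXT", [])
    spf = [t for t in txt if t.lower().split(" ")[0] == "v=spf1"]
    return spf[0] if len(spf) == 1 else None

def audit(zone):
    """Return (name, finding) pairs for alias MX/NS targets and hosts without SPF."""
    findings = []
    for name, rrs in sorted(zone.items()):
        for rtype in ("MX", "NS"):
            for target in rrs.get(rtype, []):
                if "CNAME" in zone.get(target, {}):
                    findings.append((name, f"{rtype} target {target} is a CNAME"))
        if ("A" in rrs or "CNAME" in rrs) and spf_policy(zone, name) is None:
            findings.append((name, "no usable SPF record (result none or permerror)"))
    return findings

if __name__ == "__main__":
    for alias in ("www.example.test", "mx2.example.test"):
        print(alias, "->", canonical(ZONE, alias)[0], "|", spf_policy(ZONE, alias))
    for name, finding in audit(ZONE):
        print("FINDING", name, finding)
```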