Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
Well, much of the migration criteria has been "not worse than". https://www.wiki.balug.org/wiki/doku.php?id=balug:mail_and_lists ... much to be improved, but fair bit of that will come later. First of all, for the lists, the sending domain is temp.balug.org, not balug.org.
I see no reason why you couldn't declare an SPF RR for a subdomain. I've just never to date had a need to do so, on my systems.
If you need to say 'trust the A host, the MX host, and this list of additional IPs', that can be done trivially, too. From memory, you include something like 'ipv4:66.33.216.72'.
Frankly, I'd not bother declaring specific SPF RRs for subdomains. KISS. Have a single txt record for the domain, and just put everything in it that is necessary to include all SMTP senders you wish to authorise, including both mailing list locations.
It's really not difficult.
Will probably add the SPF & TXT records to lists.balug.org. once that gets moved over.
No, for the love of ghod, no.
First of all, nobody uses the dedicated SPF RR. Everyone uses TXT. The dedicated RR was a nonstarter.
Second, you don't need friggin' multiple records. Just the one. And there's no conceivable reason not to do it now.
I mean, why delay? Are you saying we don't know what the authorised sending SMTP hosts are (the ones we want to declare authorised) for domain balug.org? Is it a mystery? (Note: Hypothetical Dreamhost changes are addressed below.) Is there some presently unknown MTA in the South Seas that we wish to be able to believably forge balug.org as a sending domain going forward?
No? Then we should have an SPF RR for the domain. Now.
Add one line to the zonefile, roll the S/N, reload the zone, done.
Also, for a lot of such stuff, before it's moved over, trying to "fix"/improve is about double (or more) work, as it has to be done in two places.
And since I can't control all of what DreamHost.com does, making some changes there also risks possibly causing severe breakage.
No, it doesn't. If you're worried about Dreamhost suddenly and in the near future moving where its authorised SMTP sender is for lists.balug.org to a new IP, you can use the SPF RR "include" directive to incorporate _their_ SPF RR by reference.
include:dreamhost.com
http://www.openspf.org/SPF_Record_Syntax
And yes, I did check to verify that they have such an RR.
:r! dig -t txt dreamhost.com +short
"MS=ms82701515"
"v=spf1 ip4:62.229.62.0/24 ip4:69.64.144.0/20 ip4:98.124.192.0/18 ip4:66.33.206.0/24 ip4:66.33.195.34 ip4:208.113.189.254 ip4:208.113.200.0/24 ip4:66.33.216.0/24 ip4:208.97.187.128/25 ip4:64.90.62.0/24 ip4:64.90.63.0/25 ip4:64.90.63.128/26 include:_spf.goo" "gle.com include:relay.mailchannels.net include:sendgrid.net ~ALL"
Notice that they use include options so they can authorise several external senders whose DNS and IP assignments are not under their control.
C'mon, Michael. Sheesh. ;->
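
Added example, not part of the original message: a Python sketch that reads TXT data the way the dig output above has to be read (the quoted character-strings of one RR concatenated with no separator, the unrelated TXT record ignored) and lists the include targets, networks and `all` qualifier, reporting any term that is not a defined SPF mechanism. The sample record, the example.net name and the documentation address ranges are constructed.

```python
import ipaddress
import re

# Mechanism names defined for SPF (RFC 7208); anything else is reported.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def join_txt(rdata):
    """Concatenate the quoted character-strings of one TXT RR, no separator."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def parse_spf(txt_rrs):
    """Summarise the one v=spf1 record found among a name's TXT RRs."""
    found = [t for t in map(join_txt, txt_rrs)
             if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(found)}")
    out = {"include": [], "networks": [], "all": None, "problems": []}
    for term in found[0].split()[1:]:
        if re.match(r"[A-Za-z][\w.-]*=", term):   # modifier such as redirect=
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        value = body.partition(":")[2]
        if name not in MECHANISMS:
            out["problems"].append(term)          # unknown mechanism name
        elif name == "all":
            out["all"] = qualifier
        elif name == "include":
            out["include"].append(value)
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
                out["networks"].append(str(net))
            except ValueError:
                out["problems"].append(term)      # malformed address or prefix
    return out

# Constructed sample in `dig +short` form: one unrelated TXT record, and one
# SPF record split across two character-strings in the middle of a hostname.
SAMPLE_TXT = [
    '"MS=ms00000000"',
    '"v=spf1 a mx ip4:192.0.2.0/24 ipv4:198.51.100.7 include:_spf.exam" "ple.net ~ALL"',
]

if __name__ == "__main__":
    print(parse_spf(SAMPLE_TXT))
```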