Publish an SPF record for scripts.mit.edu / get scripts.mit.edu DNS delegation

[andersk]

According to the ​Messaging Anti-Abuse Working Group, all outgoing email providers should publish ​SPF records for mailing domains. We should try to publish SPF records for scripts.mit.edu and scripts-vhosts.mit.edu.

It is not as easy to publish SPF records (which are DNS TXT records) at MIT as it is elsewhere, and it would be a particular pain if we had to change it frequently, but we have a few options.

• Publish "v=spf1 a:scripts1.mit.edu … a:scripts8.mit.edu -all" and assume it won’t need to change frequently—eight servers will almost certainly last for a long time.
• Ask for DNS delegation for scripts.mit.edu (which would be nice for other reasons, especially if we want to do per-locker load balancing some day).
• Publish "v=spf1 redirect=scripts.sipb.org" or something so we can serve the real record from elsewhere.
• Publish a lame SPF record like "v=spf1 ip4:18.181.0.0/16 -all".

[geofft]

We could also get more IPs now and publish "v=spf1 a:scripts1.mit.edu ... a:scripts16.mit.edu".

But I think I agree that scripts8 should last us for long enough (and updates aren't so hard) that we should just ask for the scripts1-scripts8 SPF record now.

[ezyang]

Also, delegation means we could make www. prefixes automatically work.

[andersk]

Replying to ezyang:

Also, delegation means we could make www. prefixes automatically work.

No, we could do that without delegation. But I don’t think we want to. If you think we do, let’s discuss that elsewhere.