_auth Record Keywords
All words in an _auth record are case-insensitive
helo= A, MX, SPF, or ip4 CIDR blocks (/24) and ranges (216-8)
service= Rating services
method= Authentication methods
option= Optional parameters
Registry Record Syntax and Semantics
& Continuation character, up to 10 additional records, each with a single TXT string < 256 characters, including the & at the end.
=========== Level One Keywords ===========
svc= Rating services
mth= Authentication methods
opt= Optional parameters
ip4= ip4 blocks as ranges (216-8) or CIDR notation (/24)
ip6= ip6 blocks in :: notation
============ mth blocks ==============
mth=SPF+5,DKIM+3 kw+num,kw+num ...
kw = CSV, SPF, SID, or DKIM
num is the maximum number of DNS queries needed to run the method.
============ svc blocks ==============
svc=S1:A,H2:B name:rating,name:rating, ...
Ratings can be a single letter, or an integer up to 3 digits.
Special Names:
X1: The default rating service, based on an average of reports from selected
receivers. Objective data only. This may be modified to factor in total volume,
but anything involving human judgement should be left to the Rating Services.
VX:<ID> Example VX:aol.com
This is a claim that <ID> will vouch for the sender. The claim must be
verified with a query to the vouching ID. If example.org has an authentication
record saying "svc=VX:aol.com", this can be verified with a query to
_vouch.example.org.aol.com.
============ opt blocks ==============
opt=df:3,stop:all,IDlevel:3
df: This is a default record; the value is the ID status, 1..8 (the default, with no df option, is 9)
stop: There are no servers authorized to use this ID.
IDlevel: Authentication and reputation records will be kept at a lower level
under this domain name. Used for .us, .uk and other country codes.
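To make the registry syntax above concrete, here is an added example parser (not code from this page or from any implementation it describes) that joins '&'-continued TXT strings, splits the level-one mth, svc and opt blocks with the checks the text calls for, and builds the _vouch query name for a VX claim. The sample record and the assumption that continued strings are concatenated as-is are constructed for illustration.

```python
import re

# Constructed sample, not from the page: one TXT string per element; '&' means continue.
SAMPLE_TXT = ["svc=S1:A,H2:B,VX:aol.com &",
              "mth=SPF+5,DKIM+3 opt=df:3,IDlevel:3"]
METHODS = {"CSV", "SPF", "SID", "DKIM"}
RATING = re.compile(r"^(?:[A-Za-z]|\d{1,3})$")  # single letter or <= 3 digits

def join_txt(strings, max_extra=10):
    """Strip '&' continuations; assumes the pieces are concatenated as-is."""
    out = []
    for n, s in enumerate(strings):
        if n > max_extra or len(s) >= 256:
            raise ValueError("more than 10 continuations or TXT string >= 256 chars")
        if not s.endswith("&"):
            out.append(s)
            break
        out.append(s[:-1])
    return "".join(out)

def parse_auth(strings):
    rec = {}                                # keyword -> parsed block
    for tok in join_txt(strings).split():
        kw, _, val = tok.partition("=")
        kw = kw.lower()                     # all words are case-insensitive
        if kw == "mth":                     # kw+num, num = max DNS queries
            rec[kw] = {}
            for item in val.split(","):
                name, _, num = item.partition("+")
                if name.upper() not in METHODS or not num.isdigit():
                    raise ValueError("bad mth item: " + item)
                rec[kw][name.upper()] = int(num)
        elif kw == "svc":                   # name:rating, or VX:<ID> vouch claim
            rec[kw] = {}
            for item in val.split(","):
                name, _, rating = item.partition(":")
                if name.upper() != "VX" and not RATING.match(rating):
                    raise ValueError("bad rating: " + item)
                rec[kw][name.upper()] = rating
        elif kw == "opt":                   # e.g. df:3,stop:all,IDlevel:3
            rec[kw] = {k.lower(): v for k, v in (i.split(":", 1) for i in val.split(","))}
        else:                               # ip4=, ip6=: keep the raw list
            rec[kw] = val.split(",")
    return rec

def vouch_query_name(sender, voucher):
    # the name to query to verify a "svc=VX:<voucher>" claim published by sender
    return "_vouch." + sender + "." + voucher
```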
IDstatus = None # No ID or invalid ID
# 0: Unknown ID
# 1..6: IDs with default records, varying confidence.
# 7..8: IDs with authoritative records, allowing REJECT
# 9: Authoritative record of a Registered Sender.
The above groups are stable, but further refinement within each group is still
ongoing. Here are some possibilities from recent implementations:
# 3: New record, may be missing some IPs.
# No PASS or FAIL, accumulate stats only.
# 6: Mature record, no new IPs for a long time.
# PASS if IP match. No FAIL. Stats on all.
# 9: Authoritative record of a registered sender.
# 8: Same as 9, but sender has not registered. They have simply published a
# valid _auth record under their Identity.
# 7: Sender has no _auth record, but has published an unambiguous list of their
# authorized transmitters, e.g. an SPF record ending in "-all".
# 2: ID with matching PTR record
# 3..5: Transitional records, accumulating IP blocks.
# 6: Mature record. Still can't reject forgeries,
# but OK for whitelisting.
# IDstatus: 0 1 2 3 4 5 6 7 8 9
# auth_status Action:
# = 0 x x x Reject
# = 9 x x x x x Whitelist
# < 9 x x x DNShunt
auth_status is 0 for FAIL, 9 for PASS, and < 9 for anything else.
Reject at HELO is done only for IDs with authoritative records (7..9).
Whitelisting is available for IDs with mature records.
DNS hunts are done as a fallback for IDs that are important but whose records are
not yet mature.