Hi Patrik,
On Tue, Sep 10, 2013 at 4:04 AM, Patrik Fältström <paf@xxxxxxxxxx> wrote:
On Tue, Sep 10, 2013 at 4:04 AM, Patrik Fältström <paf@xxxxxxxxxx> wrote:
What we did look at was first of all every query for an MX resource record. Then we look at +/-1 second from the timestamp of that MX query for TXT and/or SPF record for the same owner. We draw the conclusion that if there is a query for an MX record, and then either TXT or SPF (or both) within the approximately same timespan, then they are related queries.
I'm not sure that's a valid conclusion. Since MX is needed only for a sending system, a receiving system doing an SPF check of either type has no reason to query for MX. The exception to this might be a heuristic check to see if the domain in the MAIL FROM has MX or A published such that a reply appears to be possible, but I wouldn't expect a strong correlation in your data.
-MSK