----- Original Message -----
From: "Frank Ellermann" <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>
Sent: Saturday, December 04, 2004 2:00 AM
Subject: Re: A new SMTP "3821"
It's IMHO obvious that the receiver can check these IPs only at
one of his border MXs, not later in his routing. "Forwarding
to third parties" is only one special case of any "later in his
routing". The essence of SPF is KISS.
This is where possibly a HELO checking methodology works best because at
the transition/route, it is presumed it be trusted by the local network
EHLO validation is orthogonal to MAIL FROM validation, for
the simple reason that they're separate fields, and there's
not requirement for the same domain name to appear in both.
If the HELO domain is also used in a MAIL FROM:<user(_at_)domain> -
not necessarily by the same MTAs - then it makes sense to join
the sets of corresponding IPs in one SPF sender policy for all
receivers using SPF to control their borders.
You could also combine it with other schemes, and if the other
scheme says "bad HELO" skip all SPF tests and reject all mails.
If the other scheme says "good HELO" you could skip SPF HELO
tests (that's not explained in the SPF draft, it's obvious ;-)
but still do SPF MAIL FROM tests.
Good point on mixed policies.
I'll repost my link to my early work on LMAP validation and trust analysis.
It became the basis for our current SMTP design: