Yeah. Too bad that among SPF's many flaws is that it completely
confuses the HELO domain and the MAIL FROM domain
No it does not. It checks each independently. See my previous post to your
question.
Could you show me the SPF records I would use to indicate that
mta.example,com is valid as an EHLO but not as a bounce address domain
while example.com is a valid bounce address domain but not an EHLO. If
it'll help, assume they both have an A record of 12.34.56.78.
(and on a bad day,
the domains in From:, Sender:, Resent-From:, and Resent-Sender:.)
SPF never does that, please do not confuse PRA with SPF.
In real life, lots of people use SPF records for PRA, and there was a loud
debate before coming to a consensus that the alternative of throwing
everything away and starting over was unworkable. I sure wish the SPF
crowd had a better institutional memory.
R's,
John