On Mon, 12 Jan 2009, Alessandro Vesely wrote:
We need a way to use *one record* for both the MAIL FROM and HELO checks.
Very few domains publish SPF records for each and every HELO name. I
believe "evangelism" will ever change that.
That is trivial too. You can pick any name you wish for HELO, including
a domain the same as MAIL FROM.
However, doing so discards the possibility to use the helo name as a "better
and cheaper rDNS", that you mentioned earlier in this thread. In addition, the
sender would fail those draconian HELO-to-DNS checks, if the MAIL FROM domain
doesn't have the corresponding A record.
Yes, I don't recommend the practice. But it *is* the only way to
have one SPF record for both MAIL FROM and HELO domains (by making them
the same domain). If anything, that should underscore why you don't
really want the same MAIL FROM and HELO policy.
If you have lots of MTAs behind a NAT, then wildcards could do the trick:
*.example.com TXT "v=spf1 a -all"
*.example.com A 188.8.131.52
If they all have different IPs, then a script or smarter authoritative
DNS (PowerDNS) is in order.
The point is, there is no big problem that a competent admin can't easily
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
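
Added example (not part of the original message): a simplified Python sketch of how a receiver would evaluate the HELO identity against the wildcard records above, plus the per-host alternative for MTAs with different IPs. The resolver and evaluator are stand-ins that handle only the `a` and `all` mechanisms; the function names, the zone dictionaries and the 192.0.2.x addresses are assumptions.

```python
# Constructed zone mirroring the two wildcard records quoted in the message.
SPF = "v=spf1 a -all"
WILDCARD_ZONE = {
    ("*.example.com", "TXT"): [SPF],
    ("*.example.com", "A"): ["188.8.131.52"],
}

def per_host_zone(hosts):
    """The 'script' case: one A and one SPF TXT record per HELO name."""
    zone = {}
    for name, ip in hosts.items():
        zone[(name, "A")] = [ip]
        zone[(name, "TXT")] = [SPF]
    return zone

def lookup(zone, name, rtype):
    """Simplified resolver: exact owner first, else nearest wildcard ancestor."""
    name = name.lower().rstrip(".")
    if any(owner == name for owner, _ in zone):
        return zone.get((name, rtype), [])  # name exists: wildcard is not used
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if any(owner == wild for owner, _ in zone):
            return zone.get((wild, rtype), [])
    return []

def check_helo(zone, helo, client_ip):
    """SPF result for the HELO identity; handles only 'a' and 'all'."""
    records = [t for t in lookup(zone, helo, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in results else ("+", term)
        if mech.lower() == "all":
            return results[qualifier]
        if mech.lower() != "a":
            return "permerror"  # mechanism outside this sketch
        if client_ip in lookup(zone, helo, "A"):
            return results[qualifier]
    return "neutral"

if __name__ == "__main__":
    print(check_helo(WILDCARD_ZONE, "mta1.example.com", "188.8.131.52"))
    # An explicit A record (constructed) shadows the wildcard TXT for that name.
    shadowed = {**WILDCARD_ZONE, ("mta2.example.com", "A"): ["192.0.2.25"]}
    print(check_helo(shadowed, "mta2.example.com", "192.0.2.25"))
```

A HELO name that has any record of its own no longer matches the wildcard, so it needs its own SPF TXT record as well.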