On Wed, Jun 30, 2004 at 09:21:47PM +0100, Roy Badami wrote:
|
| OK, here's what I see as the problems with Unified SPF (as I understand
| the proposal) as compared with using SenderID in conjunction with
| CSV/CSA.
|
| A complex SPF record may reference many different providers,
| whereas a particular HELO string will typically come from a
| specific MTA. The big problem though is when an SPF record ends in
| ?all or ~all. It is counterproductive to encourage people to use
| this same record for HELO checks. You may not know all the MTAs
| that might sometimes originate mail for your domain, but HELO
| strings typically identify individual MTAs, and you almost
| certainly know the exact list of IP addresses in use by a specific
| MTA under your control. Encouraging people to relax the HELO check
| just because they don't feel comfortable with a strict PRA (or MAIL
| FROM) check is undesirable.
|
The problem statement seems to assume that domain names used
in MAIL FROM will overlap with domain names seen in HELO.
If I read this assumption wrongly, please correct me.

  HELO domain.com
  MAIL FROM:<user@domain.com>

In this situation, an SPF record could easily become
unnecessarily complex for HELO purposes.

  domain.com. TXT "v=spf1 include:this include:that a mx ?all"

If the domain admin changes the HELO string to be:

  HELO mta1.domain.com
  MAIL FROM:<user@domain.com>

Then the problem goes away.

  mta1.domain.com. TXT "v=spf1 a -all"
  domain.com. TXT "v=spf1 include:this include:that a mx ?all"

Is that any better?
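To make the difference between the two HELO choices concrete, here is a small SPF evaluator written as an added example for this page; it is not code from either poster or from any SPF implementation. It walks the mechanisms of the two records quoted in the message above (include, a, mx, ip4, all with the +/-/~/? qualifiers) against a constructed in-memory zone, and then evaluates HELO and MAIL FROM as two separate identities the way a receiving MTA would. The zone contents (the IP addresses, the A and MX records, and the records published by the two included names "this" and "that") are assumptions made up for the example; the point it shows is that an unknown host claiming "domain.com" in HELO only earns a neutral result from the "?all" record, while the same host claiming "mta1.domain.com" is rejected by the per-MTA "-all" record.

```python
"""Minimal SPF evaluator over a constructed in-memory zone.

Added example, not from the original e-mail thread. It shows why reusing a
domain's MAIL FROM record that ends in "?all" for HELO checks gives a weaker
answer than a per-MTA record ending in "-all". All DNS data below is
constructed for illustration and does not correspond to real hosts.
"""
import ipaddress

# Constructed zone: name -> {"TXT": [...], "A": [...], "MX": [...]}.
# The two records for domain.com and mta1.domain.com are the ones from the
# message; everything else is assumed so that the example can run offline.
ZONE = {
    "domain.com": {
        "TXT": ["v=spf1 include:this include:that a mx ?all"],
        "A": ["192.0.2.10"],
        "MX": ["mta1.domain.com"],  # assumption: mta1 is also the inbound MX
    },
    "mta1.domain.com": {
        "TXT": ["v=spf1 a -all"],
        "A": ["192.0.2.30"],
    },
    # The two included providers, each publishing its own strict record.
    "this": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "that": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])


def spf_record(name):
    """First TXT record at <name> that starts with the SPF version tag."""
    for txt in lookup(name, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def a_match(ip, name):
    """True if <ip> equals any A record published at <name>."""
    return any(ip == ipaddress.ip_address(a) for a in lookup(name, "A"))


def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for <ip> using <domain>."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"  # an unqualified mechanism means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = a_match(ip, arg or domain)
        elif mech == "mx":
            matched = any(a_match(ip, mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # fell off the end of the record without an "all" term


def helo_vs_mailfrom(ip, helo, mail_from_domain):
    """Evaluate the HELO identity and the MAIL FROM identity separately."""
    return {"helo": check_host(ip, helo), "mailfrom": check_host(ip, mail_from_domain)}


if __name__ == "__main__":
    # An unknown host claiming the bare domain in HELO: "?all" leaves it neutral.
    print(helo_vs_mailfrom("192.0.2.99", "domain.com", "domain.com"))
    # The same host claiming the per-MTA HELO name is rejected by "-all".
    print(helo_vs_mailfrom("192.0.2.99", "mta1.domain.com", "domain.com"))
    # The real MTA passes both identities.
    print(helo_vs_mailfrom("192.0.2.30", "mta1.domain.com", "domain.com"))
```

Running it shows the three outcomes side by side: the forged host gets neutral/neutral when it reuses the domain record for HELO, fail/neutral when HELO must match the per-MTA record, and the genuine MTA gets pass/pass. The MAIL FROM result is unchanged by the HELO choice, which is the separation the message argues for.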