
Re: The problem with Unified SPF

2004-06-30 15:18:43

"Meng" == Meng Weng Wong <mengwong@dumbo.pobox.com> writes:

    Meng> The problem statement seems to assume that domain names used
    Meng> in MAIL FROM will overlap with domain names seen in HELO.
    Meng> If I read this assumption wrongly, please correct me.

    Meng>   HELO domain.com 
    Meng>   MAIL FROM:<user@domain.com>

Actually, I was assuming that the above case is uncommon.  Though we
probably need to address it.

    Meng> If the domain admin changes the HELO string to be:

    Meng>   HELO mta1.domain.com
    Meng>   MAIL FROM:<user@domain.com>

    Meng> Then the problem goes away.

    Meng>   mta1.domain.com. TXT "v=spf1 a -all" 
    Meng>   domain.com.      TXT "v=spf1 include:this include:that a mx ?all"

Which (almost) boils down to CSV, but using SPF syntax instead of SRV
records.

I have to say that I hadn't realized this was the intent of Unified
SPF.

If you're expecting to have separate records for the HELO identity
and other identities, then I don't see the advantage of making them
both generic.  The first of your TXT records should be clearly for
HELO use only, and the second should be clearly for PRA and MAIL FROM.

As it stands, your example still allows anyone to forge a HELO domain.com.

   -roy
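A worked illustration of the last point above, added here and not part of the thread: a small SPF evaluator (a subset of the mechanisms, with constructed DNS data in place of real lookups, and the post's placeholder include:this / include:that given made-up records) shows that the same unauthorized client IP fails against the mta1.domain.com record but only gets neutral from domain.com's record, so a HELO of domain.com from that IP is never rejected.

```python
import ipaddress

# Constructed zone data (not real DNS). The two TXT records are the ones
# quoted in the post; "this"/"that" and the A/MX answers are assumptions.
TXT = {
    "mta1.domain.com": "v=spf1 a -all",
    "domain.com": "v=spf1 include:this include:that a mx ?all",
    "this": "v=spf1 ip4:192.0.2.0/24 -all",
    "that": "v=spf1 ip4:198.51.100.0/24 -all",
}
A = {"mta1.domain.com": ["192.0.2.10"], "domain.com": ["192.0.2.1"],
     "mx.domain.com": ["192.0.2.2"]}
MX = {"domain.com": ["mx.domain.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for client ip (subset of SPF semantics).

    Supports a, mx, ip4, include and all; the first matching mechanism
    decides the result, and a record with no match is neutral.
    """
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "mx":
            matched = any(ip in A.get(h, []) for h in MX.get(arg or domain, []))
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def helo_results(ip):
    """Check one client IP against both HELO names from the post."""
    return {h: check_host(ip, h) for h in ("mta1.domain.com", "domain.com")}
```

Run with an address outside every listed network (e.g. 203.0.113.5) to see the "fail" versus "neutral" split; only a "-all" record on the HELO name itself lets a receiver reject the forged greeting.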

