Could you show me the SPF records I would use to indicate that
mta.example.com is valid as an EHLO but not as a bounce address domain
while example.com is a valid bounce address domain but not an EHLO. If
it'll help, assume they both have an A record of 12.34.56.78.

You cannot with SPFv1 (based on your assumption). You missed the point: it
doesn't matter; primarily, the HELO is only checked if the MAIL FROM fails.
A pass from the HELO or MAIL FROM results in SPF PASS status.

My point, which I would have thought was obvious, is that SPF provides no
way to say that EHLO example.com or MAIL FROM:<foo@mta.example.com> are
invalid. In practice, I see quite a lot of forged mail like that, and
SPF's inability to deal with it is a significant problem.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
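As an added illustration of the point argued in this thread (it is not part of the original messages), here is a toy SPF evaluator that handles only the `a`, `ip4` and `all` mechanisms against a constructed in-memory zone. The zone assumes both names carry the A record 12.34.56.78 from the question and publish `v=spf1 a -all`; the record text and the second IP used for contrast are assumptions. The evaluator's `check_host()` takes no identity-type argument because an SPFv1 record has no field for one: the forged session from the last message (`EHLO example.com`, `MAIL FROM:<foo@mta.example.com>`) evaluates exactly like the legitimate one, and the only record that makes `EHLO example.com` fail also fails `MAIL FROM:<foo@example.com>`.

```python
"""Toy SPFv1 evaluator (tiny RFC 7208 subset): 'a', 'ip4' and 'all' only.
Added example for this thread, not code from any of the participants.
DNS is a constructed in-memory table so the example runs offline."""
import ipaddress

# Constructed zone data (assumption): both names resolve to 12.34.56.78 and
# publish the same record. SPFv1 syntax has no way to say "valid as HELO
# only" or "valid as MAIL FROM only", so one record answers both questions.
ZONE = {
    "mta.example.com": {"A": ["12.34.56.78"], "TXT": ["v=spf1 a -all"]},
    "example.com":     {"A": ["12.34.56.78"], "TXT": ["v=spf1 a -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype, zone=ZONE):
    """Return the RRset of the given type for name, or [] if absent."""
    return zone.get(name.lower().rstrip("."), {}).get(rrtype, [])


def spf_record(domain, zone=ZONE):
    """The single 'v=spf1' TXT record for domain, or None (no record or >1)."""
    recs = [t for t in lookup(domain, "TXT", zone)
            if t.lower().startswith("v=spf1 ") or t.lower() == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, zone=ZONE):
    """Evaluate <ip> against <domain>'s record: pass/fail/softfail/neutral/none.

    There is deliberately no parameter saying whether <domain> came from
    HELO or from MAIL FROM: the record cannot express that distinction, so
    the receiver cannot ask the question."""
    record = spf_record(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            target = arg or domain          # "a" alone means this domain
            matched = any(ipaddress.ip_address(a) == addr
                          for a in lookup(target, "A", zone))
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            continue                        # mechanisms this toy does not model
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # record exhausted without a match


def check_identities(ip, helo, mail_from, zone=ZONE):
    """Evaluate both SPF identities of one SMTP session.

    Both calls go through the same check_host(): whichever of the two
    names is in the HELO slot and whichever is in the MAIL FROM slot, the
    verdicts are the same, which is exactly the gap the thread complains about."""
    mf_domain = mail_from.rsplit("@", 1)[-1]
    return {"helo": check_host(ip, helo, zone),
            "mailfrom": check_host(ip, mf_domain, zone)}


if __name__ == "__main__":
    legit = check_identities("12.34.56.78", "mta.example.com", "foo@example.com")
    forged = check_identities("12.34.56.78", "example.com", "foo@mta.example.com")
    print("legitimate session:", legit)
    print("forged session    :", forged)
    # The only way to make EHLO example.com fail is a record that also
    # fails foo@example.com as a bounce address (assumed alternate zone).
    strict = {**ZONE, "example.com": {"A": ["12.34.56.78"], "TXT": ["v=spf1 -all"]}}
    print("example.com -all  :",
          check_identities("12.34.56.78", "example.com", "foo@example.com", strict))
```

Run it as a script to see the legitimate and forged sessions print identical verdicts; swapping `example.com`'s record to `v=spf1 -all` shows the trade-off, since the stricter record rejects the forged EHLO and the legitimate bounce address together.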