In <20050526142311(_dot_)O9890(_at_)simone(_dot_)iecc(_dot_)com> "John L"
<johnl(_at_)iecc(_dot_)com> writes:

> > > Yeah. Too bad that among SPF's many flaws is that it completely
> > > confuses the HELO domain and the MAIL FROM domain
> >
> > No it does not. It checks each independently. See my previous post
> > to your question.
>
> Could you show me the SPF records I would use to indicate that
> mta.example.com is valid as an EHLO but not as a bounce address domain
> while example.com is a valid bounce address domain but not an EHLO.
> If it'll help, assume they both have an A record of 12.34.56.78.

I'll start off by not answering your question. ;-)

Personally, I would recommend just publishing these SPF records:

    example.com      TXT "v=spf1 a -all"
    mta.example.com  TXT "v=spf1 a -all"

If you trust the host 12.34.56.78 enough to authorize it to use both
the example.com and mta.example.com domain names, why wouldn't you
trust it enough to use them in the right context?

Ok, now I'll actually answer your question:

    example.com                      TXT "v=spf1 redirect=%{l}._spf.%{d}"
    postmaster._spf.example.com      TXT "v=spf1 -all"
    *._spf.example.com               TXT "v=spf1 a -all"

    mta.example.com                  TXT "v=spf1 redirect=%{l}._spf.%{d}"
    postmaster._spf.mta.example.com  TXT "v=spf1 a -all"
    *._spf.mta.example.com           TXT "v=spf1 -all"

Ugly as sin, and it means that you can't send email using the
postmaster local part, but otherwise it works and is well defined
back to Dec 2003 (or earlier).

-wayne
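
The record selection described in the message above, as an added example that is not part of the original post: it expands the `redirect=` target for a HELO check (sender `postmaster@<helo-domain>`) and for a MAIL FROM check, and returns the TXT policy that ends up being consulted. Assumptions: the macro is the local-part macro `%{l}`, as the "postmaster local part" remark implies; the zone dictionary, the simplified wildcard matching, and the names `lookup_txt`, `expand` and `policy_for` are constructed for illustration.

```python
import re

# Constructed zone: the six TXT records from the message, written with the
# local-part macro %{l} (an assumption, see the lead-in).
ZONE = {
    "example.com": "v=spf1 redirect=%{l}._spf.%{d}",
    "postmaster._spf.example.com": "v=spf1 -all",
    "*._spf.example.com": "v=spf1 a -all",
    "mta.example.com": "v=spf1 redirect=%{l}._spf.%{d}",
    "postmaster._spf.mta.example.com": "v=spf1 a -all",
    "*._spf.mta.example.com": "v=spf1 -all",
}

def lookup_txt(name):
    """Exact match first, then the nearest wildcard (simplified DNS matching)."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in ZONE:
            return ZONE[wildcard]
    return None

def expand(spec, sender, domain):
    """Expand only %{l} and %{d}; other SPF macros are out of scope here."""
    local = sender.rpartition("@")[0] or "postmaster"
    return spec.replace("%{l}", local).replace("%{d}", domain)

def policy_for(identity, value):
    """Return (name consulted, TXT policy) for a 'helo' or 'mailfrom' check."""
    # A HELO check is evaluated with postmaster@<helo-domain> as the sender.
    sender = "postmaster@" + value if identity == "helo" else value
    domain = sender.rpartition("@")[2].lower()
    record = lookup_txt(domain)
    match = re.search(r"redirect=(\S+)", record or "")
    if match:
        domain = expand(match.group(1), sender, domain).lower()
        record = lookup_txt(domain)
    return domain, record

if __name__ == "__main__":
    checks = [("helo", "mta.example.com"), ("mailfrom", "bounce@mta.example.com"),
              ("helo", "example.com"), ("mailfrom", "bounce@example.com"),
              ("mailfrom", "postmaster@example.com")]
    for identity, value in checks:
        print(identity, value, "->", *policy_for(identity, value))
```

The sketch stops at selecting the policy and does not evaluate the `a` mechanism; after a `redirect`, an `a` with no domain argument is looked up at the redirected name, so an A record has to exist there for it to match.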