spf-discuss

Re: how to protect the HELO using SPF

2004-02-24 10:08:43
On Tue, Feb 24, 2004 at 11:59:48AM -0500, Meng Weng Wong wrote:
| 
| Let's find a way to express the desired new functionality in the
| existing syntax.
| 
| perhaps scope=mailfrom,helo?
| 

if (helo domain has an spf record
    AND
    spf record indicates scope=...,helo,...
   ) THEN
      honour SPF record for domain

So we want to restrict the use of mail.baschny.de.

  mail.baschny.de TXT "v=spf1 scope=mailfrom,helo a -all"

That way, SPF clients that understand "scope=helo" semantics will always
do a lookup on FQDN helo, and if they get back a scope=helo, they will
honour the SPF record.  If they do not get a scope=helo, they will
proceed as usual, to check the return-path.

This accommodates people who want to protect their HELOs and the people
who do not.  By default, people are assumed to not want to protect their
HELOs; this position is necessary because of the RFC SHOULD vs MUST syntax.
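
The lookup rule proposed in the message above, as an added example (not part of the original post and not code from any SPF implementation). The `scope=` modifier is the message's proposal; the helper names, the in-memory zone and the example.org / example.net records are constructed for illustration.

```python
# Added illustration of the "scope=" proposal from the message above.
# ZONE is a constructed in-memory stand-in for DNS TXT lookups; only the
# mail.baschny.de record comes from the message.
ZONE = {
    "mail.baschny.de": ["v=spf1 scope=mailfrom,helo a -all"],
    "mail.example.org": ["v=spf1 a -all"],               # constructed
    "relay.example.net": ["some unrelated TXT string"],  # constructed
}


def lookup_txt(domain):
    """Hypothetical resolver: TXT strings for a domain, [] if none."""
    return ZONE.get(domain.lower().rstrip("."), [])


def parse_scopes(txt):
    """Scopes declared by an SPF record, or None if txt is not v=spf1.

    A record without scope= counts as mailfrom-only, matching the
    message's default that HELOs are not protected.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        name, sep, value = term.partition("=")
        if sep and name.lower() == "scope":
            return {s.strip().lower() for s in value.split(",") if s.strip()}
    return {"mailfrom"}


def helo_record_to_honour(helo_fqdn, resolver=lookup_txt):
    """Return the SPF record to apply to the HELO name, or None.

    None means the client proceeds as usual and checks the return-path.
    """
    for txt in resolver(helo_fqdn):
        scopes = parse_scopes(txt)
        if scopes is not None and "helo" in scopes:
            return txt
    return None


if __name__ == "__main__":
    for helo in ZONE:
        record = helo_record_to_honour(helo)
        print(helo, "->", record or "check return-path as usual")
```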