spf-discuss

RE: Possible SPF machine-domain loophole???

2004-02-24 11:47:04
Theo Schlossnagle wrote:
My understanding was that SPF allows you to determine which hosts are
permitted to send mail with envelopes like @domaininquestion.com.  The
above argument says that SPF allows a host to dictate that.  It's
backwards.

Specifically, my email address is not @mail.omniti.com -- so it would
be reasonable to add a mail.omniti.com IN TXT "v=spf1 -all" record,
as no legitimate mail should have an envelope sender with the domain
@mail.omniti.com.  But my mail server damn well better be able to send
mail, and it should be able to use mail.omniti.com as its EHLO
argument...

I agree that the original goal of SPF was to define authorized hosts
that are able to send as a given envelope domain, however I believe the
scope of SPF has widened slightly, and is even reflected in the new
acronym definition "Sender Policy Framework".  I consider the HELO
string to be "sender information", and since your domain can potentially
be spoofed by someone else (and potentially end up in the headers), it
should be subject to the domain's sender policy.

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
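The two checks the thread is arguing about, as an added worked example that is not from this thread or from any SPF implementation: a toy evaluator (ip4, a and all mechanisms only, not the full specification) run over constructed DNS data. The omniti.com and mail.omniti.com records mirror the scenario above; relay.example.net and all IP addresses are assumptions for the example. It shows that with "v=spf1 -all" on the HELO name, the same message passes an envelope-domain check and fails a HELO check from the same host, and that a record of "v=spf1 a -all" on the host name would satisfy both.

```python
import ipaddress

# Constructed DNS data for the example (not real zone contents).
DNS = {
    "TXT": {
        "omniti.com": ["v=spf1 ip4:192.0.2.25 -all"],      # envelope domain
        "mail.omniti.com": ["v=spf1 -all"],                # Theo's proposed record
        "relay.example.net": ["v=spf1 a -all"],            # assumed alternative: host may HELO as itself
    },
    "A": {
        "mail.omniti.com": ["192.0.2.25"],
        "relay.example.net": ["198.51.100.7"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's v=spf1 TXT record, or None if it has none."""
    for record in DNS["TXT"].get(domain, []):
        if record.lower() == "v=spf1" or record.lower().startswith("v=spf1 "):
            return record
    return None


def evaluate(domain, ip):
    """Evaluate the SPF record of `domain` against the connecting `ip`.

    Toy evaluator: supports ip4:, a, a:<host> and all. Anything else is a
    permerror here, where a real implementation would handle mx, include, ...
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in DNS["A"].get(host, []))
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: default result


def check_mail(helo, mail_from, ip):
    """Run both identity checks a receiver might apply to one SMTP transaction.

    An empty MAIL FROM (bounce) has no domain of its own, so the HELO name
    stands in for it, as SPF specifies.
    """
    envelope_domain = mail_from.rsplit("@", 1)[1] if "@" in mail_from else helo
    return {
        "mail_from": evaluate(envelope_domain, ip),
        "helo": evaluate(helo, ip),
    }


if __name__ == "__main__":
    # Theo's server: envelope check passes, HELO check fails on the same connection.
    print(check_mail("mail.omniti.com", "theo@omniti.com", "192.0.2.25"))
    # Assumed alternative record: the host may use its own name in HELO.
    print(check_mail("relay.example.net", "", "198.51.100.7"))
```

A receiver that applies the HELO check to a host publishing "v=spf1 -all" rejects that host's mail even though the envelope domain authorizes it; "v=spf1 a -all" keeps the "nobody may send as @host" property while letting the host itself pass a HELO check.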