Meng Weng Wong wrote:
if (helo domain has an spf record
    AND
    spf record indicates scope=...,helo,...
   ) THEN
    honour SPF record for domain

So we want to restrict the use of mail.baschny.de.

    mail.baschny.de TXT "v=spf1 scope=mailfrom,helo a -all"

That way, SPF clients that understand "scope=helo" semantics will always
do a lookup on FQDN helo, and if they get back a scope=helo, they will
honour the SPF record. If they do not get a scope=helo, they will
proceed as usual, to check the return-path.

Sorry, disregard my last message, this is exactly what I was asking
about... So the actual DNS query would happen at HELO, the result of
which would determine whether or not to apply the check to the HELO
string; then, if it is not applied or applied with a non-fail, it would
continue to check the MAIL FROM. This sounds reasonable.
---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
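
The lookup order discussed in this thread, as an added Python example that is not part of the original messages or of any SPF implementation. Assumptions: the `ZONE` dictionary is constructed data standing in for DNS, the function names are hypothetical, only the `a` and `all` mechanisms are evaluated, and a record without `scope=` is treated as covering the return-path only.

```python
# Added example: "scope=" is the modifier proposed in the thread.
# ZONE is constructed stand-in data for DNS: name -> (TXT record, A addresses).
ZONE = {
    "mail.baschny.de": ("v=spf1 scope=mailfrom,helo a -all", ["192.0.2.10"]),
    "legacy.example": ("v=spf1 a -all", ["192.0.2.20"]),
    "sender.example": ("v=spf1 a -all", ["192.0.2.10"]),
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(txt):
    """Return (scopes, terms), or None if txt is not an SPF record."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    scopes, terms = {"mailfrom"}, []  # assumption: no scope= means mailfrom only
    for p in parts[1:]:
        if p.lower().startswith("scope="):
            scopes = {s.lower() for s in p[6:].split(",") if s}
        else:
            terms.append(p)
    return scopes, terms

def evaluate(domain, ip, terms):
    """Evaluate the 'a' and 'all' mechanisms only, left to right."""
    for t in terms:
        qual, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all" or (mech == "a" and ip in ZONE.get(domain, ("", []))[1]):
            return QUALIFIERS[qual]
    return "neutral"

def lookup(domain):
    rec = ZONE.get(domain)
    return parse_spf(rec[0]) if rec else None

def check(ip, helo, mail_from):
    """Return (identity checked, result) in the order described in the thread."""
    helo = helo.lower().rstrip(".")
    parsed = lookup(helo)  # the DNS query always happens at HELO
    if parsed and "helo" in parsed[0]:
        if evaluate(helo, ip, parsed[1]) == "fail":
            return ("helo", "fail")
    # HELO check not applied, or applied with a non-fail: check the return-path.
    domain = mail_from.rsplit("@", 1)[-1].lower()
    parsed = lookup(domain)
    if not parsed:
        return ("mailfrom", "none")
    return ("mailfrom", evaluate(domain, ip, parsed[1]))
```
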