spf-discuss

RE: Possible SPF machine-domain loophole???

2004-02-24 14:52:01
Seth Goodman wrote:
> [Dustin D. Trammell]
> > I agree that the original goal of SPF was to define authorized hosts
> > that are able to send as a given envelope domain; however, I believe
> > the scope of SPF has widened slightly, and this is even reflected in
> > the new acronym definition "Sender Policy Framework".  I consider the
> > HELO string to be "sender information", and since your domain can
> > potentially be spoofed by someone else (and potentially end up in
> > the headers), it should be subject to the domain's sender policy.
>
> Maybe we should stop putting HELO information in the Received headers
> and just stick with the IP and rDNS result?  Does that violate any
> RFCs or is this just current practice?

I agree with that position as well.  I believe someone posted to the
list earlier that including the HELO in the headers is NOT required, but
is just current practice.  The problem with this is, you must get all
the MTAs that do this to change their behavior.

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
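As an added illustration of the point made in this exchange, that the HELO/EHLO name can be checked against a domain's published sender policy in the same way as the envelope-sender domain, here is a small HELO-identity SPF evaluator. It is not code from the list or from any SPF implementation; the record map stands in for DNS and uses constructed example names, and it deliberately supports only the ip4, ip6, include and all mechanisms (a, mx, exists and macros are treated as unsupported).

```python
import ipaddress

# Constructed in-memory "DNS": HELO name -> SPF TXT record (not real domains).
SPF_RECORDS = {
    "mail.example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.com": "v=spf1 include:mail.example.com ~all",
}

# Mechanism qualifier -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(name):
    """Return the SPF record for a name, or None (stands in for a TXT query)."""
    return SPF_RECORDS.get(name.lower())


def check_helo(helo, client_ip, depth=0):
    """Evaluate the HELO name's SPF policy against the connecting client IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6 (with CIDR), include and all are implemented here.
    """
    record = lookup_spf(helo)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # no policy published for this HELO name
    if depth > 10:
        return "permerror"     # guard against include loops / lookup blow-up
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include matches only if the referenced policy yields "pass"
            matched = check_helo(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # no mechanism matched and no "all" term
```

A receiving MTA would call `check_helo` with the EHLO argument and the peer's socket address before deciding whether to log or act on the HELO name.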