----- Original Message -----
From: "Meng Weng Wong" <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, February 24, 2004 12:08 PM
Subject: Re: [spf-discuss] how to protect the HELO using SPF
On Tue, Feb 24, 2004 at 11:59:48AM -0500, Meng Weng Wong wrote:
|
| Let's find a way to express the desired new functionality in the
| existing syntax.
|
| perhaps scope=mailfrom,helo?
|
if (helo domain has an spf record
    AND
    spf record indicates scope=...,helo,...
) THEN
    honour SPF record for domain
Using Pareto's principle as a guideline, the majority of systems will have a
domain name that is reflective of their organization.
The SPF helo domain lookup should be the one base domain name.
So for a HELO/EHLO subdomain.domain.com, the SPF lookup should be based on
domain.com and then allow it to describe the policy.
So the syntax should be:
if ((from == NULL) or (from domain != helo domain.com)) then
    if (spf helo domain.com = fail) then
        exit fail
    end if
end if
process spf from domain
Why?
Because if the two domains are the same, then you just need to check the
return path.
If they are not the same, then that is where you begin to check the helo.
However, the benefit of SPF over DMP is that you don't need to have hundreds
of TXT records for each subdomain.
Now you can have a single SPF record (or per different domain (not
sub-domains)). The SPF client algorithm will know which "state" it is
operating on, HELO or FROM.
But more importantly, I think the policy should emphasize Local vs Remote
HELO/EHLO domain checking.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
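The HELO-then-MAIL FROM decision sketched in the post above, written out as a runnable model. This is an added example, not code from the post, the list, or any SPF implementation. It assumes a constructed record table in place of DNS TXT lookups, a hypothetical scope= modifier as proposed in the thread (not part of any published SPF specification), a two-label "base domain" rule (real deployments would need a public suffix list), and only the ip4: and *all mechanisms; a, mx and include are not handled.

```python
"""Model of the post's check: consult the HELO base domain's SPF record only
when the return path is empty or names a different base domain; a HELO 'fail'
ends the check, anything else falls through to the MAIL FROM domain.

Assumptions (not from the post): RECORDS stands in for DNS, the scope=
modifier is hypothetical, base_domain() keeps the last two labels, and only
ip4: and the *all mechanism are parsed.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: base domain -> SPF record.
RECORDS = {
    "domain.com": "v=spf1 scope=mailfrom,helo ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 -all",  # no helo scope declared
    "example.org": "v=spf1 scope=mailfrom,helo ip4:203.0.113.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def base_domain(hostname):
    """Reduce subdomain.domain.com to domain.com, as the post proposes.
    Assumption: a two-label base; a public suffix list is needed in practice."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_record(record):
    """Split a record into (scopes, ip4 networks, default qualifier)."""
    scopes = {"mailfrom"}  # without a scope= modifier the record covers MAIL FROM only
    nets, default = [], "?"  # neutral when no *all mechanism is present
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if term.startswith("scope="):
            scopes = set(term[len("scope="):].split(","))
        elif term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.endswith("all"):
            default = term[:-3] or "+"  # bare "all" means "+all"
    return scopes, nets, default


def evaluate(domain, client_ip, scope):
    """Evaluate `domain`'s record for the identity scope 'helo' or 'mailfrom'."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    scopes, nets, default = parse_record(record)
    if scope not in scopes:
        return "none"  # the record does not claim to cover this identity
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in nets):
        return "pass"
    return QUALIFIER_RESULT[default]


def check(mail_from, helo, client_ip):
    """Return (identity_checked, result) following the post's pseudocode.
    Lookups use the base domain for both identities, matching the post's
    one-record-per-domain (not per-subdomain) model."""
    helo_base = base_domain(helo)
    from_domain = mail_from.rpartition("@")[2] if mail_from else None
    from_base = base_domain(from_domain) if from_domain else None
    if from_base is None or from_base != helo_base:
        helo_result = evaluate(helo_base, client_ip, "helo")
        if helo_result == "fail":
            return ("helo", "fail")  # exit fail
        if from_base is None:
            return ("helo", helo_result)  # null sender: HELO is the only identity
    return ("mailfrom", evaluate(from_base, client_ip, "mailfrom"))


if __name__ == "__main__":
    # Same base domain: only the return path is checked.
    print(check("alice@domain.com", "mx.domain.com", "192.0.2.5"))
    # Different domains and the HELO domain's record rejects the client IP.
    print(check("bob@example.net", "mx.domain.com", "198.51.100.10"))
    # HELO domain has no helo scope, so the check falls through to MAIL FROM.
    print(check("bob@domain.com", "smtp.example.net", "192.0.2.9"))
```

The third case is the one worth noticing for operators: a record without the helo scope contributes nothing to the HELO check, so the result comes entirely from the MAIL FROM domain, which is the behaviour the post's "honour SPF record for domain" condition is meant to capture.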